2.8. Référence des commandes de l'administrateur de la CLI d'OpenShift
Cette référence fournit des descriptions et des exemples de commandes pour les commandes administrateur de l'OpenShift CLI (oc). Vous devez disposer de cluster-admin ou d'autorisations équivalentes pour utiliser ces commandes.
Pour les commandes de développeur, voir la référence des commandes de développeur de l'OpenShift CLI.
Exécutez oc adm -h pour obtenir la liste de toutes les commandes de l'administrateur ou exécutez oc <command> --help pour obtenir des détails supplémentaires sur une commande spécifique.
2.8.1. Commandes de l'administrateur OpenShift CLI (oc)
2.8.1.1. oc adm build-chain
Produire les entrées et les dépendances de vos constructions
Exemple d'utilisation
# Build the dependency tree for the 'latest' tag in <image-stream> oc adm build-chain <image-stream> # Build the dependency tree for the 'v2' tag in dot format and visualize it via the dot utility oc adm build-chain <image-stream>:v2 -o dot | dot -T svg -o deps.svg # Build the dependency tree across all namespaces for the specified image stream tag found in the 'test' namespace oc adm build-chain <image-stream> -n test --all
2.8.1.2. oc adm catalogue mirror
Miroir d'un catalogue de registres d'opérateurs
Exemple d'utilisation
# Mirror an operator-registry image and its contents to a registry oc adm catalog mirror quay.io/my/image:latest myregistry.com # Mirror an operator-registry image and its contents to a particular namespace in a registry oc adm catalog mirror quay.io/my/image:latest myregistry.com/my-namespace # Mirror to an airgapped registry by first mirroring to files oc adm catalog mirror quay.io/my/image:latest file:///local/index oc adm catalog mirror file:///local/index/my/image:latest my-airgapped-registry.com # Configure a cluster to use a mirrored registry oc apply -f manifests/imageContentSourcePolicy.yaml # Edit the mirroring mappings and mirror with "oc image mirror" manually oc adm catalog mirror --manifests-only quay.io/my/image:latest myregistry.com oc image mirror -f manifests/mapping.txt # Delete all ImageContentSourcePolicies generated by oc adm catalog mirror oc delete imagecontentsourcepolicy -l operators.openshift.org/catalog=true
2.8.1.3. certificat oc adm approuver
Approuver une demande de signature de certificat
Exemple d'utilisation
# Approve CSR 'csr-sqgzp' oc adm certificate approve csr-sqgzp
2.8.1.4. oc adm certificat deny
Refuser une demande de signature de certificat
Exemple d'utilisation
# Deny CSR 'csr-sqgzp' oc adm certificate deny csr-sqgzp
2.8.1.5. oc adm cordon
Marquer le nœud comme non maîtrisable
Exemple d'utilisation
# Mark node "foo" as unschedulable oc adm cordon foo
2.8.1.6. oc adm create-bootstrap-project-template
Créer un modèle de projet bootstrap
Exemple d'utilisation
# Output a bootstrap project template in YAML format to stdout oc adm create-bootstrap-project-template -o yaml
2.8.1.7. oc adm create-error-template
Créer un modèle de page d'erreur
Exemple d'utilisation
# Output a template for the error page to stdout oc adm create-error-template
2.8.1.8. oc adm create-login-template
Créer un modèle de connexion
Exemple d'utilisation
# Output a template for the login page to stdout oc adm create-login-template
2.8.1.9. oc adm create-provider-selection-template (modèle de sélection du fournisseur)
Créer un modèle de sélection des fournisseurs
Exemple d'utilisation
# Output a template for the provider selection page to stdout oc adm create-provider-selection-template
2.8.1.10. oc adm drain
Drainage du nœud en vue de l'entretien
Exemple d'utilisation
# Drain node "foo", even if there are pods not managed by a replication controller, replica set, job, daemon set or stateful set on it oc adm drain foo --force # As above, but abort if there are pods not managed by a replication controller, replica set, job, daemon set or stateful set, and use a grace period of 15 minutes oc adm drain foo --grace-period=900
2.8.1.11. oc adm groups add-users
Ajouter des utilisateurs à un groupe
Exemple d'utilisation
# Add user1 and user2 to my-group oc adm groups add-users my-group user1 user2
2.8.1.12. oc adm groups new
Créer un nouveau groupe
Exemple d'utilisation
# Add a group with no users oc adm groups new my-group # Add a group with two users oc adm groups new my-group user1 user2 # Add a group with one user and shorter output oc adm groups new my-group user1 -o name
2.8.1.13. oc adm groups prune
Supprimer d'anciens groupes OpenShift référençant des enregistrements manquants d'un fournisseur externe
Exemple d'utilisation
# Prune all orphaned groups oc adm groups prune --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups except the ones from the blacklist file oc adm groups prune --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist file oc adm groups prune --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist oc adm groups prune groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm
2.8.1.14. oc adm groups remove-users
Supprimer des utilisateurs d'un groupe
Exemple d'utilisation
# Remove user1 and user2 from my-group oc adm groups remove-users my-group user1 user2
2.8.1.15. oc adm groups sync
Synchroniser les groupes OpenShift avec les enregistrements d'un fournisseur externe
Exemple d'utilisation
# Sync all groups with an LDAP server oc adm groups sync --sync-config=/path/to/ldap-sync-config.yaml --confirm # Sync all groups except the ones from the blacklist file with an LDAP server oc adm groups sync --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Sync specific groups specified in a whitelist file with an LDAP server oc adm groups sync --whitelist=/path/to/whitelist.txt --sync-config=/path/to/sync-config.yaml --confirm # Sync all OpenShift groups that have been synced previously with an LDAP server oc adm groups sync --type=openshift --sync-config=/path/to/ldap-sync-config.yaml --confirm # Sync specific OpenShift groups if they have been synced previously with an LDAP server oc adm groups sync groups/group1 groups/group2 groups/group3 --sync-config=/path/to/sync-config.yaml --confirm
2.8.1.16. oc adm inspect
Collecte des données de débogage pour une ressource donnée
Exemple d'utilisation
# Collect debugging data for the "openshift-apiserver" clusteroperator oc adm inspect clusteroperator/openshift-apiserver # Collect debugging data for the "openshift-apiserver" and "kube-apiserver" clusteroperators oc adm inspect clusteroperator/openshift-apiserver clusteroperator/kube-apiserver # Collect debugging data for all clusteroperators oc adm inspect clusteroperator # Collect debugging data for all clusteroperators and clusterversions oc adm inspect clusteroperators,clusterversions
2.8.1.17. oc adm migrate template-instances
Mettre à jour les instances de modèles pour qu'elles pointent vers les derniers types de versions de groupes
Exemple d'utilisation
# Perform a dry-run of updating all objects oc adm migrate template-instances # To actually perform the update, the confirm flag must be appended oc adm migrate template-instances --confirm
2.8.1.18. oc adm must-gather
Lancer une nouvelle instance d'un pod pour recueillir des informations de débogage
Exemple d'utilisation
# Gather information using the default plug-in image and command, writing into ./must-gather.local.<rand> oc adm must-gather # Gather information with a specific local folder to copy to oc adm must-gather --dest-dir=/local/directory # Gather audit information oc adm must-gather -- /usr/bin/gather_audit_logs # Gather information using multiple plug-in images oc adm must-gather --image=quay.io/kubevirt/must-gather --image=quay.io/openshift/origin-must-gather # Gather information using a specific image stream plug-in oc adm must-gather --image-stream=openshift/must-gather:latest # Gather information using a specific image, command, and pod-dir oc adm must-gather --image=my/image:tag --source-dir=/pod/directory -- myspecial-command.sh
2.8.1.19. oc adm new-project
Créer un nouveau projet
Exemple d'utilisation
# Create a new project using a node selector oc adm new-project myproject --node-selector='type=user-node,region=east'
2.8.1.20. oc adm node-logs
Afficher et filtrer les journaux des nœuds
Exemple d'utilisation
# Show kubelet logs from all masters oc adm node-logs --role master -u kubelet # See what logs are available in masters in /var/logs oc adm node-logs --role master --path=/ # Display cron log file from all masters oc adm node-logs --role master --path=cron
2.8.1.21. oc adm pod-network isolate-projects
Isoler le réseau de projets
Exemple d'utilisation
# Provide isolation for project p1 oc adm pod-network isolate-projects <p1> # Allow all projects with label name=top-secret to have their own isolated project network oc adm pod-network isolate-projects --selector='name=top-secret'
2.8.1.22. oc adm pod-network join-projects
Rejoindre le réseau de projets
Exemple d'utilisation
# Allow project p2 to use project p1 network oc adm pod-network join-projects --to=<p1> <p2> # Allow all projects with label name=top-secret to use project p1 network oc adm pod-network join-projects --to=<p1> --selector='name=top-secret'
2.8.1.23. oc adm pod-network make-projects-global
Faire du réseau de projets un réseau mondial
Exemple d'utilisation
# Allow project p1 to access all pods in the cluster and vice versa oc adm pod-network make-projects-global <p1> # Allow all projects with label name=share to access all pods in the cluster and vice versa oc adm pod-network make-projects-global --selector='name=share'
2.8.1.24. oc adm policy add-role-to-user
Ajouter un rôle aux utilisateurs ou aux comptes de service pour le projet en cours
Exemple d'utilisation
# Add the 'view' role to user1 for the current project oc adm policy add-role-to-user view user1 # Add the 'edit' role to serviceaccount1 for the current project oc adm policy add-role-to-user edit -z serviceaccount1
2.8.1.25. oc adm policy add-scc-to-group
Ajouter une contrainte de contexte de sécurité aux groupes
Exemple d'utilisation
# Add the 'restricted' security context constraint to group1 and group2 oc adm policy add-scc-to-group restricted group1 group2
2.8.1.26. oc adm policy add-scc-to-user
Ajouter une contrainte de contexte de sécurité aux utilisateurs ou à un compte de service
Exemple d'utilisation
# Add the 'restricted' security context constraint to user1 and user2 oc adm policy add-scc-to-user restricted user1 user2 # Add the 'privileged' security context constraint to serviceaccount1 in the current namespace oc adm policy add-scc-to-user privileged -z serviceaccount1
2.8.1.27. oc adm policy scc-review
Vérifier quel compte de service peut créer un pod
Exemple d'utilisation
# Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml # Service Account specified in myresource.yaml file is ignored oc adm policy scc-review -z sa1,sa2 -f my_resource.yaml # Check whether service accounts system:serviceaccount:bob:default can admit a pod with a template pod spec specified in my_resource.yaml oc adm policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml # Check whether the service account specified in my_resource_with_sa.yaml can admit the pod oc adm policy scc-review -f my_resource_with_sa.yaml # Check whether the default service account can admit the pod; default is taken since no service account is defined in myresource_with_no_sa.yaml oc adm policy scc-review -f myresource_with_no_sa.yaml
2.8.1.28. politique de l'oc adm scc-subject-review
Vérifier si un utilisateur ou un compte de service peut créer un pod
Exemple d'utilisation
# Check whether user bob can create a pod specified in myresource.yaml oc adm policy scc-subject-review -u bob -f myresource.yaml # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml oc adm policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml # Check whether a service account specified in the pod template spec in myresourcewithsa.yaml can create the pod oc adm policy scc-subject-review -f myresourcewithsa.yaml
2.8.1.29. oc adm prune builds
Supprimer les anciennes constructions achevées et celles qui ont échoué
Exemple d'utilisation
# Dry run deleting older completed and failed builds and also including # all builds whose associated build config no longer exists oc adm prune builds --orphans # To actually perform the prune operation, the confirm flag must be appended oc adm prune builds --orphans --confirm
2.8.1.30. oc adm prune deployments
Suppression des anciennes configurations de déploiement terminées ou ayant échoué
Exemple d'utilisation
# Dry run deleting all but the last complete deployment for every deployment config oc adm prune deployments --keep-complete=1 # To actually perform the prune operation, the confirm flag must be appended oc adm prune deployments --keep-complete=1 --confirm
2.8.1.31. oc adm prune groups
Supprimer d'anciens groupes OpenShift référençant des enregistrements manquants d'un fournisseur externe
Exemple d'utilisation
# Prune all orphaned groups oc adm prune groups --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups except the ones from the blacklist file oc adm prune groups --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist file oc adm prune groups --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist oc adm prune groups groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm
2.8.1.32. oc adm prune images
Supprimer les images non référencées
Exemple d'utilisation
# See what the prune command would delete if only images and their referrers were more than an hour old
# and obsoleted by 3 newer revisions under the same tag were considered
oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m
# To actually perform the prune operation, the confirm flag must be appended
oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm
# See what the prune command would delete if we are interested in removing images
# exceeding currently set limit ranges ('openshift.io/Image')
oc adm prune images --prune-over-size-limit
# To actually perform the prune operation, the confirm flag must be appended
oc adm prune images --prune-over-size-limit --confirm
# Force the insecure http protocol with the particular registry host name
oc adm prune images --registry-url=http://registry.example.org --confirm
# Force a secure connection with a custom certificate authority to the particular registry host name
oc adm prune images --registry-url=registry.example.org --certificate-authority=/path/to/custom/ca.crt --confirm
2.8.1.33. oc adm release extract
Extraire le contenu d'une charge utile de mise à jour sur le disque
Exemple d'utilisation
# Use git to check out the source code for the current cluster release to DIR oc adm release extract --git=DIR # Extract cloud credential requests for AWS oc adm release extract --credentials-requests --cloud=aws # Use git to check out the source code for the current cluster release to DIR from linux/s390x image # Note: Wildcard filter is not supported. Pass a single os/arch to extract oc adm release extract --git=DIR quay.io/openshift-release-dev/ocp-release:4.2.2 --filter-by-os=linux/s390x
2.8.1.34. oc adm release info
Afficher des informations sur une version
Exemple d'utilisation
# Show information about the cluster's current release oc adm release info # Show the source code that comprises a release oc adm release info 4.2.2 --commit-urls # Show the source code difference between two releases oc adm release info 4.2.0 4.2.2 --commits # Show where the images referenced by the release are located oc adm release info quay.io/openshift-release-dev/ocp-release:4.2.2 --pullspecs # Show information about linux/s390x image # Note: Wildcard filter is not supported. Pass a single os/arch to extract oc adm release info quay.io/openshift-release-dev/ocp-release:4.2.2 --filter-by-os=linux/s390x
2.8.1.35. oc adm release mirror
Miroir d'une version vers un autre emplacement du registre d'images
Exemple d'utilisation
# Perform a dry run showing what would be mirrored, including the mirror objects oc adm release mirror 4.3.0 --to myregistry.local/openshift/release \ --release-image-signature-to-dir /tmp/releases --dry-run # Mirror a release into the current directory oc adm release mirror 4.3.0 --to file://openshift/release \ --release-image-signature-to-dir /tmp/releases # Mirror a release to another directory in the default location oc adm release mirror 4.3.0 --to-dir /tmp/releases # Upload a release from the current directory to another server oc adm release mirror --from file://openshift/release --to myregistry.com/openshift/release \ --release-image-signature-to-dir /tmp/releases # Mirror the 4.3.0 release to repository registry.example.com and apply signatures to connected cluster oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release:4.3.0-x86_64 \ --to=registry.example.com/your/repository --apply-release-image-signature
2.8.1.36. oc adm release new
Créer une nouvelle version d'OpenShift
Exemple d'utilisation
# Create a release from the latest origin images and push to a DockerHub repo oc adm release new --from-image-stream=4.1 -n origin --to-image docker.io/mycompany/myrepo:latest # Create a new release with updated metadata from a previous release oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1 --name 4.1.1 \ --previous 4.1.0 --metadata ... --to-image docker.io/mycompany/myrepo:latest # Create a new release and override a single image oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1 \ cli=docker.io/mycompany/cli:latest --to-image docker.io/mycompany/myrepo:latest # Run a verification pass to ensure the release can be reproduced oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1
2.8.1.37. oc adm taint
Mise à jour des taches sur un ou plusieurs nœuds
Exemple d'utilisation
# Update node 'foo' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule' # If a taint with that key and effect already exists, its value is replaced as specified oc adm taint nodes foo dedicated=special-user:NoSchedule # Remove from node 'foo' the taint with key 'dedicated' and effect 'NoSchedule' if one exists oc adm taint nodes foo dedicated:NoSchedule- # Remove from node 'foo' all the taints with key 'dedicated' oc adm taint nodes foo dedicated- # Add a taint with key 'dedicated' on nodes having label mylabel=X oc adm taint node -l myLabel=X dedicated=foo:PreferNoSchedule # Add to node 'foo' a taint with key 'bar' and no value oc adm taint nodes foo bar:NoSchedule
2.8.1.38. oc adm top images
Afficher les statistiques d'utilisation des images
Exemple d'utilisation
# Show usage statistics for images oc adm top images
2.8.1.39. oc adm top imagestreams
Afficher les statistiques d'utilisation des flux d'images
Exemple d'utilisation
# Show usage statistics for image streams oc adm top imagestreams
2.8.1.40. oc adm top node
Affichage de l'utilisation des ressources (CPU/mémoire) des nœuds
Exemple d'utilisation
# Show metrics for all nodes oc adm top node # Show metrics for a given node oc adm top node NODE_NAME
2.8.1.41. oc adm top pod
Afficher l'utilisation des ressources (CPU/mémoire) des pods
Exemple d'utilisation
# Show metrics for all pods in the default namespace oc adm top pod # Show metrics for all pods in the given namespace oc adm top pod --namespace=NAMESPACE # Show metrics for a given pod and its containers oc adm top pod POD_NAME --containers # Show metrics for the pods defined by label name=myLabel oc adm top pod -l name=myLabel
2.8.1.42. oc adm uncordon
Marquer le nœud comme planifiable
Exemple d'utilisation
# Mark node "foo" as schedulable oc adm uncordon foo
2.8.1.43. oc adm upgrade
Mettre à niveau un cluster ou ajuster le canal de mise à niveau
Exemple d'utilisation
# Review the available cluster updates oc adm upgrade # Update to the latest version oc adm upgrade --to-latest=true
2.8.1.44. oc adm verify-image-signature
Vérifier l'identité de l'image contenue dans la signature de l'image
Exemple d'utilisation
# Verify the image signature and identity using the local GPG keychain oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \ --expected-identity=registry.local:5000/foo/bar:v1 # Verify the image signature and identity using the local GPG keychain and save the status oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \ --expected-identity=registry.local:5000/foo/bar:v1 --save # Verify the image signature and identity via exposed registry route oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \ --expected-identity=registry.local:5000/foo/bar:v1 \ --registry-url=docker-registry.foo.com # Remove all signature verifications from the image oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --remove-all
