Red Hat Summit2.8. Référence des commandes de l'administrateur de la CLI d'OpenShift
Cette référence fournit des descriptions et des exemples de commandes pour les commandes administrateur de l'OpenShift CLI (oc). Vous devez disposer de cluster-admin ou d'autorisations équivalentes pour utiliser ces commandes.
Pour les commandes de développeur, voir la référence des commandes de développeur de l'OpenShift CLI.
Exécutez oc adm -h pour obtenir la liste de toutes les commandes de l'administrateur ou exécutez oc <command> --help pour obtenir des détails supplémentaires sur une commande spécifique.
2.8.1. Commandes de l'administrateur OpenShift CLI (oc)
2.8.1.1. oc adm build-chain
Produire les entrées et les dépendances de vos constructions
Exemple d'utilisation
# Build the dependency tree for the 'latest' tag in <image-stream>
oc adm build-chain <image-stream>
# Build the dependency tree for the 'v2' tag in dot format and visualize it via the dot utility
oc adm build-chain <image-stream>:v2 -o dot | dot -T svg -o deps.svg
# Build the dependency tree across all namespaces for the specified image stream tag found in the 'test' namespace
oc adm build-chain <image-stream> -n test --all2.8.1.2. oc adm catalogue mirror
Miroir d'un catalogue de registres d'opérateurs
Exemple d'utilisation
# Mirror an operator-registry image and its contents to a registry
oc adm catalog mirror quay.io/my/image:latest myregistry.com
# Mirror an operator-registry image and its contents to a particular namespace in a registry
oc adm catalog mirror quay.io/my/image:latest myregistry.com/my-namespace
# Mirror to an airgapped registry by first mirroring to files
oc adm catalog mirror quay.io/my/image:latest file:///local/index
oc adm catalog mirror file:///local/index/my/image:latest my-airgapped-registry.com
# Configure a cluster to use a mirrored registry
oc apply -f manifests/imageContentSourcePolicy.yaml
# Edit the mirroring mappings and mirror with "oc image mirror" manually
oc adm catalog mirror --manifests-only quay.io/my/image:latest myregistry.com
oc image mirror -f manifests/mapping.txt
# Delete all ImageContentSourcePolicies generated by oc adm catalog mirror
oc delete imagecontentsourcepolicy -l operators.openshift.org/catalog=true2.8.1.3. certificat oc adm approuver
Approuver une demande de signature de certificat
Exemple d'utilisation
# Approve CSR 'csr-sqgzp'
oc adm certificate approve csr-sqgzp2.8.1.4. oc adm certificat deny
Refuser une demande de signature de certificat
Exemple d'utilisation
# Deny CSR 'csr-sqgzp'
oc adm certificate deny csr-sqgzp2.8.1.5. oc adm cordon
Marquer le nœud comme non maîtrisable
Exemple d'utilisation
# Mark node "foo" as unschedulable
oc adm cordon foo2.8.1.6. oc adm create-bootstrap-project-template
Créer un modèle de projet bootstrap
Exemple d'utilisation
# Output a bootstrap project template in YAML format to stdout
oc adm create-bootstrap-project-template -o yaml2.8.1.7. oc adm create-error-template
Créer un modèle de page d'erreur
Exemple d'utilisation
# Output a template for the error page to stdout
oc adm create-error-template2.8.1.8. oc adm create-login-template
Créer un modèle de connexion
Exemple d'utilisation
# Output a template for the login page to stdout
oc adm create-login-template2.8.1.9. oc adm create-provider-selection-template (modèle de sélection du fournisseur)
Créer un modèle de sélection des fournisseurs
Exemple d'utilisation
# Output a template for the provider selection page to stdout
oc adm create-provider-selection-template2.8.1.10. oc adm drain
Drainage du nœud en vue de l'entretien
Exemple d'utilisation
# Drain node "foo", even if there are pods not managed by a replication controller, replica set, job, daemon set or stateful set on it
oc adm drain foo --force
# As above, but abort if there are pods not managed by a replication controller, replica set, job, daemon set or stateful set, and use a grace period of 15 minutes
oc adm drain foo --grace-period=9002.8.1.11. oc adm groups add-users
Ajouter des utilisateurs à un groupe
Exemple d'utilisation
# Add user1 and user2 to my-group
oc adm groups add-users my-group user1 user22.8.1.12. oc adm groups new
Créer un nouveau groupe
Exemple d'utilisation
# Add a group with no users
oc adm groups new my-group
# Add a group with two users
oc adm groups new my-group user1 user2
# Add a group with one user and shorter output
oc adm groups new my-group user1 -o name2.8.1.13. oc adm groups prune
Supprimer d'anciens groupes OpenShift référençant des enregistrements manquants d'un fournisseur externe
Exemple d'utilisation
# Prune all orphaned groups
oc adm groups prune --sync-config=/path/to/ldap-sync-config.yaml --confirm
# Prune all orphaned groups except the ones from the blacklist file
oc adm groups prune --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
# Prune all orphaned groups from a list of specific groups specified in a whitelist file
oc adm groups prune --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
# Prune all orphaned groups from a list of specific groups specified in a whitelist
oc adm groups prune groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm2.8.1.14. oc adm groups remove-users
Supprimer des utilisateurs d'un groupe
Exemple d'utilisation
# Remove user1 and user2 from my-group
oc adm groups remove-users my-group user1 user22.8.1.15. oc adm groups sync
Synchroniser les groupes OpenShift avec les enregistrements d'un fournisseur externe
Exemple d'utilisation
# Sync all groups with an LDAP server
oc adm groups sync --sync-config=/path/to/ldap-sync-config.yaml --confirm
# Sync all groups except the ones from the blacklist file with an LDAP server
oc adm groups sync --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
# Sync specific groups specified in a whitelist file with an LDAP server
oc adm groups sync --whitelist=/path/to/whitelist.txt --sync-config=/path/to/sync-config.yaml --confirm
# Sync all OpenShift groups that have been synced previously with an LDAP server
oc adm groups sync --type=openshift --sync-config=/path/to/ldap-sync-config.yaml --confirm
# Sync specific OpenShift groups if they have been synced previously with an LDAP server
oc adm groups sync groups/group1 groups/group2 groups/group3 --sync-config=/path/to/sync-config.yaml --confirm2.8.1.16. oc adm inspect
Collecte des données de débogage pour une ressource donnée
Exemple d'utilisation
# Collect debugging data for the "openshift-apiserver" clusteroperator
oc adm inspect clusteroperator/openshift-apiserver
# Collect debugging data for the "openshift-apiserver" and "kube-apiserver" clusteroperators
oc adm inspect clusteroperator/openshift-apiserver clusteroperator/kube-apiserver
# Collect debugging data for all clusteroperators
oc adm inspect clusteroperator
# Collect debugging data for all clusteroperators and clusterversions
oc adm inspect clusteroperators,clusterversions2.8.1.17. oc adm migrate template-instances
Mettre à jour les instances de modèles pour qu'elles pointent vers les derniers types de versions de groupes
Exemple d'utilisation
# Perform a dry-run of updating all objects
oc adm migrate template-instances
# To actually perform the update, the confirm flag must be appended
oc adm migrate template-instances --confirm2.8.1.18. oc adm must-gather
Lancer une nouvelle instance d'un pod pour recueillir des informations de débogage
Exemple d'utilisation
# Gather information using the default plug-in image and command, writing into ./must-gather.local.<rand>
oc adm must-gather
# Gather information with a specific local folder to copy to
oc adm must-gather --dest-dir=/local/directory
# Gather audit information
oc adm must-gather -- /usr/bin/gather_audit_logs
# Gather information using multiple plug-in images
oc adm must-gather --image=quay.io/kubevirt/must-gather --image=quay.io/openshift/origin-must-gather
# Gather information using a specific image stream plug-in
oc adm must-gather --image-stream=openshift/must-gather:latest
# Gather information using a specific image, command, and pod-dir
oc adm must-gather --image=my/image:tag --source-dir=/pod/directory -- myspecial-command.sh2.8.1.19. oc adm new-project
Créer un nouveau projet
Exemple d'utilisation
# Create a new project using a node selector
oc adm new-project myproject --node-selector='type=user-node,region=east'2.8.1.20. oc adm node-logs
Afficher et filtrer les journaux des nœuds
Exemple d'utilisation
# Show kubelet logs from all masters
oc adm node-logs --role master -u kubelet
# See what logs are available in masters in /var/logs
oc adm node-logs --role master --path=/
# Display cron log file from all masters
oc adm node-logs --role master --path=cron2.8.1.21. oc adm pod-network isolate-projects
Isoler le réseau de projets
Exemple d'utilisation
# Provide isolation for project p1
oc adm pod-network isolate-projects <p1>
# Allow all projects with label name=top-secret to have their own isolated project network
oc adm pod-network isolate-projects --selector='name=top-secret'2.8.1.22. oc adm pod-network join-projects
Rejoindre le réseau de projets
Exemple d'utilisation
# Allow project p2 to use project p1 network
oc adm pod-network join-projects --to=<p1> <p2>
# Allow all projects with label name=top-secret to use project p1 network
oc adm pod-network join-projects --to=<p1> --selector='name=top-secret'2.8.1.23. oc adm pod-network make-projects-global
Faire du réseau de projets un réseau mondial
Exemple d'utilisation
# Allow project p1 to access all pods in the cluster and vice versa
oc adm pod-network make-projects-global <p1>
# Allow all projects with label name=share to access all pods in the cluster and vice versa
oc adm pod-network make-projects-global --selector='name=share'2.8.1.24. oc adm policy add-role-to-user
Ajouter un rôle aux utilisateurs ou aux comptes de service pour le projet en cours
Exemple d'utilisation
# Add the 'view' role to user1 for the current project
oc adm policy add-role-to-user view user1
# Add the 'edit' role to serviceaccount1 for the current project
oc adm policy add-role-to-user edit -z serviceaccount12.8.1.25. oc adm policy add-scc-to-group
Ajouter une contrainte de contexte de sécurité aux groupes
Exemple d'utilisation
# Add the 'restricted' security context constraint to group1 and group2
oc adm policy add-scc-to-group restricted group1 group22.8.1.26. oc adm policy add-scc-to-user
Ajouter une contrainte de contexte de sécurité aux utilisateurs ou à un compte de service
Exemple d'utilisation
# Add the 'restricted' security context constraint to user1 and user2
oc adm policy add-scc-to-user restricted user1 user2
# Add the 'privileged' security context constraint to serviceaccount1 in the current namespace
oc adm policy add-scc-to-user privileged -z serviceaccount12.8.1.27. oc adm policy scc-review
Vérifier quel compte de service peut créer un pod
Exemple d'utilisation
# Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml
# Service Account specified in myresource.yaml file is ignored
oc adm policy scc-review -z sa1,sa2 -f my_resource.yaml
# Check whether service accounts system:serviceaccount:bob:default can admit a pod with a template pod spec specified in my_resource.yaml
oc adm policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml
# Check whether the service account specified in my_resource_with_sa.yaml can admit the pod
oc adm policy scc-review -f my_resource_with_sa.yaml
# Check whether the default service account can admit the pod; default is taken since no service account is defined in myresource_with_no_sa.yaml
oc adm policy scc-review -f myresource_with_no_sa.yaml2.8.1.28. politique de l'oc adm scc-subject-review
Vérifier si un utilisateur ou un compte de service peut créer un pod
Exemple d'utilisation
# Check whether user bob can create a pod specified in myresource.yaml
oc adm policy scc-subject-review -u bob -f myresource.yaml
# Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml
oc adm policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml
# Check whether a service account specified in the pod template spec in myresourcewithsa.yaml can create the pod
oc adm policy scc-subject-review -f myresourcewithsa.yaml2.8.1.29. oc adm prune builds
Supprimer les anciennes constructions achevées et celles qui ont échoué
Exemple d'utilisation
# Dry run deleting older completed and failed builds and also including
# all builds whose associated build config no longer exists
oc adm prune builds --orphans
# To actually perform the prune operation, the confirm flag must be appended
oc adm prune builds --orphans --confirm2.8.1.30. oc adm prune deployments
Suppression des anciennes configurations de déploiement terminées ou ayant échoué
Exemple d'utilisation
# Dry run deleting all but the last complete deployment for every deployment config
oc adm prune deployments --keep-complete=1
# To actually perform the prune operation, the confirm flag must be appended
oc adm prune deployments --keep-complete=1 --confirm2.8.1.31. oc adm prune groups
Supprimer d'anciens groupes OpenShift référençant des enregistrements manquants d'un fournisseur externe
Exemple d'utilisation
# Prune all orphaned groups
oc adm prune groups --sync-config=/path/to/ldap-sync-config.yaml --confirm
# Prune all orphaned groups except the ones from the blacklist file
oc adm prune groups --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
# Prune all orphaned groups from a list of specific groups specified in a whitelist file
oc adm prune groups --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
# Prune all orphaned groups from a list of specific groups specified in a whitelist
oc adm prune groups groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm2.8.1.32. oc adm prune images
Supprimer les images non référencées
Exemple d'utilisation
# See what the prune command would delete if only images and their referrers were more than an hour old
# and obsoleted by 3 newer revisions under the same tag were considered
oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m
# To actually perform the prune operation, the confirm flag must be appended
oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm
# See what the prune command would delete if we are interested in removing images
# exceeding currently set limit ranges ('openshift.io/Image')
oc adm prune images --prune-over-size-limit
# To actually perform the prune operation, the confirm flag must be appended
oc adm prune images --prune-over-size-limit --confirm
# Force the insecure http protocol with the particular registry host name
oc adm prune images --registry-url=http://registry.example.org --confirm
# Force a secure connection with a custom certificate authority to the particular registry host name
oc adm prune images --registry-url=registry.example.org --certificate-authority=/path/to/custom/ca.crt --confirm2.8.1.33. oc adm release extract
Extraire le contenu d'une charge utile de mise à jour sur le disque
Exemple d'utilisation
# Use git to check out the source code for the current cluster release to DIR
oc adm release extract --git=DIR
# Extract cloud credential requests for AWS
oc adm release extract --credentials-requests --cloud=aws
# Use git to check out the source code for the current cluster release to DIR from linux/s390x image
# Note: Wildcard filter is not supported. Pass a single os/arch to extract
oc adm release extract --git=DIR quay.io/openshift-release-dev/ocp-release:4.2.2 --filter-by-os=linux/s390x2.8.1.34. oc adm release info
Afficher des informations sur une version
Exemple d'utilisation
# Show information about the cluster's current release
oc adm release info
# Show the source code that comprises a release
oc adm release info 4.2.2 --commit-urls
# Show the source code difference between two releases
oc adm release info 4.2.0 4.2.2 --commits
# Show where the images referenced by the release are located
oc adm release info quay.io/openshift-release-dev/ocp-release:4.2.2 --pullspecs
# Show information about linux/s390x image
# Note: Wildcard filter is not supported. Pass a single os/arch to extract
oc adm release info quay.io/openshift-release-dev/ocp-release:4.2.2 --filter-by-os=linux/s390x2.8.1.35. oc adm release mirror
Miroir d'une version vers un autre emplacement du registre d'images
Exemple d'utilisation
# Perform a dry run showing what would be mirrored, including the mirror objects
oc adm release mirror 4.3.0 --to myregistry.local/openshift/release \
--release-image-signature-to-dir /tmp/releases --dry-run
# Mirror a release into the current directory
oc adm release mirror 4.3.0 --to file://openshift/release \
--release-image-signature-to-dir /tmp/releases
# Mirror a release to another directory in the default location
oc adm release mirror 4.3.0 --to-dir /tmp/releases
# Upload a release from the current directory to another server
oc adm release mirror --from file://openshift/release --to myregistry.com/openshift/release \
--release-image-signature-to-dir /tmp/releases
# Mirror the 4.3.0 release to repository registry.example.com and apply signatures to connected cluster
oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release:4.3.0-x86_64 \
--to=registry.example.com/your/repository --apply-release-image-signature2.8.1.36. oc adm release new
Créer une nouvelle version d'OpenShift
Exemple d'utilisation
# Create a release from the latest origin images and push to a DockerHub repo
oc adm release new --from-image-stream=4.1 -n origin --to-image docker.io/mycompany/myrepo:latest
# Create a new release with updated metadata from a previous release
oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1 --name 4.1.1 \
--previous 4.1.0 --metadata ... --to-image docker.io/mycompany/myrepo:latest
# Create a new release and override a single image
oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1 \
cli=docker.io/mycompany/cli:latest --to-image docker.io/mycompany/myrepo:latest
# Run a verification pass to ensure the release can be reproduced
oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.12.8.1.37. oc adm taint
Mise à jour des taches sur un ou plusieurs nœuds
Exemple d'utilisation
# Update node 'foo' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule'
# If a taint with that key and effect already exists, its value is replaced as specified
oc adm taint nodes foo dedicated=special-user:NoSchedule
# Remove from node 'foo' the taint with key 'dedicated' and effect 'NoSchedule' if one exists
oc adm taint nodes foo dedicated:NoSchedule-
# Remove from node 'foo' all the taints with key 'dedicated'
oc adm taint nodes foo dedicated-
# Add a taint with key 'dedicated' on nodes having label mylabel=X
oc adm taint node -l myLabel=X dedicated=foo:PreferNoSchedule
# Add to node 'foo' a taint with key 'bar' and no value
oc adm taint nodes foo bar:NoSchedule2.8.1.38. oc adm top images
Afficher les statistiques d'utilisation des images
Exemple d'utilisation
# Show usage statistics for images
oc adm top images2.8.1.39. oc adm top imagestreams
Afficher les statistiques d'utilisation des flux d'images
Exemple d'utilisation
# Show usage statistics for image streams
oc adm top imagestreams2.8.1.40. oc adm top node
Affichage de l'utilisation des ressources (CPU/mémoire) des nœuds
Exemple d'utilisation
# Show metrics for all nodes
oc adm top node
# Show metrics for a given node
oc adm top node NODE_NAME2.8.1.41. oc adm top pod
Afficher l'utilisation des ressources (CPU/mémoire) des pods
Exemple d'utilisation
# Show metrics for all pods in the default namespace
oc adm top pod
# Show metrics for all pods in the given namespace
oc adm top pod --namespace=NAMESPACE
# Show metrics for a given pod and its containers
oc adm top pod POD_NAME --containers
# Show metrics for the pods defined by label name=myLabel
oc adm top pod -l name=myLabel2.8.1.42. oc adm uncordon
Marquer le nœud comme planifiable
Exemple d'utilisation
# Mark node "foo" as schedulable
oc adm uncordon foo2.8.1.43. oc adm upgrade
Mettre à niveau un cluster ou ajuster le canal de mise à niveau
Exemple d'utilisation
# Review the available cluster updates
oc adm upgrade
# Update to the latest version
oc adm upgrade --to-latest=true2.8.1.44. oc adm verify-image-signature
Vérifier l'identité de l'image contenue dans la signature de l'image
Exemple d'utilisation
# Verify the image signature and identity using the local GPG keychain
oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
--expected-identity=registry.local:5000/foo/bar:v1
# Verify the image signature and identity using the local GPG keychain and save the status
oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
--expected-identity=registry.local:5000/foo/bar:v1 --save
# Verify the image signature and identity via exposed registry route
oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
--expected-identity=registry.local:5000/foo/bar:v1 \
--registry-url=docker-registry.foo.com
# Remove all signature verifications from the image
oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --remove-all
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}