2.8. OpenShift CLI 관리자 명령 참조
이 참조는 OpenShift CLI (oc
) 관리자 명령에 대한 설명 및 예제 명령을 제공합니다. 이러한 명령을 사용하려면 cluster-admin
또는 이와 동등한 권한이 있어야 합니다.
개발자 명령의 경우 OpenShift CLI 개발자 명령 참조를 참조하십시오.
oc adm -h
를 실행하여 모든 관리자 명령을 나열하거나 oc <command> --help
를 실행하여 특정 명령에 대한 추가 세부 정보를 가져옵니다.
2.8.1. OpenShift CLI (oc) 관리자 명령
2.8.1.1. oc adm build-chain
빌드의 입력 및 종속 항목을 출력
사용 예
# Build the dependency tree for the 'latest' tag in <image-stream> oc adm build-chain <image-stream> # Build the dependency tree for the 'v2' tag in dot format and visualize it via the dot utility oc adm build-chain <image-stream>:v2 -o dot | dot -T svg -o deps.svg # Build the dependency tree across all namespaces for the specified image stream tag found in the 'test' namespace oc adm build-chain <image-stream> -n test --all
2.8.1.2. oc adm catalog mirror
operator-registry 카탈로그 미러링
사용 예
# Mirror an operator-registry image and its contents to a registry oc adm catalog mirror quay.io/my/image:latest myregistry.com # Mirror an operator-registry image and its contents to a particular namespace in a registry oc adm catalog mirror quay.io/my/image:latest myregistry.com/my-namespace # Mirror to an airgapped registry by first mirroring to files oc adm catalog mirror quay.io/my/image:latest file:///local/index oc adm catalog mirror file:///local/index/my/image:latest my-airgapped-registry.com # Configure a cluster to use a mirrored registry oc apply -f manifests/imageContentSourcePolicy.yaml # Edit the mirroring mappings and mirror with "oc image mirror" manually oc adm catalog mirror --manifests-only quay.io/my/image:latest myregistry.com oc image mirror -f manifests/mapping.txt # Delete all ImageContentSourcePolicies generated by oc adm catalog mirror oc delete imagecontentsourcepolicy -l operators.openshift.org/catalog=true
2.8.1.3. oc adm certificate approve
인증서 서명 요청 승인
사용 예
# Approve CSR 'csr-sqgzp' oc adm certificate approve csr-sqgzp
2.8.1.4. oc adm certificate deny
인증서 서명 요청 거부
사용 예
# Deny CSR 'csr-sqgzp' oc adm certificate deny csr-sqgzp
2.8.1.5. oc adm cordon
노드를 예약 불가로 표시
사용 예
# Mark node "foo" as unschedulable oc adm cordon foo
2.8.1.6. oc adm create-bootstrap-project-template
부트스트랩 프로젝트 템플릿을 생성
사용 예
# Output a bootstrap project template in YAML format to stdout oc adm create-bootstrap-project-template -o yaml
2.8.1.7. oc adm create-error-template
오류 페이지 템플릿 생성
사용 예
# Output a template for the error page to stdout oc adm create-error-template
2.8.1.8. oc adm create-login-template
로그인 템플릿 생성
사용 예
# Output a template for the login page to stdout oc adm create-login-template
2.8.1.9. oc adm create-provider-selection-template
공급자 선택 템플릿 생성
사용 예
# Output a template for the provider selection page to stdout oc adm create-provider-selection-template
2.8.1.10. oc adm drain
유지 관리를 위해 노드를 드레이닝
사용 예
# Drain node "foo", even if there are pods not managed by a replication controller, replica set, job, daemon set or stateful set on it oc adm drain foo --force # As above, but abort if there are pods not managed by a replication controller, replica set, job, daemon set or stateful set, and use a grace period of 15 minutes oc adm drain foo --grace-period=900
2.8.1.11. oc adm groups add-users
그룹에 사용자 추가
사용 예
# Add user1 and user2 to my-group oc adm groups add-users my-group user1 user2
2.8.1.12. oc adm groups new
새 그룹 생성
사용 예
# Add a group with no users oc adm groups new my-group # Add a group with two users oc adm groups new my-group user1 user2 # Add a group with one user and shorter output oc adm groups new my-group user1 -o name
2.8.1.13. oc adm groups prune
외부 공급자에서 누락된 레코드를 참조하는 이전 OpenShift 그룹 제거
사용 예
# Prune all orphaned groups oc adm groups prune --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups except the ones from the blacklist file oc adm groups prune --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist file oc adm groups prune --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist oc adm groups prune groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm
2.8.1.14. oc adm groups remove-users
그룹에서 사용자 제거
사용 예
# Remove user1 and user2 from my-group oc adm groups remove-users my-group user1 user2
2.8.1.15. oc adm groups sync
외부 공급자에서 레코드와 OpenShift 그룹 동기화
사용 예
# Sync all groups with an LDAP server oc adm groups sync --sync-config=/path/to/ldap-sync-config.yaml --confirm # Sync all groups except the ones from the blacklist file with an LDAP server oc adm groups sync --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Sync specific groups specified in a whitelist file with an LDAP server oc adm groups sync --whitelist=/path/to/whitelist.txt --sync-config=/path/to/sync-config.yaml --confirm # Sync all OpenShift groups that have been synced previously with an LDAP server oc adm groups sync --type=openshift --sync-config=/path/to/ldap-sync-config.yaml --confirm # Sync specific OpenShift groups if they have been synced previously with an LDAP server oc adm groups sync groups/group1 groups/group2 groups/group3 --sync-config=/path/to/sync-config.yaml --confirm
2.8.1.16. oc adm inspect
지정된 리소스에 대한 디버깅 데이터 수집
사용 예
# Collect debugging data for the "openshift-apiserver" clusteroperator oc adm inspect clusteroperator/openshift-apiserver # Collect debugging data for the "openshift-apiserver" and "kube-apiserver" clusteroperators oc adm inspect clusteroperator/openshift-apiserver clusteroperator/kube-apiserver # Collect debugging data for all clusteroperators oc adm inspect clusteroperator # Collect debugging data for all clusteroperators and clusterversions oc adm inspect clusteroperators,clusterversions
2.8.1.17. oc adm migrate template-instances
최신 group-version-kinds를 가리키도록 템플릿 인스턴스를 업데이트
사용 예
# Perform a dry-run of updating all objects oc adm migrate template-instances # To actually perform the update, the confirm flag must be appended oc adm migrate template-instances --confirm
2.8.1.18. oc adm must-gather
디버그 정보 수집을 위해 Pod의 새 인스턴스를 시작
사용 예
# Gather information using the default plug-in image and command, writing into ./must-gather.local.<rand> oc adm must-gather # Gather information with a specific local folder to copy to oc adm must-gather --dest-dir=/local/directory # Gather audit information oc adm must-gather -- /usr/bin/gather_audit_logs # Gather information using multiple plug-in images oc adm must-gather --image=quay.io/kubevirt/must-gather --image=quay.io/openshift/origin-must-gather # Gather information using a specific image stream plug-in oc adm must-gather --image-stream=openshift/must-gather:latest # Gather information using a specific image, command, and pod-dir oc adm must-gather --image=my/image:tag --source-dir=/pod/directory -- myspecial-command.sh
2.8.1.19. oc adm new-project
새 프로젝트 생성
사용 예
# Create a new project using a node selector oc adm new-project myproject --node-selector='type=user-node,region=east'
2.8.1.20. oc adm node-logs
노드 로그를 표시하고 필터링
사용 예
# Show kubelet logs from all masters oc adm node-logs --role master -u kubelet # See what logs are available in masters in /var/logs oc adm node-logs --role master --path=/ # Display cron log file from all masters oc adm node-logs --role master --path=cron
2.8.1.21. oc adm pod-network isolate-projects
프로젝트 네트워크 격리
사용 예
# Provide isolation for project p1 oc adm pod-network isolate-projects <p1> # Allow all projects with label name=top-secret to have their own isolated project network oc adm pod-network isolate-projects --selector='name=top-secret'
2.8.1.22. oc adm pod-network join-projects
프로젝트 네트워크 참여
사용 예
# Allow project p2 to use project p1 network oc adm pod-network join-projects --to=<p1> <p2> # Allow all projects with label name=top-secret to use project p1 network oc adm pod-network join-projects --to=<p1> --selector='name=top-secret'
2.8.1.23. oc adm pod-network make-projects-global
프로젝트 네트워크 글로벌 만들기
사용 예
# Allow project p1 to access all pods in the cluster and vice versa oc adm pod-network make-projects-global <p1> # Allow all projects with label name=share to access all pods in the cluster and vice versa oc adm pod-network make-projects-global --selector='name=share'
2.8.1.24. oc adm policy add-role-to-user
현재 프로젝트의 사용자 또는 서비스 계정에 역할을 추가
사용 예
# Add the 'view' role to user1 for the current project oc adm policy add-role-to-user view user1 # Add the 'edit' role to serviceaccount1 for the current project oc adm policy add-role-to-user edit -z serviceaccount1
2.8.1.25. oc adm policy add-scc-to-group
그룹에 보안 컨텍스트 제한 조건 추가
사용 예
# Add the 'restricted' security context constraint to group1 and group2 oc adm policy add-scc-to-group restricted group1 group2
2.8.1.26. oc adm policy add-scc-to-user
사용자 또는 서비스 계정에 보안 컨텍스트 제약 조건 추가
사용 예
# Add the 'restricted' security context constraint to user1 and user2 oc adm policy add-scc-to-user restricted user1 user2 # Add the 'privileged' security context constraint to serviceaccount1 in the current namespace oc adm policy add-scc-to-user privileged -z serviceaccount1
2.8.1.27. oc adm policy scc-review
Pod를 생성할 수 있는 서비스 계정을 확인
사용 예
# Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml # Service Account specified in myresource.yaml file is ignored oc adm policy scc-review -z sa1,sa2 -f my_resource.yaml # Check whether service accounts system:serviceaccount:bob:default can admit a pod with a template pod spec specified in my_resource.yaml oc adm policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml # Check whether the service account specified in my_resource_with_sa.yaml can admit the pod oc adm policy scc-review -f my_resource_with_sa.yaml # Check whether the default service account can admit the pod; default is taken since no service account is defined in myresource_with_no_sa.yaml oc adm policy scc-review -f myresource_with_no_sa.yaml
2.8.1.28. oc adm policy scc-subject-review
사용자 또는 서비스 계정의 Pod 생성 가능 여부 확인
사용 예
# Check whether user bob can create a pod specified in myresource.yaml oc adm policy scc-subject-review -u bob -f myresource.yaml # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml oc adm policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml # Check whether a service account specified in the pod template spec in myresourcewithsa.yaml can create the pod oc adm policy scc-subject-review -f myresourcewithsa.yaml
2.8.1.29. oc adm prune 빌드
이전 빌드 및 실패한 빌드 삭제
사용 예
# Dry run deleting older completed and failed builds and also including # all builds whose associated build config no longer exists oc adm prune builds --orphans # To actually perform the prune operation, the confirm flag must be appended oc adm prune builds --orphans --confirm
2.8.1.30. oc adm prune deployment
이전 완료 및 실패한 배포 구성 제거
사용 예
# Dry run deleting all but the last complete deployment for every deployment config oc adm prune deployments --keep-complete=1 # To actually perform the prune operation, the confirm flag must be appended oc adm prune deployments --keep-complete=1 --confirm
2.8.1.31. oc adm prune groups
외부 공급자에서 누락된 레코드를 참조하는 이전 OpenShift 그룹 제거
사용 예
# Prune all orphaned groups oc adm prune groups --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups except the ones from the blacklist file oc adm prune groups --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist file oc adm prune groups --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist oc adm prune groups groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm
2.8.1.32. oc adm prune images
권장되지 않은 이미지 제거
사용 예
# See what the prune command would delete if only images and their referrers were more than an hour old # and obsoleted by 3 newer revisions under the same tag were considered oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m # To actually perform the prune operation, the confirm flag must be appended oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm # See what the prune command would delete if we are interested in removing images # exceeding currently set limit ranges ('openshift.io/Image') oc adm prune images --prune-over-size-limit # To actually perform the prune operation, the confirm flag must be appended oc adm prune images --prune-over-size-limit --confirm # Force the insecure http protocol with the particular registry host name oc adm prune images --registry-url=http://registry.example.org --confirm # Force a secure connection with a custom certificate authority to the particular registry host name oc adm prune images --registry-url=registry.example.org --certificate-authority=/path/to/custom/ca.crt --confirm
2.8.1.33. oc adm release extract
업데이트 페이로드 내용을 디스크에 추출
사용 예
# Use git to check out the source code for the current cluster release to DIR oc adm release extract --git=DIR # Extract cloud credential requests for AWS oc adm release extract --credentials-requests --cloud=aws # Use git to check out the source code for the current cluster release to DIR from linux/s390x image # Note: Wildcard filter is not supported. Pass a single os/arch to extract oc adm release extract --git=DIR quay.io/openshift-release-dev/ocp-release:4.2.2 --filter-by-os=linux/s390x
2.8.1.34. oc adm release info
릴리스에 대한 정보 표시
사용 예
# Show information about the cluster's current release oc adm release info # Show the source code that comprises a release oc adm release info 4.2.2 --commit-urls # Show the source code difference between two releases oc adm release info 4.2.0 4.2.2 --commits # Show where the images referenced by the release are located oc adm release info quay.io/openshift-release-dev/ocp-release:4.2.2 --pullspecs # Show information about linux/s390x image # Note: Wildcard filter is not supported. Pass a single os/arch to extract oc adm release info quay.io/openshift-release-dev/ocp-release:4.2.2 --filter-by-os=linux/s390x
2.8.1.35. oc adm release mirror
다른 이미지 레지스트리 위치에 릴리스 미러링
사용 예
# Perform a dry run showing what would be mirrored, including the mirror objects oc adm release mirror 4.3.0 --to myregistry.local/openshift/release \ --release-image-signature-to-dir /tmp/releases --dry-run # Mirror a release into the current directory oc adm release mirror 4.3.0 --to file://openshift/release \ --release-image-signature-to-dir /tmp/releases # Mirror a release to another directory in the default location oc adm release mirror 4.3.0 --to-dir /tmp/releases # Upload a release from the current directory to another server oc adm release mirror --from file://openshift/release --to myregistry.com/openshift/release \ --release-image-signature-to-dir /tmp/releases # Mirror the 4.3.0 release to repository registry.example.com and apply signatures to connected cluster oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release:4.3.0-x86_64 \ --to=registry.example.com/your/repository --apply-release-image-signature
2.8.1.36. oc adm release new
새 OpenShift 릴리스 생성
사용 예
# Create a release from the latest origin images and push to a DockerHub repo oc adm release new --from-image-stream=4.1 -n origin --to-image docker.io/mycompany/myrepo:latest # Create a new release with updated metadata from a previous release oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1 --name 4.1.1 \ --previous 4.1.0 --metadata ... --to-image docker.io/mycompany/myrepo:latest # Create a new release and override a single image oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1 \ cli=docker.io/mycompany/cli:latest --to-image docker.io/mycompany/myrepo:latest # Run a verification pass to ensure the release can be reproduced oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1
2.8.1.37. oc adm taint
하나 이상의 노드에서 테인트를 업데이트
사용 예
# Update node 'foo' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule' # If a taint with that key and effect already exists, its value is replaced as specified oc adm taint nodes foo dedicated=special-user:NoSchedule # Remove from node 'foo' the taint with key 'dedicated' and effect 'NoSchedule' if one exists oc adm taint nodes foo dedicated:NoSchedule- # Remove from node 'foo' all the taints with key 'dedicated' oc adm taint nodes foo dedicated- # Add a taint with key 'dedicated' on nodes having label mylabel=X oc adm taint node -l myLabel=X dedicated=foo:PreferNoSchedule # Add to node 'foo' a taint with key 'bar' and no value oc adm taint nodes foo bar:NoSchedule
2.8.1.38. oc adm top images
이미지에 대한 사용량 통계 표시
사용 예
# Show usage statistics for images oc adm top images
2.8.1.39. oc adm top imagestreams
이미지 스트림에 대한 사용량 통계 표시
사용 예
# Show usage statistics for image streams oc adm top imagestreams
2.8.1.40. oc adm top node
노드의 리소스 (CPU/메모리) 사용량 표시
사용 예
# Show metrics for all nodes oc adm top node # Show metrics for a given node oc adm top node NODE_NAME
2.8.1.41. oc adm top pod
Pod의 리소스 (CPU/메모리) 사용량 표시
사용 예
# Show metrics for all pods in the default namespace oc adm top pod # Show metrics for all pods in the given namespace oc adm top pod --namespace=NAMESPACE # Show metrics for a given pod and its containers oc adm top pod POD_NAME --containers # Show metrics for the pods defined by label name=myLabel oc adm top pod -l name=myLabel
2.8.1.42. oc adm uncordon
노드를 예약 가능으로 표시
사용 예
# Mark node "foo" as schedulable oc adm uncordon foo
2.8.1.43. oc adm upgrade
클러스터 업그레이드 또는 업그레이드 채널 조정
사용 예
# Review the available cluster updates oc adm upgrade # Update to the latest version oc adm upgrade --to-latest=true
2.8.1.44. oc adm verify-image-signature
이미지 서명에 포함된 이미지 ID 확인
사용 예
# Verify the image signature and identity using the local GPG keychain oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \ --expected-identity=registry.local:5000/foo/bar:v1 # Verify the image signature and identity using the local GPG keychain and save the status oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \ --expected-identity=registry.local:5000/foo/bar:v1 --save # Verify the image signature and identity via exposed registry route oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \ --expected-identity=registry.local:5000/foo/bar:v1 \ --registry-url=docker-registry.foo.com # Remove all signature verifications from the image oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --remove-all