2.8. OpenShift CLI 管理员命令参考
本参考提供了 OpenShift CLI(oc
)管理员命令的描述和示例命令。您必须具有 cluster-admin
或同等权限才能使用这些命令。
如需开发人员命令,请参阅 OpenShift CLI 开发人员命令参考。
运行 oc adm -h
以列出所有管理员命令或运行 oc <command> --help
获取特定命令的更多详情。
2.8.1. OpenShift CLI(oc)管理员命令
2.8.1.1. oc adm build-chain
输出构建的输入和依赖项
用法示例
# Build the dependency tree for the 'latest' tag in <image-stream> oc adm build-chain <image-stream> # Build the dependency tree for the 'v2' tag in dot format and visualize it via the dot utility oc adm build-chain <image-stream>:v2 -o dot | dot -T svg -o deps.svg # Build the dependency tree across all namespaces for the specified image stream tag found in the 'test' namespace oc adm build-chain <image-stream> -n test --all
2.8.1.2. oc adm catalog mirror
镜像 operator-registry 目录
用法示例
# Mirror an operator-registry image and its contents to a registry oc adm catalog mirror quay.io/my/image:latest myregistry.com # Mirror an operator-registry image and its contents to a particular namespace in a registry oc adm catalog mirror quay.io/my/image:latest myregistry.com/my-namespace # Mirror to an airgapped registry by first mirroring to files oc adm catalog mirror quay.io/my/image:latest file:///local/index oc adm catalog mirror file:///local/index/my/image:latest my-airgapped-registry.com # Configure a cluster to use a mirrored registry oc apply -f manifests/imageContentSourcePolicy.yaml # Edit the mirroring mappings and mirror with "oc image mirror" manually oc adm catalog mirror --manifests-only quay.io/my/image:latest myregistry.com oc image mirror -f manifests/mapping.txt # Delete all ImageContentSourcePolicies generated by oc adm catalog mirror oc delete imagecontentsourcepolicy -l operators.openshift.org/catalog=true
2.8.1.3. oc adm 证书批准
批准证书签名请求
用法示例
# Approve CSR 'csr-sqgzp' oc adm certificate approve csr-sqgzp
2.8.1.4. oc adm 证书拒绝
拒绝证书签名请求
用法示例
# Deny CSR 'csr-sqgzp' oc adm certificate deny csr-sqgzp
2.8.1.5. oc adm cordon
将节点标记为不可调度
用法示例
# Mark node "foo" as unschedulable oc adm cordon foo
2.8.1.6. oc adm create-bootstrap-project-template
创建 bootstrap 项目模板
用法示例
# Output a bootstrap project template in YAML format to stdout oc adm create-bootstrap-project-template -o yaml
2.8.1.7. oc adm create-error-template
创建错误页面模板
用法示例
# Output a template for the error page to stdout oc adm create-error-template
2.8.1.8. oc adm create-login-template
创建登录模板
用法示例
# Output a template for the login page to stdout oc adm create-login-template
2.8.1.9. oc adm create-provider-selection-template
创建供应商选择模板
用法示例
# Output a template for the provider selection page to stdout oc adm create-provider-selection-template
2.8.1.10. oc adm drain
排空节点以准备进行维护
用法示例
# Drain node "foo", even if there are pods not managed by a replication controller, replica set, job, daemon set or stateful set on it oc adm drain foo --force # As above, but abort if there are pods not managed by a replication controller, replica set, job, daemon set or stateful set, and use a grace period of 15 minutes oc adm drain foo --grace-period=900
2.8.1.11. oc adm groups add-users
将用户添加到组
用法示例
# Add user1 and user2 to my-group oc adm groups add-users my-group user1 user2
2.8.1.12. oc adm groups new
创建一个新组
用法示例
# Add a group with no users oc adm groups new my-group # Add a group with two users oc adm groups new my-group user1 user2 # Add a group with one user and shorter output oc adm groups new my-group user1 -o name
2.8.1.13. oc adm groups prune
从外部提供程序中删除引用缺失记录的旧 OpenShift 组
用法示例
# Prune all orphaned groups oc adm groups prune --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups except the ones from the blacklist file oc adm groups prune --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist file oc adm groups prune --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist oc adm groups prune groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm
2.8.1.14. oc adm groups remove-users
从组中删除用户
用法示例
# Remove user1 and user2 from my-group oc adm groups remove-users my-group user1 user2
2.8.1.15. oc adm groups sync
将 OpenShift 组与来自外部提供程序的记录同步
用法示例
# Sync all groups with an LDAP server oc adm groups sync --sync-config=/path/to/ldap-sync-config.yaml --confirm # Sync all groups except the ones from the blacklist file with an LDAP server oc adm groups sync --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Sync specific groups specified in a whitelist file with an LDAP server oc adm groups sync --whitelist=/path/to/whitelist.txt --sync-config=/path/to/sync-config.yaml --confirm # Sync all OpenShift groups that have been synced previously with an LDAP server oc adm groups sync --type=openshift --sync-config=/path/to/ldap-sync-config.yaml --confirm # Sync specific OpenShift groups if they have been synced previously with an LDAP server oc adm groups sync groups/group1 groups/group2 groups/group3 --sync-config=/path/to/sync-config.yaml --confirm
2.8.1.16. oc adm inspect
为给定资源收集调试数据
用法示例
# Collect debugging data for the "openshift-apiserver" clusteroperator oc adm inspect clusteroperator/openshift-apiserver # Collect debugging data for the "openshift-apiserver" and "kube-apiserver" clusteroperators oc adm inspect clusteroperator/openshift-apiserver clusteroperator/kube-apiserver # Collect debugging data for all clusteroperators oc adm inspect clusteroperator # Collect debugging data for all clusteroperators and clusterversions oc adm inspect clusteroperators,clusterversions
2.8.1.17. oc adm migrate icsp
将 imagecontentsourcepolicy 文件更新为 imagedigestmirrorset 文件。
用法示例
# update the imagecontentsourcepolicy.yaml to new imagedigestmirrorset file under directory mydir oc adm migrate icsp imagecontentsourcepolicy.yaml --dest-dir mydir
2.8.1.18. oc adm migrate template-instances
更新模板实例以指向最新的 group-version-kinds
用法示例
# Perform a dry-run of updating all objects oc adm migrate template-instances # To actually perform the update, the confirm flag must be appended oc adm migrate template-instances --confirm
2.8.1.19. oc adm must-gather
启动用于收集调试信息的 pod 的新实例
用法示例
# Gather information using the default plug-in image and command, writing into ./must-gather.local.<rand> oc adm must-gather # Gather information with a specific local folder to copy to oc adm must-gather --dest-dir=/local/directory # Gather audit information oc adm must-gather -- /usr/bin/gather_audit_logs # Gather information using multiple plug-in images oc adm must-gather --image=quay.io/kubevirt/must-gather --image=quay.io/openshift/origin-must-gather # Gather information using a specific image stream plug-in oc adm must-gather --image-stream=openshift/must-gather:latest # Gather information using a specific image, command, and pod-dir oc adm must-gather --image=my/image:tag --source-dir=/pod/directory -- myspecial-command.sh
2.8.1.20. oc adm new-project
创建新项目
用法示例
# Create a new project using a node selector oc adm new-project myproject --node-selector='type=user-node,region=east'
2.8.1.21. oc adm node-logs
显示和过滤节点日志
用法示例
# Show kubelet logs from all masters oc adm node-logs --role master -u kubelet # See what logs are available in masters in /var/logs oc adm node-logs --role master --path=/ # Display cron log file from all masters oc adm node-logs --role master --path=cron
2.8.1.22. oc adm pod-network isolate-projects
隔离项目网络
用法示例
# Provide isolation for project p1 oc adm pod-network isolate-projects <p1> # Allow all projects with label name=top-secret to have their own isolated project network oc adm pod-network isolate-projects --selector='name=top-secret'
2.8.1.23. oc adm pod-network join-projects
加入项目网络
用法示例
# Allow project p2 to use project p1 network oc adm pod-network join-projects --to=<p1> <p2> # Allow all projects with label name=top-secret to use project p1 network oc adm pod-network join-projects --to=<p1> --selector='name=top-secret'
2.8.1.24. oc adm pod-network make-projects-global
使项目网络为全局有效
用法示例
# Allow project p1 to access all pods in the cluster and vice versa oc adm pod-network make-projects-global <p1> # Allow all projects with label name=share to access all pods in the cluster and vice versa oc adm pod-network make-projects-global --selector='name=share'
2.8.1.25. oc adm policy add-role-to-user
为当前项目的用户或服务帐户添加角色
用法示例
# Add the 'view' role to user1 for the current project oc adm policy add-role-to-user view user1 # Add the 'edit' role to serviceaccount1 for the current project oc adm policy add-role-to-user edit -z serviceaccount1
2.8.1.26. oc adm policy add-scc-to-group
为组添加安全性上下文约束
用法示例
# Add the 'restricted' security context constraint to group1 and group2 oc adm policy add-scc-to-group restricted group1 group2
2.8.1.27. oc adm policy add-scc-to-user
为用户或服务帐户添加安全性上下文约束
用法示例
# Add the 'restricted' security context constraint to user1 and user2 oc adm policy add-scc-to-user restricted user1 user2 # Add the 'privileged' security context constraint to serviceaccount1 in the current namespace oc adm policy add-scc-to-user privileged -z serviceaccount1
2.8.1.28. oc adm policy scc-review
检查哪个服务帐户可以创建 pod
用法示例
# Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml # Service Account specified in myresource.yaml file is ignored oc adm policy scc-review -z sa1,sa2 -f my_resource.yaml # Check whether service accounts system:serviceaccount:bob:default can admit a pod with a template pod spec specified in my_resource.yaml oc adm policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml # Check whether the service account specified in my_resource_with_sa.yaml can admit the pod oc adm policy scc-review -f my_resource_with_sa.yaml # Check whether the default service account can admit the pod; default is taken since no service account is defined in myresource_with_no_sa.yaml oc adm policy scc-review -f myresource_with_no_sa.yaml
2.8.1.29. oc adm policy scc-subject-review
检查用户或服务帐户是否可以创建 pod
用法示例
# Check whether user bob can create a pod specified in myresource.yaml oc adm policy scc-subject-review -u bob -f myresource.yaml # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml oc adm policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml # Check whether a service account specified in the pod template spec in myresourcewithsa.yaml can create the pod oc adm policy scc-subject-review -f myresourcewithsa.yaml
2.8.1.30. oc adm prune builds
删除旧的完成和失败的构建
用法示例
# Dry run deleting older completed and failed builds and also including # all builds whose associated build config no longer exists oc adm prune builds --orphans # To actually perform the prune operation, the confirm flag must be appended oc adm prune builds --orphans --confirm
2.8.1.31. oc adm prune deployments
删除旧的完成和失败的部署配置
用法示例
# Dry run deleting all but the last complete deployment for every deployment config oc adm prune deployments --keep-complete=1 # To actually perform the prune operation, the confirm flag must be appended oc adm prune deployments --keep-complete=1 --confirm
2.8.1.32. oc adm prune groups
从外部提供程序中删除引用缺失记录的旧 OpenShift 组
用法示例
# Prune all orphaned groups oc adm prune groups --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups except the ones from the blacklist file oc adm prune groups --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist file oc adm prune groups --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist oc adm prune groups groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm
2.8.1.33. oc adm prune images
删除未引用的镜像
用法示例
# See what the prune command would delete if only images and their referrers were more than an hour old # and obsoleted by 3 newer revisions under the same tag were considered oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m # To actually perform the prune operation, the confirm flag must be appended oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm # See what the prune command would delete if we are interested in removing images # exceeding currently set limit ranges ('openshift.io/Image') oc adm prune images --prune-over-size-limit # To actually perform the prune operation, the confirm flag must be appended oc adm prune images --prune-over-size-limit --confirm # Force the insecure http protocol with the particular registry host name oc adm prune images --registry-url=http://registry.example.org --confirm # Force a secure connection with a custom certificate authority to the particular registry host name oc adm prune images --registry-url=registry.example.org --certificate-authority=/path/to/custom/ca.crt --confirm
2.8.1.34. oc adm release extract
将更新有效负载的内容提取到磁盘
用法示例
# Use git to check out the source code for the current cluster release to DIR oc adm release extract --git=DIR # Extract cloud credential requests for AWS oc adm release extract --credentials-requests --cloud=aws # Use git to check out the source code for the current cluster release to DIR from linux/s390x image # Note: Wildcard filter is not supported. Pass a single os/arch to extract oc adm release extract --git=DIR quay.io/openshift-release-dev/ocp-release:4.11.2 --filter-by-os=linux/s390x
2.8.1.35. oc adm release info
显示发行版本的信息
用法示例
# Show information about the cluster's current release oc adm release info # Show the source code that comprises a release oc adm release info 4.11.2 --commit-urls # Show the source code difference between two releases oc adm release info 4.11.0 4.11.2 --commits # Show where the images referenced by the release are located oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.2 --pullspecs # Show information about linux/s390x image # Note: Wildcard filter is not supported. Pass a single os/arch to extract oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.2 --filter-by-os=linux/s390x
2.8.1.36. oc adm release mirror
将发行版本 mirror 到不同的镜像 registry 位置
用法示例
# Perform a dry run showing what would be mirrored, including the mirror objects oc adm release mirror 4.11.0 --to myregistry.local/openshift/release \ --release-image-signature-to-dir /tmp/releases --dry-run # Mirror a release into the current directory oc adm release mirror 4.11.0 --to file://openshift/release \ --release-image-signature-to-dir /tmp/releases # Mirror a release to another directory in the default location oc adm release mirror 4.11.0 --to-dir /tmp/releases # Upload a release from the current directory to another server oc adm release mirror --from file://openshift/release --to myregistry.com/openshift/release \ --release-image-signature-to-dir /tmp/releases # Mirror the 4.11.0 release to repository registry.example.com and apply signatures to connected cluster oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release:4.11.0-x86_64 \ --to=registry.example.com/your/repository --apply-release-image-signature
2.8.1.37. oc adm release new
创建新的 OpenShift 发行版本
用法示例
# Create a release from the latest origin images and push to a DockerHub repo oc adm release new --from-image-stream=4.11 -n origin --to-image docker.io/mycompany/myrepo:latest # Create a new release with updated metadata from a previous release oc adm release new --from-release registry.ci.openshift.org/origin/release:v4.11 --name 4.11.1 \ --previous 4.11.0 --metadata ... --to-image docker.io/mycompany/myrepo:latest # Create a new release and override a single image oc adm release new --from-release registry.ci.openshift.org/origin/release:v4.11 \ cli=docker.io/mycompany/cli:latest --to-image docker.io/mycompany/myrepo:latest # Run a verification pass to ensure the release can be reproduced oc adm release new --from-release registry.ci.openshift.org/origin/release:v4.11
2.8.1.38. oc adm taint
更新一个或多个节点上的污点
用法示例
# Update node 'foo' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule' # If a taint with that key and effect already exists, its value is replaced as specified oc adm taint nodes foo dedicated=special-user:NoSchedule # Remove from node 'foo' the taint with key 'dedicated' and effect 'NoSchedule' if one exists oc adm taint nodes foo dedicated:NoSchedule- # Remove from node 'foo' all the taints with key 'dedicated' oc adm taint nodes foo dedicated- # Add a taint with key 'dedicated' on nodes having label mylabel=X oc adm taint node -l myLabel=X dedicated=foo:PreferNoSchedule # Add to node 'foo' a taint with key 'bar' and no value oc adm taint nodes foo bar:NoSchedule
2.8.1.39. oc adm top images
显示镜像的用量统计
用法示例
# Show usage statistics for images oc adm top images
2.8.1.40. oc adm top imagestreams
显示镜像流的用量统计
用法示例
# Show usage statistics for image streams oc adm top imagestreams
2.8.1.41. oc adm top node
显示节点的资源(CPU/内存)使用情况
用法示例
# Show metrics for all nodes oc adm top node # Show metrics for a given node oc adm top node NODE_NAME
2.8.1.42. oc adm top pod
显示 pod 的资源(CPU/内存)使用情况
用法示例
# Show metrics for all pods in the default namespace oc adm top pod # Show metrics for all pods in the given namespace oc adm top pod --namespace=NAMESPACE # Show metrics for a given pod and its containers oc adm top pod POD_NAME --containers # Show metrics for the pods defined by label name=myLabel oc adm top pod -l name=myLabel
2.8.1.43. oc adm uncordon
将节点标记为可调度
用法示例
# Mark node "foo" as schedulable oc adm uncordon foo
2.8.1.44. oc adm upgrade
升级集群或调整升级频道
用法示例
# Review the available cluster updates oc adm upgrade # Update to the latest version oc adm upgrade --to-latest=true
2.8.1.45. oc adm verify-image-signature
验证镜像签名中包含的镜像身份
用法示例
# Verify the image signature and identity using the local GPG keychain oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \ --expected-identity=registry.local:5000/foo/bar:v1 # Verify the image signature and identity using the local GPG keychain and save the status oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \ --expected-identity=registry.local:5000/foo/bar:v1 --save # Verify the image signature and identity via exposed registry route oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \ --expected-identity=registry.local:5000/foo/bar:v1 \ --registry-url=docker-registry.foo.com # Remove all signature verifications from the image oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --remove-all