2.7. OpenShift CLI 管理员命令参考

Build the dependency tree for the 'latest' tag in <image-stream>

  # Build the dependency tree for the 'latest' tag in <image-stream>
  oc adm build-chain <image-stream>

  # Build the dependency tree for the 'v2' tag in dot format and visualize it via the dot utility
  oc adm build-chain <image-stream>:v2 -o dot | dot -T svg -o deps.svg

  # Build the dependency tree across all namespaces for the specified image stream tag found in the 'test' namespace
  oc adm build-chain <image-stream> -n test --all

Mirror an operator-registry image and its contents to a registry

  # Mirror an operator-registry image and its contents to a registry
  oc adm catalog mirror quay.io/my/image:latest myregistry.com

  # Mirror an operator-registry image and its contents to a particular namespace in a registry
  oc adm catalog mirror quay.io/my/image:latest myregistry.com/my-namespace

  # Mirror to an airgapped registry by first mirroring to files
  oc adm catalog mirror quay.io/my/image:latest file:///local/index
  oc adm catalog mirror file:///local/index/my/image:latest my-airgapped-registry.com

  # Configure a cluster to use a mirrored registry
  oc apply -f manifests/imageDigestMirrorSet.yaml

  # Edit the mirroring mappings and mirror with "oc image mirror" manually
  oc adm catalog mirror --manifests-only quay.io/my/image:latest myregistry.com
  oc image mirror -f manifests/mapping.txt

  # Delete all ImageDigestMirrorSets generated by oc adm catalog mirror
  oc delete imagedigestmirrorset -l operators.openshift.org/catalog=true

Approve CSR 'csr-sqgzp'

  # Approve CSR 'csr-sqgzp'
  oc adm certificate approve csr-sqgzp

Deny CSR 'csr-sqgzp'

  # Deny CSR 'csr-sqgzp'
  oc adm certificate deny csr-sqgzp

Copy a new bootstrap kubeconfig file to node-0

  # Copy a new bootstrap kubeconfig file to node-0
  oc adm copy-to-node --copy=new-bootstrap-kubeconfig=/etc/kubernetes/kubeconfig node/node-0

Mark node "foo" as unschedulable

  # Mark node "foo" as unschedulable
  oc adm cordon foo

Output a bootstrap project template in YAML format to stdout

  # Output a bootstrap project template in YAML format to stdout
  oc adm create-bootstrap-project-template -o yaml

Output a template for the error page to stdout

  # Output a template for the error page to stdout
  oc adm create-error-template

Output a template for the login page to stdout

  # Output a template for the login page to stdout
  oc adm create-login-template

Output a template for the provider selection page to stdout

  # Output a template for the provider selection page to stdout
  oc adm create-provider-selection-template

Drain node "foo", even if there are pods not managed by a replication controller, replica set, job, daemon set, or stateful set on it

  # Drain node "foo", even if there are pods not managed by a replication controller, replica set, job, daemon set, or stateful set on it
  oc adm drain foo --force

  # As above, but abort if there are pods not managed by a replication controller, replica set, job, daemon set, or stateful set, and use a grace period of 15 minutes
  oc adm drain foo --grace-period=900

Add user1 and user2 to my-group

  # Add user1 and user2 to my-group
  oc adm groups add-users my-group user1 user2

Add a group with no users

  # Add a group with no users
  oc adm groups new my-group

  # Add a group with two users
  oc adm groups new my-group user1 user2

  # Add a group with one user and shorter output
  oc adm groups new my-group user1 -o name

Prune all orphaned groups

  # Prune all orphaned groups
  oc adm groups prune --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Prune all orphaned groups except the ones from the denylist file
  oc adm groups prune --blacklist=/path/to/denylist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Prune all orphaned groups from a list of specific groups specified in an allowlist file
  oc adm groups prune --whitelist=/path/to/allowlist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Prune all orphaned groups from a list of specific groups specified in a list
  oc adm groups prune groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm

Remove user1 and user2 from my-group

  # Remove user1 and user2 from my-group
  oc adm groups remove-users my-group user1 user2

Sync all groups with an LDAP server

  # Sync all groups with an LDAP server
  oc adm groups sync --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Sync all groups except the ones from the blacklist file with an LDAP server
  oc adm groups sync --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Sync specific groups specified in an allowlist file with an LDAP server
  oc adm groups sync --whitelist=/path/to/allowlist.txt --sync-config=/path/to/sync-config.yaml --confirm

  # Sync all OpenShift groups that have been synced previously with an LDAP server
  oc adm groups sync --type=openshift --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Sync specific OpenShift groups if they have been synced previously with an LDAP server
  oc adm groups sync groups/group1 groups/group2 groups/group3 --sync-config=/path/to/sync-config.yaml --confirm

Collect debugging data for the "openshift-apiserver" clusteroperator

  # Collect debugging data for the "openshift-apiserver" clusteroperator
  oc adm inspect clusteroperator/openshift-apiserver

  # Collect debugging data for the "openshift-apiserver" and "kube-apiserver" clusteroperators
  oc adm inspect clusteroperator/openshift-apiserver clusteroperator/kube-apiserver

  # Collect debugging data for all clusteroperators
  oc adm inspect clusteroperator

  # Collect debugging data for all clusteroperators and clusterversions
  oc adm inspect clusteroperators,clusterversions

Update the imagecontentsourcepolicy.yaml file to a new imagedigestmirrorset file under the mydir directory

  # Update the imagecontentsourcepolicy.yaml file to a new imagedigestmirrorset file under the mydir directory
  oc adm migrate icsp imagecontentsourcepolicy.yaml --dest-dir mydir

Perform a dry-run of updating all objects

  # Perform a dry-run of updating all objects
  oc adm migrate template-instances

  # To actually perform the update, the confirm flag must be appended
  oc adm migrate template-instances --confirm

Gather information using the default plug-in image and command, writing into ./must-gather.local.<rand>

  # Gather information using the default plug-in image and command, writing into ./must-gather.local.<rand>
  oc adm must-gather

  # Gather information with a specific local folder to copy to
  oc adm must-gather --dest-dir=/local/directory

  # Gather audit information
  oc adm must-gather -- /usr/bin/gather_audit_logs

  # Gather information using multiple plug-in images
  oc adm must-gather --image=quay.io/kubevirt/must-gather --image=quay.io/openshift/origin-must-gather

  # Gather information using a specific image stream plug-in
  oc adm must-gather --image-stream=openshift/must-gather:latest

  # Gather information using a specific image, command, and pod directory
  oc adm must-gather --image=my/image:tag --source-dir=/pod/directory -- myspecial-command.sh

Create a new project using a node selector

  # Create a new project using a node selector
  oc adm new-project myproject --node-selector='type=user-node,region=east'

Create the ISO image and download it in the current folder

  # Create the ISO image and download it in the current folder
  oc adm node-image create

  # Use a different assets folder
  oc adm node-image create --dir=/tmp/assets

  # Specify a custom image name
  oc adm node-image create -o=my-node.iso

  # Create an ISO to add a single node without using the configuration file
  oc adm node-image create --mac-address=00:d8:e7:c7:4b:bb

  # Create an ISO to add a single node with a root device hint and without
  # using the configuration file
  oc adm node-image create --mac-address=00:d8:e7:c7:4b:bb --root-device-hint=deviceName:/dev/sda

Monitor a single node being added to a cluster

  # Monitor a single node being added to a cluster
  oc adm node-image monitor --ip-addresses 192.168.111.83

  # Monitor multiple nodes being added to a cluster by separating each
  IP address with a comma
  oc adm node-image monitor --ip-addresses 192.168.111.83,192.168.111.84

Show kubelet logs from all control plane nodes

  # Show kubelet logs from all control plane nodes
  oc adm node-logs --role master -u kubelet

  # See what logs are available in control plane nodes in /var/log
  oc adm node-logs --role master --path=/

  # Display cron log file from all control plane nodes
  oc adm node-logs --role master --path=cron

Watch platform certificates

  # Watch platform certificates
  oc adm ocp-certificates monitor-certificates

Regenerate a leaf certificate contained in a particular secret

  # Regenerate a leaf certificate contained in a particular secret
  oc adm ocp-certificates regenerate-leaf -n openshift-config-managed secret/kube-controller-manager-client-cert-key

Regenerate the MCO certs without modifying user-data secrets

  # Regenerate the MCO certs without modifying user-data secrets
  oc adm ocp-certificates regenerate-machine-config-server-serving-cert --update-ignition=false

  # Update the user-data secrets to use new MCS certs
  oc adm ocp-certificates update-ignition-ca-bundle-for-machine-config-server

Regenerate the signing certificate contained in a particular secret

  # Regenerate the signing certificate contained in a particular secret
  oc adm ocp-certificates regenerate-top-level -n openshift-kube-apiserver-operator secret/loadbalancer-serving-signer-key

Remove a trust bundled contained in a particular config map

  # Remove a trust bundled contained in a particular config map
  oc adm ocp-certificates remove-old-trust -n openshift-config-managed configmaps/kube-apiserver-aggregator-client-ca --created-before 2023-06-05T14:44:06Z

  #  Remove only CA certificates created before a certain date from all trust bundles
  oc adm ocp-certificates remove-old-trust configmaps -A --all --created-before 2023-06-05T14:44:06Z

Regenerate the MCO certs without modifying user-data secrets

  # Regenerate the MCO certs without modifying user-data secrets
  oc adm ocp-certificates regenerate-machine-config-server-serving-cert --update-ignition=false

  # Update the user-data secrets to use new MCS certs
  oc adm ocp-certificates update-ignition-ca-bundle-for-machine-config-server

Provide isolation for project p1

  # Provide isolation for project p1
  oc adm pod-network isolate-projects <p1>

  # Allow all projects with label name=top-secret to have their own isolated project network
  oc adm pod-network isolate-projects --selector='name=top-secret'

Allow project p2 to use project p1 network

  # Allow project p2 to use project p1 network
  oc adm pod-network join-projects --to=<p1> <p2>

  # Allow all projects with label name=top-secret to use project p1 network
  oc adm pod-network join-projects --to=<p1> --selector='name=top-secret'

Allow project p1 to access all pods in the cluster and vice versa

  # Allow project p1 to access all pods in the cluster and vice versa
  oc adm pod-network make-projects-global <p1>

  # Allow all projects with label name=share to access all pods in the cluster and vice versa
  oc adm pod-network make-projects-global --selector='name=share'

Add the 'cluster-admin' cluster role to the 'cluster-admins' group

  # Add the 'cluster-admin' cluster role to the 'cluster-admins' group
  oc adm policy add-cluster-role-to-group cluster-admin cluster-admins

Add the 'system:build-strategy-docker' cluster role to the 'devuser' user

  # Add the 'system:build-strategy-docker' cluster role to the 'devuser' user
  oc adm policy add-cluster-role-to-user system:build-strategy-docker devuser

Add the 'view' role to user1 for the current project

  # Add the 'view' role to user1 for the current project
  oc adm policy add-role-to-user view user1

  # Add the 'edit' role to serviceaccount1 for the current project
  oc adm policy add-role-to-user edit -z serviceaccount1

Add the 'restricted' security context constraint to group1 and group2

  # Add the 'restricted' security context constraint to group1 and group2
  oc adm policy add-scc-to-group restricted group1 group2

Add the 'restricted' security context constraint to user1 and user2

  # Add the 'restricted' security context constraint to user1 and user2
  oc adm policy add-scc-to-user restricted user1 user2

  # Add the 'privileged' security context constraint to serviceaccount1 in the current namespace
  oc adm policy add-scc-to-user privileged -z serviceaccount1

Remove the 'cluster-admin' cluster role from the 'cluster-admins' group

  # Remove the 'cluster-admin' cluster role from the 'cluster-admins' group
  oc adm policy remove-cluster-role-from-group cluster-admin cluster-admins

Remove the 'system:build-strategy-docker' cluster role from the 'devuser' user

  # Remove the 'system:build-strategy-docker' cluster role from the 'devuser' user
  oc adm policy remove-cluster-role-from-user system:build-strategy-docker devuser

Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml

  # Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml
  # Service Account specified in myresource.yaml file is ignored
  oc adm policy scc-review -z sa1,sa2 -f my_resource.yaml

  # Check whether service accounts system:serviceaccount:bob:default can admit a pod with a template pod spec specified in my_resource.yaml
  oc adm policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml

  # Check whether the service account specified in my_resource_with_sa.yaml can admit the pod
  oc adm policy scc-review -f my_resource_with_sa.yaml

  # Check whether the default service account can admit the pod; default is taken since no service account is defined in myresource_with_no_sa.yaml
  oc adm policy scc-review -f myresource_with_no_sa.yaml

Check whether user bob can create a pod specified in myresource.yaml

  # Check whether user bob can create a pod specified in myresource.yaml
  oc adm policy scc-subject-review -u bob -f myresource.yaml

  # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml
  oc adm policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml

  # Check whether a service account specified in the pod template spec in myresourcewithsa.yaml can create the pod
  oc adm policy scc-subject-review -f myresourcewithsa.yaml

Dry run deleting older completed and failed builds and also including

  # Dry run deleting older completed and failed builds and also including
  # all builds whose associated build config no longer exists
  oc adm prune builds --orphans

  # To actually perform the prune operation, the confirm flag must be appended
  oc adm prune builds --orphans --confirm

Dry run deleting all but the last complete deployment for every deployment config

  # Dry run deleting all but the last complete deployment for every deployment config
  oc adm prune deployments --keep-complete=1

  # To actually perform the prune operation, the confirm flag must be appended
  oc adm prune deployments --keep-complete=1 --confirm

Prune all orphaned groups

  # Prune all orphaned groups
  oc adm prune groups --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Prune all orphaned groups except the ones from the denylist file
  oc adm prune groups --blacklist=/path/to/denylist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Prune all orphaned groups from a list of specific groups specified in an allowlist file
  oc adm prune groups --whitelist=/path/to/allowlist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Prune all orphaned groups from a list of specific groups specified in a list
  oc adm prune groups groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm

See what the prune command would delete if only images and their referrers were more than an hour old

  # See what the prune command would delete if only images and their referrers were more than an hour old
  # and obsoleted by 3 newer revisions under the same tag were considered
  oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m

  # To actually perform the prune operation, the confirm flag must be appended
  oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm

  # See what the prune command would delete if we are interested in removing images
  # exceeding currently set limit ranges ('openshift.io/Image')
  oc adm prune images --prune-over-size-limit

  # To actually perform the prune operation, the confirm flag must be appended
  oc adm prune images --prune-over-size-limit --confirm

  # Force the insecure HTTP protocol with the particular registry host name
  oc adm prune images --registry-url=http://registry.example.org --confirm

  # Force a secure connection with a custom certificate authority to the particular registry host name
  oc adm prune images --registry-url=registry.example.org --certificate-authority=/path/to/custom/ca.crt --confirm

See what the prune command would delete if run with no options

  # See what the prune command would delete if run with no options
  oc adm prune renderedmachineconfigs

  # To actually perform the prune operation, the confirm flag must be appended
  oc adm prune renderedmachineconfigs --confirm

  # See what the prune command would delete if run on the worker MachineConfigPool
  oc adm prune renderedmachineconfigs --pool-name=worker

  # Prunes 10 oldest rendered MachineConfigs in the cluster
  oc adm prune renderedmachineconfigs --count=10 --confirm

  # Prunes 10 oldest rendered MachineConfigs in the cluster for the worker MachineConfigPool
  oc adm prune renderedmachineconfigs --count=10 --pool-name=worker --confirm

List all rendered MachineConfigs for the worker MachineConfigPool in the cluster

  # List all rendered MachineConfigs for the worker MachineConfigPool in the cluster
  oc adm prune renderedmachineconfigs list --pool-name=worker

  # List all rendered MachineConfigs in use by the cluster's MachineConfigPools
  oc adm prune renderedmachineconfigs list --in-use

Reboot all MachineConfigPools

  # Reboot all MachineConfigPools
  oc adm reboot-machine-config-pool mcp/worker mcp/master

  # Reboot all MachineConfigPools that inherit from worker.  This include all custom MachineConfigPools and infra.
  oc adm reboot-machine-config-pool mcp/worker

  # Reboot masters
  oc adm reboot-machine-config-pool mcp/master

Use git to check out the source code for the current cluster release to DIR

  # Use git to check out the source code for the current cluster release to DIR
  oc adm release extract --git=DIR

  # Extract cloud credential requests for AWS
  oc adm release extract --credentials-requests --cloud=aws

  # Use git to check out the source code for the current cluster release to DIR from linux/s390x image
  # Note: Wildcard filter is not supported; pass a single os/arch to extract
  oc adm release extract --git=DIR quay.io/openshift-release-dev/ocp-release:4.11.2 --filter-by-os=linux/s390x

Show information about the cluster's current release

  # Show information about the cluster's current release
  oc adm release info

  # Show the source code that comprises a release
  oc adm release info 4.11.2 --commit-urls

  # Show the source code difference between two releases
  oc adm release info 4.11.0 4.11.2 --commits

  # Show where the images referenced by the release are located
  oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.2 --pullspecs

  # Show information about linux/s390x image
  # Note: Wildcard filter is not supported; pass a single os/arch to extract
  oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.2 --filter-by-os=linux/s390x

Perform a dry run showing what would be mirrored, including the mirror objects

  # Perform a dry run showing what would be mirrored, including the mirror objects
  oc adm release mirror 4.11.0 --to myregistry.local/openshift/release \
  --release-image-signature-to-dir /tmp/releases --dry-run

  # Mirror a release into the current directory
  oc adm release mirror 4.11.0 --to file://openshift/release \
  --release-image-signature-to-dir /tmp/releases

  # Mirror a release to another directory in the default location
  oc adm release mirror 4.11.0 --to-dir /tmp/releases

  # Upload a release from the current directory to another server
  oc adm release mirror --from file://openshift/release --to myregistry.com/openshift/release \
  --release-image-signature-to-dir /tmp/releases

  # Mirror the 4.11.0 release to repository registry.example.com and apply signatures to connected cluster
  oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release:4.11.0-x86_64 \
  --to=registry.example.com/your/repository --apply-release-image-signature

Create a release from the latest origin images and push to a DockerHub repository

  # Create a release from the latest origin images and push to a DockerHub repository
  oc adm release new --from-image-stream=4.11 -n origin --to-image docker.io/mycompany/myrepo:latest

  # Create a new release with updated metadata from a previous release
  oc adm release new --from-release registry.ci.openshift.org/origin/release:v4.11 --name 4.11.1 \
  --previous 4.11.0 --metadata ... --to-image docker.io/mycompany/myrepo:latest

  # Create a new release and override a single image
  oc adm release new --from-release registry.ci.openshift.org/origin/release:v4.11 \
  cli=docker.io/mycompany/cli:latest --to-image docker.io/mycompany/myrepo:latest

  # Run a verification pass to ensure the release can be reproduced
  oc adm release new --from-release registry.ci.openshift.org/origin/release:v4.11

Restart all the nodes, 10% at a time

  # Restart all the nodes, 10% at a time
  oc adm restart-kubelet nodes --all --directive=RemoveKubeletKubeconfig

  # Restart all the nodes, 20 nodes at a time
  oc adm restart-kubelet nodes --all --parallelism=20 --directive=RemoveKubeletKubeconfig

  # Restart all the nodes, 15% at a time
  oc adm restart-kubelet nodes --all --parallelism=15% --directive=RemoveKubeletKubeconfig

  # Restart all the masters at the same time
  oc adm restart-kubelet nodes -l node-role.kubernetes.io/master --parallelism=100% --directive=RemoveKubeletKubeconfig

Update node 'foo' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule'

  # Update node 'foo' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule'
  # If a taint with that key and effect already exists, its value is replaced as specified
  oc adm taint nodes foo dedicated=special-user:NoSchedule

  # Remove from node 'foo' the taint with key 'dedicated' and effect 'NoSchedule' if one exists
  oc adm taint nodes foo dedicated:NoSchedule-

  # Remove from node 'foo' all the taints with key 'dedicated'
  oc adm taint nodes foo dedicated-

  # Add a taint with key 'dedicated' on nodes having label myLabel=X
  oc adm taint node -l myLabel=X  dedicated=foo:PreferNoSchedule

  # Add to node 'foo' a taint with key 'bar' and no value
  oc adm taint nodes foo bar:NoSchedule

Show usage statistics for images

  # Show usage statistics for images
  oc adm top images

Show usage statistics for image streams

  # Show usage statistics for image streams
  oc adm top imagestreams

Show metrics for all nodes

  # Show metrics for all nodes
  oc adm top node

  # Show metrics for a given node
  oc adm top node NODE_NAME

Show metrics for all pods in the default namespace

  # Show metrics for all pods in the default namespace
  oc adm top pod

  # Show metrics for all pods in the given namespace
  oc adm top pod --namespace=NAMESPACE

  # Show metrics for a given pod and its containers
  oc adm top pod POD_NAME --containers

  # Show metrics for the pods defined by label name=myLabel
  oc adm top pod -l name=myLabel

Mark node "foo" as schedulable

  # Mark node "foo" as schedulable
  oc adm uncordon foo

View the update status and available cluster updates

  # View the update status and available cluster updates
  oc adm upgrade

  # Update to the latest version
  oc adm upgrade --to-latest=true

Verify the image signature and identity using the local GPG keychain

  # Verify the image signature and identity using the local GPG keychain
  oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
  --expected-identity=registry.local:5000/foo/bar:v1

  # Verify the image signature and identity using the local GPG keychain and save the status
  oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
  --expected-identity=registry.local:5000/foo/bar:v1 --save

  # Verify the image signature and identity via exposed registry route
  oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
  --expected-identity=registry.local:5000/foo/bar:v1 \
  --registry-url=docker-registry.foo.com

  # Remove all signature verifications from the image
  oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --remove-all

Wait for all nodes to complete a requested reboot from 'oc adm reboot-machine-config-pool mcp/worker mcp/master'

  # Wait for all nodes to complete a requested reboot from 'oc adm reboot-machine-config-pool mcp/worker mcp/master'
  oc adm wait-for-node-reboot nodes --all

  # Wait for masters to complete a requested reboot from 'oc adm reboot-machine-config-pool mcp/master'
  oc adm wait-for-node-reboot nodes -l node-role.kubernetes.io/master

  # Wait for masters to complete a specific reboot
  oc adm wait-for-node-reboot nodes -l node-role.kubernetes.io/master --reboot-number=4

Wait for all cluster operators to become stable

  # Wait for all cluster operators to become stable
  oc adm wait-for-stable-cluster

  # Consider operators to be stable if they report as such for 5 minutes straight
  oc adm wait-for-stable-cluster --minimum-stable-period 5m