:toc: macro :toc-title: toc::[] == oc adm build-chain Output the inputs and dependencies of your builds ==== [options="nowrap"] ---- # Build the dependency tree for the 'latest' tag in <image-stream> oc adm build-chain <image-stream> # Build the dependency tree for 'v2' tag in dot format and visualize it via the dot utility oc adm build-chain <image-stream>:v2 -o dot | dot -T svg -o deps.svg # Build the dependency tree across all namespaces for the specified image stream tag found in 'test' namespace oc adm build-chain <image-stream> -n test --all ---- ==== == oc adm ca decrypt Decrypt data encrypted with "oc adm ca encrypt" ==== [options="nowrap"] ---- # Decrypt an encrypted file to a cleartext file: oc adm ca decrypt --key=secret.key --in=secret.encrypted --out=secret.decrypted # Decrypt from stdin to stdout: oc adm ca decrypt --key=secret.key < secret2.encrypted > secret2.decrypted ---- ==== == oc adm ca encrypt Encrypt data with AES-256-CBC encryption ==== [options="nowrap"] ---- # Encrypt the content of secret.txt with a generated key: oc adm ca encrypt --genkey=secret.key --in=secret.txt --out=secret.encrypted # Encrypt the content of secret2.txt with an existing key: oc adm ca encrypt --key=secret.key < secret2.txt > secret2.encrypted ---- ==== == oc adm config Change configuration files for the client ==== [options="nowrap"] ---- # Change the config context to use oc adm config use-context my-context # Set the value of a config preference oc adm config set preferences.some true ---- ==== == oc adm config current-context Displays the current-context ==== [options="nowrap"] ---- # Display the current-context oc adm config current-context ---- ==== == oc adm config set-cluster Sets a cluster entry in kubeconfig ==== [options="nowrap"] ---- # Set only the server field on the e2e cluster entry without touching other values. oc adm config set-cluster e2e --server=https://1.2.3.4 # Embed certificate authority data for the e2e cluster entry oc adm config set-cluster e2e --certificate-authority=~/.kube/e2e/kubernetes.ca.crt # Disable cert checking for the dev cluster entry oc adm config set-cluster e2e --insecure-skip-tls-verify=true ---- ==== == oc adm config set-context Sets a context entry in kubeconfig ==== [options="nowrap"] ---- # Set the user field on the gce context entry without touching other values oc adm config set-context gce --user=cluster-admin ---- ==== == oc adm config set-credentials Sets a user entry in kubeconfig ==== [options="nowrap"] ---- # Set only the "client-key" field on the "cluster-admin" # entry, without touching other values: oc adm config set-credentials cluster-admin --client-key=~/.kube/admin.key # Set basic auth for the "cluster-admin" entry oc adm config set-credentials cluster-admin --username=admin --password=uXFGweU9l35qcif # Embed client certificate data in the "cluster-admin" entry oc adm config set-credentials cluster-admin --client-certificate=~/.kube/admin.crt --embed-certs=true ---- ==== == oc adm config view Displays merged kubeconfig settings or a specified kubeconfig file. ==== [options="nowrap"] ---- # Show Merged kubeconfig settings. oc adm config view # Get the password for the e2e user oc adm config view -o jsonpath='{.users[?(@.name == "e2e")].user.password}' ---- ==== == oc adm groups add-users Add users to a group ==== [options="nowrap"] ---- # Add user1 and user2 to my-group oc adm groups add-users my-group user1 user2 ---- ==== == oc adm groups new Create a new group ==== [options="nowrap"] ---- # Add a group with no users oc adm groups new my-group # Add a group with two users oc adm groups new my-group user1 user2 ---- ==== == oc adm groups prune Prune OpenShift groups referencing missing records on an external provider. ==== [options="nowrap"] ---- # Prune all orphaned groups oc adm groups prune --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups except the ones from the blacklist file oc adm groups prune --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist file oc adm groups prune --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist oc adm groups prune groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm ---- ==== == oc adm groups remove-users Remove users from a group ==== [options="nowrap"] ---- # Remove user1 and user2 from my-group oc adm groups remove-users my-group user1 user2 ---- ==== == oc adm groups sync Sync OpenShift groups with records from an external provider. ==== [options="nowrap"] ---- # Sync all groups from an LDAP server oc adm groups sync --sync-config=/path/to/ldap-sync-config.yaml --confirm # Sync all groups except the ones from the blacklist file from an LDAP server oc adm groups sync --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Sync specific groups specified in a whitelist file with an LDAP server oc adm groups sync --whitelist=/path/to/whitelist.txt --sync-config=/path/to/sync-config.yaml --confirm # Sync all OpenShift Groups that have been synced previously with an LDAP server oc adm groups sync --type=openshift --sync-config=/path/to/ldap-sync-config.yaml --confirm # Sync specific OpenShift Groups if they have been synced previously with an LDAP server oc adm groups sync groups/group1 groups/group2 groups/group3 --sync-config=/path/to/sync-config.yaml --confirm ---- ==== == oc adm ipfailover Install an IP failover group to a set of nodes ==== [options="nowrap"] ---- # Check the default IP failover configuration ("ipfailover"): oc adm ipfailover # See what the IP failover configuration would look like if it is created: oc adm ipfailover -o json # Create an IP failover configuration if it does not already exist: oc adm ipfailover ipf --virtual-ips="10.1.1.1-4" --create # Create an IP failover configuration on a selection of nodes labeled # "router=us-west-ha" (on 4 nodes with 7 virtual IPs monitoring a service # listening on port 80, such as the router process). oc adm ipfailover ipfailover --selector="router=us-west-ha" --virtual-ips="1.2.3.4,10.1.1.100-104,5.6.7.8" --watch-port=80 --replicas=4 --create # Use a different IP failover config image and see the configuration: oc adm ipfailover ipf-alt --selector="hagroup=us-west-ha" --virtual-ips="1.2.3.4" -o yaml --images=myrepo/myipfailover:mytag ---- ==== == oc adm manage-node Manage nodes - list pods, evacuate, or mark ready ==== [options="nowrap"] ---- # Block accepting any pods on given nodes oc adm manage-node <mynode> --schedulable=false # Mark selected nodes as schedulable oc adm manage-node --selector="<env=dev>" --schedulable=true # Migrate selected pods oc adm manage-node <mynode> --evacuate --pod-selector="<service=myapp>" # Show pods that will be migrated oc adm manage-node <mynode> --evacuate --dry-run --pod-selector="<service=myapp>" # List all pods on given nodes oc adm manage-node <mynode1> <mynode2> --list-pods ---- ==== == oc adm pod-network join-projects Join project network ==== [options="nowrap"] ---- # Allow project p2 to use project p1 network oc adm pod-network join-projects --to=<p1> <p2> # Allow all projects with label name=top-secret to use project p1 network oc adm pod-network join-projects --to=<p1> --selector='name=top-secret' ---- ==== == oc adm pod-network make-projects-global Make project network global ==== [options="nowrap"] ---- # Allow project p1 to access all pods in the cluster and vice versa oc adm pod-network make-projects-global <p1> # Allow all projects with label name=share to access all pods in the cluster and vice versa oc adm pod-network make-projects-global --selector='name=share' ---- ==== == oc adm policy add-role-to-user Add users or serviceaccounts to a role in the current project ==== [options="nowrap"] ---- # Add the 'view' role to user1 in the current project oc adm policy add-role-to-user view user1 # Add the 'edit' role to serviceaccount1 in the current project oc adm policy add-role-to-user edit -z serviceaccount1 ---- ==== == oc adm policy add-scc-to-user Add users or serviceaccount to a security context constraint ==== [options="nowrap"] ---- # Add the 'restricted' security context contraint to user1 and user2 oc adm policy add-scc-to-user restricted user1 user2 # Add the 'privileged' security context contraint to the service account serviceaccount1 in the current namespace oc adm policy add-scc-to-user privileged -z serviceaccount1 ---- ==== == oc adm policy reconcile-cluster-role-bindings Update cluster role bindings to match the recommended bootstrap policy ==== [options="nowrap"] ---- # Display the names of cluster role bindings that would be modified oc adm policy reconcile-cluster-role-bindings -o name # Display the cluster role bindings that would be modified, removing any extra subjects oc adm policy reconcile-cluster-role-bindings --additive-only=false # Update cluster role bindings that don't match the current defaults oc adm policy reconcile-cluster-role-bindings --confirm # Update cluster role bindings that don't match the current defaults, avoid adding roles to the system:authenticated group oc adm policy reconcile-cluster-role-bindings --confirm --exclude-groups=system:authenticated # Update cluster role bindings that don't match the current defaults, removing any extra subjects from the binding oc adm policy reconcile-cluster-role-bindings --confirm --additive-only=false ---- ==== == oc adm policy reconcile-cluster-roles Update cluster roles to match the recommended bootstrap policy ==== [options="nowrap"] ---- # Display the names of cluster roles that would be modified oc adm policy reconcile-cluster-roles -o name # Add missing permissions to cluster roles that don't match the current defaults oc adm policy reconcile-cluster-roles --confirm # Add missing permissions and remove extra permissions from # cluster roles that don't match the current defaults oc adm policy reconcile-cluster-roles --additive-only=false --confirm # Display the union of the default and modified cluster roles oc adm policy reconcile-cluster-roles --additive-only ---- ==== == oc adm policy reconcile-sccs Replace cluster SCCs to match the recommended bootstrap policy ==== [options="nowrap"] ---- # Display the cluster SCCs that would be modified oc adm policy reconcile-sccs # Update cluster SCCs that don't match the current defaults preserving additional grants # for users and group and keeping any priorities that are already set oc adm policy reconcile-sccs --confirm # Replace existing users, groups, and priorities that do not match defaults oc adm policy reconcile-sccs --additive-only=false --confirm ---- ==== == oc adm prune builds Remove old completed and failed builds ==== [options="nowrap"] ---- # Dry run deleting older completed and failed builds and also including # all builds whose associated BuildConfig no longer exists oc adm prune builds --orphans # To actually perform the prune operation, the confirm flag must be appended oc adm prune builds --orphans --confirm ---- ==== == oc adm prune deployments Remove old completed and failed deployments ==== [options="nowrap"] ---- # Dry run deleting all but the last complete deployment for every deployment config oc adm prune deployments --keep-complete=1 # To actually perform the prune operation, the confirm flag must be appended oc adm prune deployments --keep-complete=1 --confirm ---- ==== == oc adm prune groups Prune OpenShift groups referencing missing records on an external provider. ==== [options="nowrap"] ---- # Prune all orphaned groups oc adm prune groups --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups except the ones from the blacklist file oc adm prune groups --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist file oc adm prune groups --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm # Prune all orphaned groups from a list of specific groups specified in a whitelist oc adm prune groups groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm ---- ==== == oc adm prune images Remove unreferenced images ==== [options="nowrap"] ---- # See, what the prune command would delete if only images more than an hour old and obsoleted # by 3 newer revisions under the same tag were considered. oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m # To actually perform the prune operation, the confirm flag must be appended oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm ---- ==== == oc adm registry Install the integrated Docker registry ==== [options="nowrap"] ---- # Check if default Docker registry ("docker-registry") has been created oc adm registry --dry-run # See what the registry will look like if created oc adm registry -o yaml # Create a registry with two replicas if it does not exist oc adm registry --replicas=2 # Use a different registry image oc adm registry --images=myrepo/docker-registry:mytag ---- ==== == oc adm router Install a router ==== [options="nowrap"] ---- # Check the default router ("router") oc adm router --dry-run # See what the router would look like if created oc adm router -o yaml # Create a router with two replicas if it does not exist oc adm router router-west --replicas=2 # Use a different router image oc adm router region-west --images=myrepo/somerouter:mytag # Run the router with a hint to the underlying implementation to _not_ expose statistics. oc adm router router-west --stats-port=0 ---- ==== == oc annotate Update the annotations on a resource ==== [options="nowrap"] ---- # Update pod 'foo' with the annotation 'description' and the value 'my frontend'. # If the same annotation is set multiple times, only the last value will be applied oc annotate pods foo description='my frontend' # Update pod 'foo' with the annotation 'description' and the value # 'my frontend running nginx', overwriting any existing value. oc annotate --overwrite pods foo description='my frontend running nginx' # Update all pods in the namespace oc annotate pods --all description='my frontend running nginx' # Update pod 'foo' only if the resource is unchanged from version 1. oc annotate pods foo description='my frontend running nginx' --resource-version=1 # Update pod 'foo' by removing an annotation named 'description' if it exists. # Does not require the --overwrite flag. oc annotate pods foo description- ---- ==== == oc apply Apply a configuration to a resource by filename or stdin ==== [options="nowrap"] ---- # Apply the configuration in pod.json to a pod. oc apply -f ./pod.json # Apply the JSON passed into stdin to a pod. cat pod.json | oc apply -f - ---- ==== == oc attach Attach to a running container. ==== [options="nowrap"] ---- # Get output from running pod 123456-7890, using the first container by default oc attach 123456-7890 # Get output from ruby-container from pod 123456-7890 oc attach 123456-7890 -c ruby-container # Switch to raw terminal mode, sends stdin to 'bash' in ruby-container from pod 123456-780 # and sends stdout/stderr from 'bash' back to the client oc attach 123456-7890 -c ruby-container -i -t ---- ==== == oc autoscale Autoscale a deployment config or replication controller ==== [options="nowrap"] ---- # Auto scale a deployment config "foo", with the number of pods between 2 to 10, target CPU utilization at a default value that server applies: oc autoscale dc/foo --min=2 --max=10 # Auto scale a replication controller "foo", with the number of pods between 1 to 5, target CPU utilization at 80% oc autoscale rc/foo --max=5 --cpu-percent=80 ---- ==== == oc cancel-build Cancel running, pending, or new builds ==== [options="nowrap"] ---- # Cancel the build with the given name oc cancel-build ruby-build-2 # Cancel the named build and print the build logs oc cancel-build ruby-build-2 --dump-logs # Cancel the named build and create a new one with the same parameters oc cancel-build ruby-build-2 --restart # Cancel multiple builds oc cancel-build ruby-build-1 ruby-build-2 ruby-build-3 # Cancel all builds created from 'ruby-build' build configuration that are in 'new' state oc cancel-build bc/ruby-build --state=new ---- ==== == oc cluster down Stop OpenShift on Docker ==== [options="nowrap"] ---- # Stop local Docker cluster oc cluster down # Stop cluster running on Docker machine 'mymachine' oc cluster down --docker-machine=mymachine ---- ==== == oc cluster up Start OpenShift on Docker with reasonable defaults ==== [options="nowrap"] ---- # Start OpenShift on a new docker machine named 'openshift' oc cluster up --create-machine # Start OpenShift using a specific public host name oc cluster up --public-hostname=my.address.example.com # Start OpenShift and preserve data and config between restarts oc cluster up --host-data-dir=/mydata --use-existing-config # Use a different set of images oc cluster up --image="registry.example.com/origin" --version="v1.1" ---- ==== == oc config Change configuration files for the client ==== [options="nowrap"] ---- # Change the config context to use oc config use-context my-context # Set the value of a config preference oc config set preferences.some true ---- ==== == oc config current-context Displays the current-context ==== [options="nowrap"] ---- # Display the current-context oc config current-context ---- ==== == oc config set-cluster Sets a cluster entry in kubeconfig ==== [options="nowrap"] ---- # Set only the server field on the e2e cluster entry without touching other values. oc config set-cluster e2e --server=https://1.2.3.4 # Embed certificate authority data for the e2e cluster entry oc config set-cluster e2e --certificate-authority=~/.kube/e2e/kubernetes.ca.crt # Disable cert checking for the dev cluster entry oc config set-cluster e2e --insecure-skip-tls-verify=true ---- ==== == oc config set-context Sets a context entry in kubeconfig ==== [options="nowrap"] ---- # Set the user field on the gce context entry without touching other values oc config set-context gce --user=cluster-admin ---- ==== == oc config set-credentials Sets a user entry in kubeconfig ==== [options="nowrap"] ---- # Set only the "client-key" field on the "cluster-admin" # entry, without touching other values: oc config set-credentials cluster-admin --client-key=~/.kube/admin.key # Set basic auth for the "cluster-admin" entry oc config set-credentials cluster-admin --username=admin --password=uXFGweU9l35qcif # Embed client certificate data in the "cluster-admin" entry oc config set-credentials cluster-admin --client-certificate=~/.kube/admin.crt --embed-certs=true ---- ==== == oc config view Displays merged kubeconfig settings or a specified kubeconfig file. ==== [options="nowrap"] ---- # Show Merged kubeconfig settings. oc config view # Get the password for the e2e user oc config view -o jsonpath='{.users[?(@.name == "e2e")].user.password}' ---- ==== == oc convert Convert config files between different API versions ==== [options="nowrap"] ---- # Convert 'pod.yaml' to latest version and print to stdout. oc convert -f pod.yaml # Convert the live state of the resource specified by 'pod.yaml' to the latest version # and print to stdout in json format. oc convert -f pod.yaml --local -o json # Convert all files under current directory to latest version and create them all. oc convert -f . | kubectl create -f - ---- ==== == oc create Create a resource by filename or stdin ==== [options="nowrap"] ---- # Create a pod using the data in pod.json. oc create -f pod.json # Create a pod based on the JSON passed into stdin. cat pod.json | oc create -f - ---- ==== == oc create configmap Create a configMap from a local file, directory or literal value. ==== [options="nowrap"] ---- # Create a new configmap named my-config with keys for each file in folder bar oc create configmap generic my-config --from-file=path/to/bar # Create a new configmap named my-config with specified keys instead of names on disk oc create configmap generic my-config --from-file=ssh-privatekey=~/.ssh/id_rsa --from-file=ssh-publickey=~/.ssh/id_rsa.pub # Create a new configMap named my-config with key1=config1 and key2=config2 oc create configmap generic my-config --from-literal=key1=config1 --from-literal=key2=config2 ---- ==== == oc create deploymentconfig Create deployment config with default options that uses a given image. ==== [options="nowrap"] ---- # Create an nginx deployment config named my-nginx oc create deploymentconfig my-nginx --image=nginx ---- ==== == oc create identity Manually create an identity (only needed if automatic creation is disabled). ==== [options="nowrap"] ---- # Create an identity with identity provider "acme_ldap" and the identity provider username "adamjones" oc create identity acme_ldap:adamjones ---- ==== == oc create namespace Create a namespace with the specified name. ==== [options="nowrap"] ---- # Create a new namespace named my-namespace oc create namespace my-namespace ---- ==== == oc create policybinding Create a policy binding that references the policy in the targetted namespace. ==== [options="nowrap"] ---- # Create a policy binding in namespace "foo" that references the policy in namespace "bar" oc create policybinding bar -n foo ---- ==== == oc create route edge Create a route that uses edge TLS termination ==== [options="nowrap"] ---- # Create an edge route named "my-route" that exposes frontend service. oc create route edge my-route --service=frontend # Create an edge route that exposes the frontend service and specify a path. # If the route name is omitted, the service name will be re-used. oc create route edge --service=frontend --path /assets ---- ==== == oc create route passthrough Create a route that uses passthrough TLS termination ==== [options="nowrap"] ---- # Create a passthrough route named "my-route" that exposes the frontend service. oc create route passthrough my-route --service=frontend # Create a passthrough route that exposes the frontend service and specify # a hostname. If the route name is omitted, the service name will be re-used. oc create route passthrough --service=frontend --hostname=www.example.com ---- ==== == oc create route reencrypt Create a route that uses reencrypt TLS termination ==== [options="nowrap"] ---- # Create a route named "my-route" that exposes the frontend service. oc create route reencrypt my-route --service=frontend --dest-ca-cert cert.cert # Create a reencrypt route that exposes the frontend service and re-use # the service name as the route name. oc create route reencrypt --service=frontend --dest-ca-cert cert.cert ---- ==== == oc create secret docker-registry Create a secret for use with a Docker registry. ==== [options="nowrap"] ---- # If you don't already have a .dockercfg file, you can create a dockercfg secret directly by using: $ oc create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL ---- ==== == oc create secret generic Create a secret from a local file, directory or literal value. ==== [options="nowrap"] ---- # Create a new secret named my-secret with keys for each file in folder bar oc create secret generic my-secret --from-file=path/to/bar # Create a new secret named my-secret with specified keys instead of names on disk oc create secret generic my-secret --from-file=ssh-privatekey=~/.ssh/id_rsa --from-file=ssh-publickey=~/.ssh/id_rsa.pub # Create a new secret named my-secret with key1=supersecret and key2=topsecret oc create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret ---- ==== == oc create serviceaccount Create a service account with the specified name. ==== [options="nowrap"] ---- # Create a new service account named my-service-account $ oc create serviceaccount my-service-account ---- ==== == oc create user Manually create a user (only needed if automatic creation is disabled). ==== [options="nowrap"] ---- # Create a user with the username "ajones" and the display name "Adam Jones" oc create user ajones --full-name="Adam Jones" ---- ==== == oc create useridentitymapping Manually map an identity to a user. ==== [options="nowrap"] ---- # Map the identity "acme_ldap:adamjones" to the user "ajones" oc create useridentitymapping acme_ldap:adamjones ajones ---- ==== == oc debug Launch a new instance of a pod for debugging ==== [options="nowrap"] ---- # Debug a currently running deployment oc debug dc/test # Test running a deployment as a non-root user oc debug dc/test --as-user=1000000 # Debug a specific failing container by running the env command in the 'second' container oc debug dc/test -c second -- /bin/env # See the pod that would be created to debug oc debug dc/test -o yaml ---- ==== == oc delete Delete one or more resources ==== [options="nowrap"] ---- # Delete a pod using the type and ID specified in pod.json. oc delete -f pod.json # Delete a pod based on the type and ID in the JSON passed into stdin. cat pod.json | oc delete -f - # Delete pods and services with label name=myLabel. oc delete pods,services -l name=myLabel # Delete a pod with ID 1234-56-7890-234234-456456. oc delete pod 1234-56-7890-234234-456456 # Delete all resources associated with a running app, includes # buildconfig,deploymentconfig,service,imagestream,route and pod, # where 'appName' is listed in 'Labels' of 'oc describe [resource] [resource name]' output. oc delete all -l app=appName # Delete all pods oc delete pods --all ---- ==== == oc deploy View, start, cancel, or retry a deployment ==== [options="nowrap"] ---- # Display the latest deployment for the 'database' deployment config oc deploy database # Start a new deployment based on the 'database' oc deploy database --latest # Retry the latest failed deployment based on 'frontend' # The deployer pod and any hook pods are deleted for the latest failed deployment oc deploy frontend --retry # Cancel the in-progress deployment based on 'frontend' oc deploy frontend --cancel ---- ==== == oc describe Show details of a specific resource or group of resources ==== [options="nowrap"] ---- # Provide details about the ruby-22-centos7 image repository oc describe imageRepository ruby-22-centos7 # Provide details about the ruby-sample-build build configuration oc describe bc ruby-sample-build ---- ==== == oc edit Edit a resource on the server ==== [options="nowrap"] ---- # Edit the service named 'docker-registry': oc edit svc/docker-registry # Edit the DeploymentConfig named 'my-deployment': oc edit dc/my-deployment # Use an alternative editor OC_EDITOR="nano" oc edit dc/my-deployment # Edit the service 'docker-registry' in JSON using the v1beta3 API format: oc edit svc/docker-registry --output-version=v1beta3 -o json ---- ==== == oc env DEPRECATED: set env ==== [options="nowrap"] ---- # Update deployment 'registry' with a new environment variable oc env dc/registry STORAGE_DIR=/local # List the environment variables defined on a build config 'sample-build' oc env bc/sample-build --list # List the environment variables defined on all pods oc env pods --all --list # Output modified build config in YAML, and does not alter the object on the server oc env bc/sample-build STORAGE_DIR=/data -o yaml # Update all containers in all replication controllers in the project to have ENV=prod oc env rc --all ENV=prod # Remove the environment variable ENV from container 'c1' in all deployment configs oc env dc --all --containers="c1" ENV- # Remove the environment variable ENV from a deployment config definition on disk and # update the deployment config on the server oc env -f dc.json ENV- # Set some of the local shell environment into a deployment config on the server env | grep RAILS_ | oc env -e - dc/registry ---- ==== == oc ex dockerbuild Perform a direct Docker build ==== [options="nowrap"] ---- # Build the current directory into a single layer and tag oc dockerbuild . myimage:latest ---- ==== == oc exec Execute a command in a container. ==== [options="nowrap"] ---- # Get output from running 'date' in ruby-container from pod 123456-7890 oc exec -p 123456-7890 -c ruby-container date # Switch to raw terminal mode, sends stdin to 'bash' in ruby-container from pod 123456-780 and sends stdout/stderr from 'bash' back to the client oc exec -p 123456-7890 -c ruby-container -i -t -- bash -il ---- ==== == oc explain Documentation of resources. ==== [options="nowrap"] ---- # Get the documentation of the resource and its fields oc explain pods # Get the documentation of a specific field of a resource oc explain pods.spec.containers ---- ==== == oc export Export resources so they can be used elsewhere ==== [options="nowrap"] ---- # export the services and deployment configurations labeled name=test oc export svc,dc -l name=test # export all services to a template oc export service --as-template=test # export to JSON oc export service -o json # convert a file on disk to the latest API version (in YAML, the default) oc export -f a_v1beta3_service.json --output-version=v1 --exact ---- ==== == oc expose Expose a replicated application as a service or route ==== [options="nowrap"] ---- # Create a route based on service nginx. The new route will re-use nginx's labels oc expose service nginx # Create a route and specify your own label and route name oc expose service nginx -l name=myroute --name=fromdowntown # Create a route and specify a hostname oc expose service nginx --hostname=www.example.com # Expose a deployment configuration as a service and use the specified port oc expose dc ruby-hello-world --port=8080 # Expose a service as a route in the specified path oc expose service nginx --path=/nginx ---- ==== == oc get Display one or many resources ==== [options="nowrap"] ---- # List all pods in ps output format. oc get pods # List a single replication controller with specified ID in ps output format. oc get rc redis # List all pods and show more details about them. oc get -o wide pods # List a single pod in JSON output format. oc get -o json pod redis-pod # Return only the status value of the specified pod. oc get -o template pod redis-pod --template={{.currentState.status}} ---- ==== == oc import app.json Import an app.json definition into OpenShift ==== [options="nowrap"] ---- # Import a directory containing an app.json file $ oc import app.json -f . # Turn an app.json file into a template $ oc import app.json -f ./app.json -o yaml --as-template ---- ==== == oc import docker-compose Import a docker-compose.yml project into OpenShift ==== [options="nowrap"] ---- # Import a docker-compose.yml file into OpenShift oc import docker-compose -f ./docker-compose.yml # Turn a docker-compose.yml file into a template oc import docker-compose -f ./docker-compose.yml -o yaml --as-template ---- ==== == oc import-image Imports images from a Docker registry ==== [options="nowrap"] ---- oc import-image mystream ---- ==== == oc label Update the labels on a resource ==== [options="nowrap"] ---- # Update pod 'foo' with the label 'unhealthy' and the value 'true'. oc label pods foo unhealthy=true # Update pod 'foo' with the label 'status' and the value 'unhealthy', overwriting any existing value. oc label --overwrite pods foo status=unhealthy # Update all pods in the namespace oc label pods --all status=unhealthy # Update pod 'foo' only if the resource is unchanged from version 1. oc label pods foo status=unhealthy --resource-version=1 # Update pod 'foo' by removing a label named 'bar' if it exists. # Does not require the --overwrite flag. oc label pods foo bar- ---- ==== == oc login Log in to a server ==== [options="nowrap"] ---- # Log in interactively oc login # Log in to the given server with the given certificate authority file oc login localhost:8443 --certificate-authority=/path/to/cert.crt # Log in to the given server with the given credentials (will not prompt interactively) oc login localhost:8443 --username=myuser --password=mypass ---- ==== == oc logout End the current server session ==== [options="nowrap"] ---- # Logout oc logout ---- ==== == oc logs Print the logs for a resource. ==== [options="nowrap"] ---- # Start streaming the logs of the most recent build of the openldap build config. oc logs -f bc/openldap # Start streaming the logs of the latest deployment of the mysql deployment config. oc logs -f dc/mysql # Get the logs of the first deployment for the mysql deployment config. Note that logs # from older deployments may not exist either because the deployment was successful # or due to deployment pruning or manual deletion of the deployment. oc logs --version=1 dc/mysql # Return a snapshot of ruby-container logs from pod backend. oc logs backend -c ruby-container # Start streaming of ruby-container logs from pod backend. oc logs -f pod/backend -c ruby-container ---- ==== == oc new-app Create a new application ==== [options="nowrap"] ---- # List all local templates and image streams that can be used to create an app oc new-app --list # Search all templates, image streams, and Docker images for the ones that match "ruby" oc new-app --search ruby # Create an application based on the source code in the current git repository (with a public remote) # and a Docker image oc new-app . --docker-image=repo/langimage # Create a Ruby application based on the provided [image]~[source code] combination oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git # Use the public Docker Hub MySQL image to create an app. Generated artifacts will be labeled with db=mysql oc new-app mysql MYSQL_USER=user MYSQL_PASSWORD=pass MYSQL_DATABASE=testdb -l db=mysql # Use a MySQL image in a private registry to create an app and override application artifacts' names oc new-app --docker-image=myregistry.com/mycompany/mysql --name=private # Create an application from a remote repository using its beta4 branch oc new-app https://github.com/openshift/ruby-hello-world#beta4 # Create an application based on a stored template, explicitly setting a parameter value oc new-app --template=ruby-helloworld-sample --param=MYSQL_USER=admin # Create an application from a remote repository and specify a context directory oc new-app https://github.com/youruser/yourgitrepo --context-dir=src/build # Create an application based on a template file, explicitly setting a parameter value oc new-app --file=./example/myapp/template.json --param=MYSQL_USER=admin # Search for "mysql" in all image repositories and stored templates oc new-app --search mysql # Search for "ruby", but only in stored templates (--template, --image and --docker-image # can be used to filter search results) oc new-app --search --template=ruby # Search for "ruby" in stored templates and print the output as an YAML oc new-app --search --template=ruby --output=yaml ---- ==== == oc new-build Create a new build configuration ==== [options="nowrap"] ---- # Create a build config based on the source code in the current git repository (with a public # remote) and a Docker image oc new-build . --docker-image=repo/langimage # Create a NodeJS build config based on the provided [image]~[source code] combination oc new-build openshift/nodejs-010-centos7~https://github.com/openshift/nodejs-ex.git # Create a build config from a remote repository using its beta2 branch oc new-build https://github.com/openshift/ruby-hello-world#beta2 # Create a build config using a Dockerfile specified as an argument oc new-build -D $'FROM centos:7\nRUN yum install -y httpd' # Create a build config from a remote repository and add custom environment variables oc new-build https://github.com/openshift/ruby-hello-world RACK_ENV=development # Create a build config from a remote repository and inject the npmrc into a build oc new-build https://github.com/openshift/ruby-hello-world --build-secret npmrc:.npmrc # Create a build config that gets its input from a remote repository and another Docker image oc new-build https://github.com/openshift/ruby-hello-world --source-image=openshift/jenkins-1-centos7 --source-image-path=/var/lib/jenkins:tmp ---- ==== == oc new-project Request a new project ==== [options="nowrap"] ---- # Create a new project with minimal information oc new-project web-team-dev # Create a new project with a display name and description oc new-project web-team-dev --display-name="Web Team Development" --description="Development project for the web team." ---- ==== == oc patch Update field(s) of a resource using strategic merge patch. ==== [options="nowrap"] ---- # Partially update a node using strategic merge patch oc patch node k8s-node-1 -p '{"spec":{"unschedulable":true}}' ---- ==== == oc policy add-role-to-user Add users or serviceaccounts to a role in the current project ==== [options="nowrap"] ---- # Add the 'view' role to user1 in the current project oc policy add-role-to-user view user1 # Add the 'edit' role to serviceaccount1 in the current project oc policy add-role-to-user edit -z serviceaccount1 ---- ==== == oc port-forward Forward one or more local ports to a pod. ==== [options="nowrap"] ---- # Listens on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in the pod oc port-forward -p mypod 5000 6000 # Listens on port 8888 locally, forwarding to 5000 in the pod oc port-forward -p mypod 8888:5000 # Listens on a random port locally, forwarding to 5000 in the pod oc port-forward -p mypod :5000 # Listens on a random port locally, forwarding to 5000 in the pod oc port-forward -p mypod 0:5000 ---- ==== == oc process Process a template into list of resources ==== [options="nowrap"] ---- # Convert template.json file into resource list and pass to create oc process -f template.json | oc create -f - # Process template while passing a user-defined label oc process -f template.json -l name=mytemplate # Convert stored template into resource list oc process foo # Convert stored template into resource list by setting/overriding parameter values oc process foo PARM1=VALUE1 PARM2=VALUE2 # Convert template stored in different namespace into a resource list oc process openshift//foo # Convert template.json into resource list cat template.json | oc process -f - # Combine multiple templates into single resource list cat template.json second_template.json | oc process -f - ---- ==== == oc project Switch to another project ==== [options="nowrap"] ---- # Switch to 'myapp' project oc project myapp # Display the project currently in use oc project ---- ==== == oc proxy Run a proxy to the Kubernetes API server ==== [options="nowrap"] ---- # Run a proxy to kubernetes apiserver on port 8011, serving static content from ./local/www/ oc proxy --port=8011 --www=./local/www/ # Run a proxy to kubernetes apiserver, changing the api prefix to k8s-api # This makes e.g. the pods api available at localhost:8011/k8s-api/v1beta3/pods/ oc proxy --api-prefix=k8s-api ---- ==== == oc replace Replace a resource by filename or stdin. ==== [options="nowrap"] ---- # Replace a pod using the data in pod.json. oc replace -f pod.json # Replace a pod based on the JSON passed into stdin. cat pod.json | oc replace -f - # Force replace, delete and then re-create the resource oc replace --force -f pod.json ---- ==== == oc rollback Revert part of an application back to a previous deployment ==== [options="nowrap"] ---- # Perform a rollback to the last successfully completed deployment for a deploymentconfig oc rollback frontend # See what a rollback to version 3 will look like, but don't perform the rollback oc rollback frontend --to-version=3 --dry-run # Perform a rollback to a specific deployment oc rollback frontend-2 # Perform the rollback manually by piping the JSON of the new config back to oc oc rollback frontend -o json | oc replace dc/frontend -f - ---- ==== == oc rsh Start a shell session in a pod ==== [options="nowrap"] ---- # Open a shell session on the first container in pod 'foo' oc rsh foo # Run the command 'cat /etc/resolv.conf' inside pod 'foo' oc rsh foo cat /etc/resolv.conf # See the configuration of your internal registry oc rsh dc/docker-registry cat config.yml # Open a shell session on the container named 'index' inside a pod of your job # oc rsh -c index job/sheduled ---- ==== == oc rsync Copy files between local filesystem and a pod ==== [options="nowrap"] ---- # Synchronize a local directory with a pod directory oc rsync ./local/dir/ POD:/remote/dir # Synchronize a pod directory with a local directory oc rsync POD:/remote/dir/ ./local/dir ---- ==== == oc run Run a particular image on the cluster. ==== [options="nowrap"] ---- # Starts a single instance of nginx. oc run nginx --image=nginx # Starts a replicated instance of nginx. oc run nginx --image=nginx --replicas=5 # Dry run. Print the corresponding API objects without creating them. oc run nginx --image=nginx --dry-run # Start a single instance of nginx, but overload the spec of the replication # controller with a partial set of values parsed from JSON. oc run nginx --image=nginx --overrides='{ "apiVersion": "v1", "spec": { ... } }' # Start a single instance of nginx and keep it in the foreground, don't restart it if it exits. oc run -i --tty nginx --image=nginx --restart=Never ---- ==== == oc scale Change the number of pods in a deployment ==== [options="nowrap"] ---- # Scale replication controller named 'foo' to 3. oc scale --replicas=3 replicationcontrollers foo # If the replication controller named foo's current size is 2, scale foo to 3. oc scale --current-replicas=2 --replicas=3 replicationcontrollers foo # Scale the latest deployment of 'bar'. In case of no deployment, bar's template # will be scaled instead. oc scale --replicas=10 dc bar ---- ==== == oc secrets add Add secrets to a ServiceAccount ==== [options="nowrap"] ---- // To use your secret inside of a pod or as a push, pull, or source secret for a build, you must add a 'mount' secret to your service account like this: oc secrets add serviceaccount/sa-name secrets/secret-name secrets/another-secret-name // To use your secret as an image pull secret, you must add a 'pull' secret to your service account like this: oc secrets add serviceaccount/sa-name secrets/secret-name --for=pull // To use your secret for image pulls or inside a pod: oc secrets add serviceaccount/sa-name secrets/secret-name --for=pull,mount ---- ==== == oc secrets new Create a new secret based on a key file or on files within a directory ==== [options="nowrap"] ---- # Create a new secret named my-secret with a key named ssh-privatekey oc secrets new my-secret ~/.ssh/ssh-privatekey # Create a new secret named my-secret with keys named ssh-privatekey and ssh-publickey instead of the names of the keys on disk oc secrets new my-secret ssh-privatekey=~/.ssh/id_rsa ssh-publickey=~/.ssh/id_rsa.pub # Create a new secret named my-secret with keys for each file in the folder "bar" oc secrets new my-secret path/to/bar # Create a new .dockercfg secret named my-secret oc secrets new my-secret path/to/.dockercfg # Create a new .docker/config.json secret named my-secret oc secrets new my-secret .dockerconfigjson=path/to/.docker/config.json ---- ==== == oc secrets new-basicauth Create a new secret for basic authentication ==== [options="nowrap"] ---- // If your basic authentication method requires only username and password or token, add it by using: oc secrets new-basicauth SECRET --username=USERNAME --password=PASSWORD // If your basic authentication method requires also CA certificate, add it by using: oc secrets new-basicauth SECRET --username=USERNAME --password=PASSWORD --ca-cert=FILENAME // If you do already have a .gitconfig file needed for authentication, you can create a gitconfig secret by using: oc secrets new SECRET path/to/.gitconfig ---- ==== == oc secrets new-dockercfg Create a new dockercfg secret ==== [options="nowrap"] ---- # Create a new .dockercfg secret: oc secrets new-dockercfg SECRET --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL # Create a new .dockercfg secret from an existing file: oc secrets new SECRET path/to/.dockercfg # Create a new .docker/config.json secret from an existing file: oc secrets new SECRET .dockerconfigjson=path/to/.docker/config.json # To add new secret to 'imagePullSecrets' for the node, or 'secrets' for builds, use: oc edit SERVICE_ACCOUNT ---- ==== == oc secrets new-sshauth Create a new secret for SSH authentication ==== [options="nowrap"] ---- // If your SSH authentication method requires only private SSH key, add it by using: oc secrets new-sshauth SECRET --ssh-privatekey=FILENAME // If your SSH authentication method requires also CA certificate, add it by using: oc secrets new-sshauth SECRET --ssh-privatekey=FILENAME --ca-cert=FILENAME // If you do already have a .gitconfig file needed for authentication, you can create a gitconfig secret by using: oc secrets new SECRET path/to/.gitconfig ---- ==== == oc serviceaccounts get-token Get a token assigned to a service account. ==== [options="nowrap"] ---- # Get the service account token from service account 'default' oc serviceaccounts get-token 'default' ---- ==== == oc serviceaccounts new-token Generate a new token for a service account. ==== [options="nowrap"] ---- # Generate a new token for service account 'default' oc serviceaccounts new-token 'default' # Generate a new token for service account 'default' and apply # labels 'foo' and 'bar' to the new token for identification # oc serviceaccounts new-token 'default' --labels foo=foo-value,bar=bar-value ---- ==== == oc set build-hook Update a build hook on a build config ==== [options="nowrap"] ---- # Clear post-commit hook on a build config oc set build-hook bc/mybuild --post-commit --remove # Set the post-commit hook to execute a test suite using a new entrypoint oc set build-hook bc/mybuild --post-commit --command -- /bin/bash -c /var/lib/test-image.sh # Set the post-commit hook to execute a shell script oc set build-hook bc/mybuild --post-commit --script="/var/lib/test-image.sh param1 param2 && /var/lib/done.sh" # Set the post-commit hook as a set of arguments to the default image entrypoint oc set build-hook bc/mybuild --post-commit -- arg1 arg2 ---- ==== == oc set env Update environment variables on a pod template ==== [options="nowrap"] ---- # Update deployment 'registry' with a new environment variable oc set env dc/registry STORAGE_DIR=/local # List the environment variables defined on a build config 'sample-build' oc set env bc/sample-build --list # List the environment variables defined on all pods oc set env pods --all --list # Output modified build config in YAML, and does not alter the object on the server oc set env bc/sample-build STORAGE_DIR=/data -o yaml # Update all containers in all replication controllers in the project to have ENV=prod oc set env rc --all ENV=prod # Remove the environment variable ENV from container 'c1' in all deployment configs oc set env dc --all --containers="c1" ENV- # Remove the environment variable ENV from a deployment config definition on disk and # update the deployment config on the server oc set env -f dc.json ENV- # Set some of the local shell environment into a deployment config on the server env | grep RAILS_ | oc set env -e - dc/registry ---- ==== == oc set probe Update a probe on a pod template ==== [options="nowrap"] ---- # Clear both readiness and liveness probes off all containers oc set probe dc/registry --remove --readiness --liveness # Set an exec action as a liveness probe to run 'echo ok' oc set probe dc/registry --liveness -- echo ok # Set a readiness probe to try to open a TCP socket on 3306 oc set probe rc/mysql --readiness --open-tcp=3306 # Set an HTTP readiness probe for port 8080 and path /healthz over HTTP on the pod IP oc set probe dc/webapp --readiness --get-url=http://:8080/healthz # Set an HTTP readiness probe over HTTPS on 127.0.0.1 for a hostNetwork pod oc set probe dc/router --readiness --get-url=https://127.0.0.1:1936/stats # Set only the initial-delay-seconds field on all deployments oc set probe dc --all --readiness --initial-delay-seconds=30 ---- ==== == oc set triggers Update the triggers on a build or deployment config ==== [options="nowrap"] ---- # Print the triggers on the registry oc set triggers dc/registry # Set all triggers to manual oc set triggers dc/registry --manual # Enable all automatic triggers oc set triggers dc/registry --auto # Reset the GitHub webhook on a build to a new, generated secret oc set triggers bc/webapp --from-github oc set triggers bc/webapp --from-webhook # Remove all triggers oc set triggers bc/webapp --remove-all # Stop triggering on config change oc set triggers dc/registry --from-config --remove # Add an image trigger to a build config oc set triggers bc/webapp --from-image=namespace1/image:latest ---- ==== == oc set volumes Update volumes on a pod template ==== [options="nowrap"] ---- # List volumes defined on all deployment configs in the current project oc set volume dc --all # Add a new empty dir volume to deployment config (dc) 'registry' mounted under # /var/lib/registry oc set volume dc/registry --add --mount-path=/var/lib/registry # Use an existing persistent volume claim (pvc) to overwrite an existing volume 'v1' oc set volume dc/registry --add --name=v1 -t pvc --claim-name=pvc1 --overwrite # Remove volume 'v1' from deployment config 'registry' oc set volume dc/registry --remove --name=v1 # Create a new persistent volume claim that overwrites an existing volume 'v1' oc set volume dc/registry --add --name=v1 -t pvc --claim-size=1G --overwrite # Change the mount point for volume 'v1' to /data oc set volume dc/registry --add --name=v1 -m /data --overwrite # Modify the deployment config by removing volume mount "v1" from container "c1" # (and by removing the volume "v1" if no other containers have volume mounts that reference it) oc set volume dc/registry --remove --name=v1 --containers=c1 # Add new volume based on a more complex volume source (Git repo, AWS EBS, GCE PD, # Ceph, Gluster, NFS, ISCSI, ...) oc set volume dc/registry --add -m /repo --source=<json-string> ---- ==== == oc start-build Start a new build ==== [options="nowrap"] ---- # Starts build from build config "hello-world" oc start-build hello-world # Starts build from a previous build "hello-world-1" oc start-build --from-build=hello-world-1 # Use the contents of a directory as build input oc start-build hello-world --from-dir=src/ # Send the contents of a Git repository to the server from tag 'v2' oc start-build hello-world --from-repo=../hello-world --commit=v2 # Start a new build for build config "hello-world" and watch the logs until the build # completes or fails. oc start-build hello-world --follow # Start a new build for build config "hello-world" and wait until the build completes. It # exits with a non-zero return code if the build fails. oc start-build hello-world --wait ---- ==== == oc status Show an overview of the current project ==== [options="nowrap"] ---- # See an overview of the current project. oc status # Export the overview of the current project in an svg file. oc status -o dot | dot -T svg -o project.svg # See an overview of the current project including details for any identified issues. oc status -v ---- ==== == oc tag Tag existing images into image streams ==== [options="nowrap"] ---- # Tag the current image for the image stream 'openshift/ruby' and tag '2.0' into the image stream 'yourproject/ruby with tag 'tip'. oc tag openshift/ruby:2.0 yourproject/ruby:tip # Tag a specific image. oc tag openshift/ruby@sha256:6b646fa6bf5e5e4c7fa41056c27910e679c03ebe7f93e361e6515a9da7e258cc yourproject/ruby:tip # Tag an external Docker image. oc tag --source=docker openshift/origin:latest yourproject/ruby:tip # Remove the specified spec tag from an image stream. oc tag openshift/origin:latest -d ---- ==== == oc types An introduction to concepts and types ==== [options="nowrap"] ---- # View all projects you have access to oc get projects # See a list of all services in the current project oc get svc # Describe a deployment configuration in detail oc describe dc mydeploymentconfig # Show the images tagged into an image stream oc describe is ruby-centos7 ---- ==== == oc volumes DEPRECATED: set volume ==== [options="nowrap"] ---- # List volumes defined on all deployment configs in the current project oc volume dc --all # Add a new empty dir volume to deployment config (dc) 'registry' mounted under # /var/lib/registry oc volume dc/registry --add --mount-path=/var/lib/registry # Use an existing persistent volume claim (pvc) to overwrite an existing volume 'v1' oc volume dc/registry --add --name=v1 -t pvc --claim-name=pvc1 --overwrite # Remove volume 'v1' from deployment config 'registry' oc volume dc/registry --remove --name=v1 # Create a new persistent volume claim that overwrites an existing volume 'v1' oc volume dc/registry --add --name=v1 -t pvc --claim-size=1G --overwrite # Change the mount point for volume 'v1' to /data oc volume dc/registry --add --name=v1 -m /data --overwrite # Modify the deployment config by removing volume mount "v1" from container "c1" # (and by removing the volume "v1" if no other containers have volume mounts that reference it) oc volume dc/registry --remove --name=v1 --containers=c1 # Add new volume based on a more complex volume source (Git repo, AWS EBS, GCE PD, # Ceph, Gluster, NFS, ISCSI, ...) oc volume dc/registry --add -m /repo --source=<json-string> ---- ====