1. origin
  2. docs
  3. generated
  4. oadm_by_example_content.adoc
Raw Blame History 
:toc: macro
:toc-title:

toc::[]


== oadm build-chain
Output the inputs and dependencies of your builds

====

[options="nowrap"]
----
  # Build the dependency tree for the 'latest' tag in <image-stream>
  $ oadm build-chain <image-stream>

  # Build the dependency tree for 'v2' tag in dot format and visualize it via the dot utility
  $ oadm build-chain <image-stream>:v2 -o dot | dot -T svg -o deps.svg

  # Build the dependency tree across all namespaces for the specified image stream tag found in 'test' namespace
  $ oadm build-chain <image-stream> -n test --all
----
====


== oadm config
Change configuration files for the client

====

[options="nowrap"]
----
  # Change the config context to use
  oadm config use-context my-context
  
  # Set the value of a config preference
  oadm config set preferences.some true
----
====


== oadm config set-cluster
Sets a cluster entry in kubeconfig

====

[options="nowrap"]
----
  # Set only the server field on the e2e cluster entry without touching other values.
  $ oadm config set-cluster e2e --server=https://1.2.3.4
  
  # Embed certificate authority data for the e2e cluster entry
  $ oadm config set-cluster e2e --certificate-authority=~/.kube/e2e/kubernetes.ca.crt
  
  # Disable cert checking for the dev cluster entry
  $ oadm config set-cluster e2e --insecure-skip-tls-verify=true
----
====


== oadm config set-context
Sets a context entry in kubeconfig

====

[options="nowrap"]
----
  # Set the user field on the gce context entry without touching other values
  $ oadm config set-context gce --user=cluster-admin
----
====


== oadm config set-credentials
Sets a user entry in kubeconfig

====

[options="nowrap"]
----
  # Set only the "client-key" field on the "cluster-admin"
  # entry, without touching other values:
  $ oadm config set-credentials cluster-admin --client-key=~/.kube/admin.key
  
  # Set basic auth for the "cluster-admin" entry
  $ oadm config set-credentials cluster-admin --username=admin --password=uXFGweU9l35qcif
  
  # Embed client certificate data in the "cluster-admin" entry
  $ oadm config set-credentials cluster-admin --client-certificate=~/.kube/admin.crt --embed-certs=true
----
====


== oadm config view
Displays merged kubeconfig settings or a specified kubeconfig file.

====

[options="nowrap"]
----
  # Show Merged kubeconfig settings.
  $ oadm config view
  
  # Get the password for the e2e user
  $ oadm config view -o template --template='{{range .users}}{{ if eq .name "e2e" }}{{ index .user.password }}{{end}}{{end}}'
----
====


== oadm groups add-users
Add users to a group

====

[options="nowrap"]
----
  # Add user1 and user2 to my-group
  $ oadm groups add-users my-group user1 user2
----
====


== oadm groups new
Create a new group

====

[options="nowrap"]
----
  # Add a group with no users
  $ oadm groups new my-group

  # Add a group with two users
  $ oadm groups new my-group user1 user2
----
====


== oadm groups prune
Prune OpenShift groups referencing missing records on an external provider.

====

[options="nowrap"]
----
  # Prune all orphaned groups 
  $ oadm groups prune --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Prune all orphaned groups except the ones from the blacklist file
  $ oadm groups prune --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Prune all orphaned groups from a list of specific groups specified in a whitelist file
  $ oadm groups prune --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Prune all orphaned groups from a list of specific groups specified in a whitelist
  $ oadm groups prune groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm

----
====


== oadm groups remove-users
Remove users from a group

====

[options="nowrap"]
----
  # Remove user1 and user2 from my-group
  $ oadm groups remove-users my-group user1 user2
----
====


== oadm groups sync
Sync OpenShift groups with records from an external provider.

====

[options="nowrap"]
----
  # Sync all groups from an LDAP server
  $ oadm groups sync --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Sync all groups except the ones from the blacklist file from an LDAP server
  $ oadm groups sync --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Sync specific groups specified in a whitelist file with an LDAP server 
  $ oadm groups sync --whitelist=/path/to/whitelist.txt --sync-config=/path/to/sync-config.yaml --confirm

  # Sync all OpenShift Groups that have been synced previously with an LDAP server
  $ oadm groups sync --type=openshift --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Sync specific OpenShift Groups if they have been synced previously with an LDAP server
  $ oadm groups sync groups/group1 groups/group2 groups/group3 --sync-config=/path/to/sync-config.yaml --confirm

----
====


== oadm ipfailover
Install an IP failover group to a set of nodes

====

[options="nowrap"]
----
  # Check the default IP failover configuration ("ipfailover"):
  $ oadm ipfailover

  # See what the IP failover configuration would look like if it is created:
  $ oadm ipfailover -o json

  # Create an IP failover configuration if it does not already exist:
  $ oadm ipfailover ipf --virtual-ips="10.1.1.1-4" --create

  # Create an IP failover configuration on a selection of nodes labeled
  # "router=us-west-ha" (on 4 nodes with 7 virtual IPs monitoring a service
  # listening on port 80, such as the router process).
  $ oadm ipfailover ipfailover --selector="router=us-west-ha" --virtual-ips="1.2.3.4,10.1.1.100-104,5.6.7.8" --watch-port=80 --replicas=4 --create

  # Use a different IP failover config image and see the configuration:
  $ oadm ipfailover ipf-alt --selector="hagroup=us-west-ha" --virtual-ips="1.2.3.4" -o yaml --images=myrepo/myipfailover:mytag
----
====


== oadm manage-node
Manage nodes - list pods, evacuate, or mark ready

====

[options="nowrap"]
----
	# Block accepting any pods on given nodes
	$ oadm manage-node <mynode> --schedulable=false

	# Mark selected nodes as schedulable
	$ oadm manage-node --selector="<env=dev>" --schedulable=true

	# Migrate selected pods
	$ oadm manage-node <mynode> --evacuate --pod-selector="<service=myapp>"

	# Show pods that will be migrated
	$ oadm manage-node <mynode> --evacuate --dry-run --pod-selector="<service=myapp>"

	# List all pods on given nodes
	$ oadm manage-node <mynode1> <mynode2> --list-pods
----
====


== oadm pod-network join-projects
Join project network

====

[options="nowrap"]
----
	# Allow project p2 to use project p1 network
	$ oadm pod-network join-projects --to=<p1> <p2>

	# Allow all projects with label name=top-secret to use project p1 network
	$ oadm pod-network join-projects --to=<p1> --selector='name=top-secret'
----
====


== oadm pod-network make-projects-global
Make project network global

====

[options="nowrap"]
----
	# Allow project p1 to access all pods in the cluster and vice versa
	$ oadm pod-network make-projects-global <p1>

	# Allow all projects with label name=share to access all pods in the cluster and vice versa
	$ oadm pod-network make-projects-global --selector='name=share'
----
====


== oadm policy reconcile-cluster-role-bindings
Replace cluster role bindings to match the recommended bootstrap policy

====

[options="nowrap"]
----
  # Display the cluster role bindings that would be modified
  $ oadm policy reconcile-cluster-role-bindings

  # Display the cluster role bindings that would be modified, removing any extra subjects
  $ oadm policy reconcile-cluster-role-bindings --additive-only=false

  # Update cluster role bindings that don't match the current defaults
  $ oadm policy reconcile-cluster-role-bindings --confirm

  # Update cluster role bindings that don't match the current defaults, avoid adding roles to the system:authenticated group
  $ oadm policy reconcile-cluster-role-bindings --confirm --exclude-groups=system:authenticated

  # Update cluster role bindings that don't match the current defaults, removing any extra subjects from the binding
  $ oadm policy reconcile-cluster-role-bindings --confirm --additive-only=false
----
====


== oadm policy reconcile-cluster-roles
Replace cluster roles to match the recommended bootstrap policy

====

[options="nowrap"]
----
  # Display the cluster roles that would be modified
  $ oadm policy reconcile-cluster-roles

  # Replace cluster roles that don't match the current defaults
  $ oadm policy reconcile-cluster-roles --confirm

  # Display the union of the default and modified cluster roles
  $ oadm policy reconcile-cluster-roles --additive-only
----
====


== oadm policy reconcile-sccs
Replace cluster SCCs to match the recommended bootstrap policy

====

[options="nowrap"]
----
  # Display the cluster SCCs that would be modified
  $ oadm policy reconcile-sccs

  # Update cluster SCCs that don't match the current defaults preserving additional grants
  # for users and group and keeping any priorities that are already set
  $ oadm policy reconcile-sccs --confirm

  # Replace existing users, groups, and priorities that do not match defaults
  $ oadm policy reconcile-sccs --additive-only=false --confirm
----
====


== oadm prune prune
Prune OpenShift groups referencing missing records on an external provider.

====

[options="nowrap"]
----
  # Prune all orphaned groups 
  $ oadm prune prune --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Prune all orphaned groups except the ones from the blacklist file
  $ oadm prune prune --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Prune all orphaned groups from a list of specific groups specified in a whitelist file
  $ oadm prune prune --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

  # Prune all orphaned groups from a list of specific groups specified in a whitelist
  $ oadm prune prune groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm

----
====


== oadm registry
Install the integrated Docker registry

====

[options="nowrap"]
----
  # Check if default Docker registry ("docker-registry") has been created
  $ oadm registry --dry-run

  # See what the registry will look like if created
  $ oadm registry -o json --credentials=/path/to/registry-user.kubeconfig

  # Create a registry if it does not exist with two replicas
  $ oadm registry --replicas=2 --credentials=/path/to/registry-user.kubeconfig

  # Use a different registry image and see the registry configuration
  $ oadm registry -o yaml --images=myrepo/docker-registry:mytag --credentials=/path/to/registry-user.kubeconfig
----
====


== oadm router
Install a router

====

[options="nowrap"]
----
  # Check the default router ("router")
  $ oadm router --dry-run

  # See what the router would look like if created
  $ oadm router -o json --credentials=/path/to/openshift-router.kubeconfig --service-account=myserviceaccount

  # Create a router if it does not exist
  $ oadm router router-west --credentials=/path/to/openshift-router.kubeconfig --service-account=myserviceaccount --replicas=2

  # Use a different router image and see the router configuration
  $ oadm router region-west -o yaml --credentials=/path/to/openshift-router.kubeconfig --service-account=myserviceaccount --images=myrepo/somerouter:mytag

  # Run the router with a hint to the underlying implementation to _not_ expose statistics.
  $ oadm router router-west --credentials=/path/to/openshift-router.kubeconfig --service-account=myserviceaccount --stats-port=0
  
----
====