diff --git a/contrib/completions/bash/oadm b/contrib/completions/bash/oadm index c44df02205f5..84c9cf0cbe98 100644 --- a/contrib/completions/bash/oadm +++ b/contrib/completions/bash/oadm 
@@ -4101,6 +4101,167 @@ _oadm_policy_remove-user() noun_aliases=() } +_oadm_policy_scc-review() +{ + last_command="oadm_policy_scc-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + 
flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + flags+=("--user=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + +_oadm_policy_scc-subject-review() +{ + last_command="oadm_policy_scc-subject-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--groups=") + two_word_flags+=("-g") + local_nonpersistent_flags+=("--groups=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + 
flags+=("--user=") + two_word_flags+=("-u") + local_nonpersistent_flags+=("--user=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + _oadm_policy_who-can() { last_command="oadm_policy_who-can" @@ -4169,6 +4330,8 @@ _oadm_policy() commands+=("remove-scc-from-group") commands+=("remove-scc-from-user") commands+=("remove-user") + commands+=("scc-review") + commands+=("scc-subject-review") commands+=("who-can") flags=() diff --git a/contrib/completions/bash/oc b/contrib/completions/bash/oc index decc1cce5345..6db8b7f971db 100644 --- a/contrib/completions/bash/oc +++ b/contrib/completions/bash/oc 
@@ -4124,6 +4124,163 @@ _oc_adm_policy_remove-user() noun_aliases=() } +_oc_adm_policy_scc-review() +{ + last_command="oc_adm_policy_scc-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--as=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + 
flags+=("--context=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + flags+=("--user=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + +_oc_adm_policy_scc-subject-review() +{ + last_command="oc_adm_policy_scc-subject-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--groups=") + two_word_flags+=("-g") + local_nonpersistent_flags+=("--groups=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--user=") + two_word_flags+=("-u") + 
local_nonpersistent_flags+=("--user=") + flags+=("--as=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + _oc_adm_policy_who-can() { last_command="oc_adm_policy_who-can" @@ -4190,6 +4347,8 @@ _oc_adm_policy() commands+=("remove-scc-from-group") commands+=("remove-scc-from-user") commands+=("remove-user") + commands+=("scc-review") + commands+=("scc-subject-review") commands+=("who-can") flags=() 
@@ -12230,6 +12389,171 @@ _oc_policy_remove-user() noun_aliases=() } +_oc_policy_scc-review() +{ + last_command="oc_policy_scc-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--as=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + 
flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + flags_with_completion+=("--namespace") + flags_completion+=("__oc_get_namespaces") + two_word_flags+=("-n") + flags_with_completion+=("-n") + flags_completion+=("__oc_get_namespaces") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + flags+=("--user=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + +_oc_policy_scc-subject-review() +{ + last_command="oc_policy_scc-subject-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--groups=") + two_word_flags+=("-g") + local_nonpersistent_flags+=("--groups=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + 
flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--user=") + two_word_flags+=("-u") + local_nonpersistent_flags+=("--user=") + flags+=("--as=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + flags_with_completion+=("--namespace") + flags_completion+=("__oc_get_namespaces") + two_word_flags+=("-n") + flags_with_completion+=("-n") + flags_completion+=("__oc_get_namespaces") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + _oc_policy_who-can() { last_command="oc_policy_who-can" @@ -12290,6 +12614,8 @@ _oc_policy() commands+=("remove-role-from-group") commands+=("remove-role-from-user") commands+=("remove-user") + commands+=("scc-review") + commands+=("scc-subject-review") commands+=("who-can") flags=() diff --git a/contrib/completions/bash/openshift b/contrib/completions/bash/openshift index 857000c74efa..64a947849265 100644 --- a/contrib/completions/bash/openshift +++ b/contrib/completions/bash/openshift 
@@ -4101,6 +4101,167 @@ _openshift_admin_policy_remove-user() noun_aliases=() } +_openshift_admin_policy_scc-review() +{ + last_command="openshift_admin_policy_scc-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + 
flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + flags+=("--user=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + +_openshift_admin_policy_scc-subject-review() +{ + last_command="openshift_admin_policy_scc-subject-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--groups=") + two_word_flags+=("-g") + local_nonpersistent_flags+=("--groups=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + 
flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--user=") + two_word_flags+=("-u") + local_nonpersistent_flags+=("--user=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + _openshift_admin_policy_who-can() { last_command="openshift_admin_policy_who-can" @@ -4169,6 +4330,8 @@ _openshift_admin_policy() commands+=("remove-scc-from-group") commands+=("remove-scc-from-user") commands+=("remove-user") + commands+=("scc-review") + commands+=("scc-subject-review") commands+=("who-can") flags=() 
@@ -9019,6 +9182,167 @@ _openshift_cli_adm_policy_remove-user() noun_aliases=() } +_openshift_cli_adm_policy_scc-review() +{ + last_command="openshift_cli_adm_policy_scc-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + 
flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + flags+=("--user=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + +_openshift_cli_adm_policy_scc-subject-review() +{ + last_command="openshift_cli_adm_policy_scc-subject-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--groups=") + two_word_flags+=("-g") + local_nonpersistent_flags+=("--groups=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + 
flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--user=") + two_word_flags+=("-u") + local_nonpersistent_flags+=("--user=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + _openshift_cli_adm_policy_who-can() { last_command="openshift_cli_adm_policy_who-can" @@ -9087,6 +9411,8 @@ _openshift_cli_adm_policy() commands+=("remove-scc-from-group") commands+=("remove-scc-from-user") commands+=("remove-user") + commands+=("scc-review") + commands+=("scc-subject-review") commands+=("who-can") flags=() 
@@ -17333,6 +17659,175 @@ _openshift_cli_policy_remove-user() noun_aliases=() } +_openshift_cli_policy_scc-review() +{ + last_command="openshift_cli_policy_scc-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + 
flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + flags_with_completion+=("--namespace") + flags_completion+=("__oc_get_namespaces") + two_word_flags+=("-n") + flags_with_completion+=("-n") + flags_completion+=("__oc_get_namespaces") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + flags+=("--user=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + +_openshift_cli_policy_scc-subject-review() +{ + last_command="openshift_cli_policy_scc-subject-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--groups=") + two_word_flags+=("-g") + local_nonpersistent_flags+=("--groups=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + 
local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--user=") + two_word_flags+=("-u") + local_nonpersistent_flags+=("--user=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + flags_with_completion+=("--namespace") + flags_completion+=("__oc_get_namespaces") + two_word_flags+=("-n") + flags_with_completion+=("-n") + flags_completion+=("__oc_get_namespaces") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + _openshift_cli_policy_who-can() { last_command="openshift_cli_policy_who-can" @@ -17395,6 +17890,8 @@ _openshift_cli_policy() commands+=("remove-role-from-group") commands+=("remove-role-from-user") commands+=("remove-user") + commands+=("scc-review") + commands+=("scc-subject-review") commands+=("who-can") flags=() diff --git a/contrib/completions/zsh/oadm b/contrib/completions/zsh/oadm index c94063134deb..93fa0d79d4fd 100644 --- a/contrib/completions/zsh/oadm +++ b/contrib/completions/zsh/oadm 
@@ -4249,6 +4249,167 @@ _oadm_policy_remove-user() noun_aliases=() } +_oadm_policy_scc-review() +{ + last_command="oadm_policy_scc-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + 
flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + flags+=("--user=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + +_oadm_policy_scc-subject-review() +{ + last_command="oadm_policy_scc-subject-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--groups=") + two_word_flags+=("-g") + local_nonpersistent_flags+=("--groups=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + 
flags+=("--user=") + two_word_flags+=("-u") + local_nonpersistent_flags+=("--user=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + _oadm_policy_who-can() { last_command="oadm_policy_who-can" @@ -4317,6 +4478,8 @@ _oadm_policy() commands+=("remove-scc-from-group") commands+=("remove-scc-from-user") commands+=("remove-user") + commands+=("scc-review") + commands+=("scc-subject-review") commands+=("who-can") flags=() diff --git a/contrib/completions/zsh/oc b/contrib/completions/zsh/oc index b57161dbaf3c..114b700c32f3 100644 --- a/contrib/completions/zsh/oc +++ b/contrib/completions/zsh/oc 
@@ -4272,6 +4272,163 @@ _oc_adm_policy_remove-user() noun_aliases=() } +_oc_adm_policy_scc-review() +{ + last_command="oc_adm_policy_scc-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--as=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + 
flags+=("--context=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + flags+=("--user=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + +_oc_adm_policy_scc-subject-review() +{ + last_command="oc_adm_policy_scc-subject-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--groups=") + two_word_flags+=("-g") + local_nonpersistent_flags+=("--groups=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--user=") + two_word_flags+=("-u") + 
local_nonpersistent_flags+=("--user=") + flags+=("--as=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + _oc_adm_policy_who-can() { last_command="oc_adm_policy_who-can" @@ -4338,6 +4495,8 @@ _oc_adm_policy() commands+=("remove-scc-from-group") commands+=("remove-scc-from-user") commands+=("remove-user") + commands+=("scc-review") + commands+=("scc-subject-review") commands+=("who-can") flags=() 
@@ -12378,6 +12537,171 @@ _oc_policy_remove-user() noun_aliases=() } +_oc_policy_scc-review() +{ + last_command="oc_policy_scc-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--as=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + 
flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + flags_with_completion+=("--namespace") + flags_completion+=("__oc_get_namespaces") + two_word_flags+=("-n") + flags_with_completion+=("-n") + flags_completion+=("__oc_get_namespaces") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + flags+=("--user=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + +_oc_policy_scc-subject-review() +{ + last_command="oc_policy_scc-subject-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--groups=") + two_word_flags+=("-g") + local_nonpersistent_flags+=("--groups=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + 
flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--user=") + two_word_flags+=("-u") + local_nonpersistent_flags+=("--user=") + flags+=("--as=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + flags_with_completion+=("--namespace") + flags_completion+=("__oc_get_namespaces") + two_word_flags+=("-n") + flags_with_completion+=("-n") + flags_completion+=("__oc_get_namespaces") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + _oc_policy_who-can() { last_command="oc_policy_who-can" @@ -12438,6 +12762,8 @@ _oc_policy() commands+=("remove-role-from-group") commands+=("remove-role-from-user") commands+=("remove-user") + commands+=("scc-review") + commands+=("scc-subject-review") commands+=("who-can") flags=() diff --git a/contrib/completions/zsh/openshift b/contrib/completions/zsh/openshift index 11cdcdb1f8e6..35b25a2933fc 100644 --- a/contrib/completions/zsh/openshift +++ b/contrib/completions/zsh/openshift 
@@ -4249,6 +4249,167 @@ _openshift_admin_policy_remove-user() noun_aliases=() } +_openshift_admin_policy_scc-review() +{ + last_command="openshift_admin_policy_scc-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + 
flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + flags+=("--user=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + +_openshift_admin_policy_scc-subject-review() +{ + last_command="openshift_admin_policy_scc-subject-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--groups=") + two_word_flags+=("-g") + local_nonpersistent_flags+=("--groups=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + 
flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--user=") + two_word_flags+=("-u") + local_nonpersistent_flags+=("--user=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + _openshift_admin_policy_who-can() { last_command="openshift_admin_policy_who-can" @@ -4317,6 +4478,8 @@ _openshift_admin_policy() commands+=("remove-scc-from-group") commands+=("remove-scc-from-user") commands+=("remove-user") + commands+=("scc-review") + commands+=("scc-subject-review") commands+=("who-can") flags=() 
@@ -9167,6 +9330,167 @@ _openshift_cli_adm_policy_remove-user() noun_aliases=() } +_openshift_cli_adm_policy_scc-review() +{ + last_command="openshift_cli_adm_policy_scc-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + 
flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + flags+=("--user=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + +_openshift_cli_adm_policy_scc-subject-review() +{ + last_command="openshift_cli_adm_policy_scc-subject-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--groups=") + two_word_flags+=("-g") + local_nonpersistent_flags+=("--groups=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + 
flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--user=") + two_word_flags+=("-u") + local_nonpersistent_flags+=("--user=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + two_word_flags+=("-n") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + _openshift_cli_adm_policy_who-can() { last_command="openshift_cli_adm_policy_who-can" @@ -9235,6 +9559,8 @@ _openshift_cli_adm_policy() commands+=("remove-scc-from-group") commands+=("remove-scc-from-user") commands+=("remove-user") + commands+=("scc-review") + commands+=("scc-subject-review") commands+=("who-can") flags=() 
@@ -17481,6 +17807,175 @@ _openshift_cli_policy_remove-user() noun_aliases=() } +_openshift_cli_policy_scc-review() +{ + last_command="openshift_cli_policy_scc-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + 
flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + flags_with_completion+=("--namespace") + flags_completion+=("__oc_get_namespaces") + two_word_flags+=("-n") + flags_with_completion+=("-n") + flags_completion+=("__oc_get_namespaces") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + flags+=("--user=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + +_openshift_cli_policy_scc-subject-review() +{ + last_command="openshift_cli_policy_scc-subject-review" + commands=() + + flags=() + two_word_flags=() + local_nonpersistent_flags=() + flags_with_completion=() + flags_completion=() + + flags+=("--allow-missing-template-keys") + local_nonpersistent_flags+=("--allow-missing-template-keys") + flags+=("--filename=") + flags_with_completion+=("--filename") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + two_word_flags+=("-f") + flags_with_completion+=("-f") + flags_completion+=("__handle_filename_extension_flag json|yaml|yml") + local_nonpersistent_flags+=("--filename=") + flags+=("--groups=") + two_word_flags+=("-g") + local_nonpersistent_flags+=("--groups=") + flags+=("--no-headers") + local_nonpersistent_flags+=("--no-headers") + flags+=("--output=") + two_word_flags+=("-o") + local_nonpersistent_flags+=("--output=") + flags+=("--output-version=") + local_nonpersistent_flags+=("--output-version=") + flags+=("--recursive") + flags+=("-R") + local_nonpersistent_flags+=("--recursive") + flags+=("--serviceaccount=") + two_word_flags+=("-z") + local_nonpersistent_flags+=("--serviceaccount=") + flags+=("--show-all") + flags+=("-a") + local_nonpersistent_flags+=("--show-all") + flags+=("--show-labels") + 
local_nonpersistent_flags+=("--show-labels") + flags+=("--sort-by=") + local_nonpersistent_flags+=("--sort-by=") + flags+=("--template=") + flags_with_completion+=("--template") + flags_completion+=("_filedir") + local_nonpersistent_flags+=("--template=") + flags+=("--user=") + two_word_flags+=("-u") + local_nonpersistent_flags+=("--user=") + flags+=("--as=") + flags+=("--azure-container-registry-config=") + flags+=("--certificate-authority=") + flags_with_completion+=("--certificate-authority") + flags_completion+=("_filedir") + flags+=("--client-certificate=") + flags_with_completion+=("--client-certificate") + flags_completion+=("_filedir") + flags+=("--client-key=") + flags_with_completion+=("--client-key") + flags_completion+=("_filedir") + flags+=("--cluster=") + flags+=("--config=") + flags_with_completion+=("--config") + flags_completion+=("_filedir") + flags+=("--context=") + flags+=("--google-json-key=") + flags+=("--insecure-skip-tls-verify") + flags+=("--log-flush-frequency=") + flags+=("--loglevel=") + flags+=("--logspec=") + flags+=("--match-server-version") + flags+=("--namespace=") + flags_with_completion+=("--namespace") + flags_completion+=("__oc_get_namespaces") + two_word_flags+=("-n") + flags_with_completion+=("-n") + flags_completion+=("__oc_get_namespaces") + flags+=("--request-timeout=") + flags+=("--server=") + flags+=("--token=") + + must_have_one_flag=() + must_have_one_noun=() + noun_aliases=() +} + _openshift_cli_policy_who-can() { last_command="openshift_cli_policy_who-can" @@ -17543,6 +18038,8 @@ _openshift_cli_policy() commands+=("remove-role-from-group") commands+=("remove-role-from-user") commands+=("remove-user") + commands+=("scc-review") + commands+=("scc-subject-review") commands+=("who-can") flags=() diff --git a/docs/generated/oadm_by_example_content.adoc b/docs/generated/oadm_by_example_content.adoc index 1d22f404d7dd..c97bb9f0384f 100644 --- a/docs/generated/oadm_by_example_content.adoc 
+++ b/docs/generated/oadm_by_example_content.adoc @@ -579,6 +579,48 @@ Replace cluster SCCs to match the recommended bootstrap policy ==== +== oadm policy scc-review +Checks which ServiceAccount can create a Pod + +==== + +[options="nowrap"] +---- + # Check whether Service Accounts sa1 and sa2 can admit a Pod with TemplatePodSpec specified in my_resource.yaml + # Service Account specified in myresource.yaml file is ignored + $ oadm policy scc-review -z sa1,sa2 -f my_resource.yaml + + # Check whether Service Accounts system:serviceaccount:bob:default can admit a Pod with TemplatePodSpec specified in my_resource.yaml + $ oadm policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml + + # Check whether Service Account specified in my_resource_with_sa.yaml can admit the Pod + $ oadm policy scc-review -f my_resource_with_sa.yaml + + # Check whether default Service Account can admit the Pod, default is taken since no Service Account is defined in myresource_with_no_sa.yaml + $ oadm policy scc-review -f myresource_with_no_sa.yaml +---- +==== + + +== oadm policy scc-subject-review +Check whether a user or a ServiceAccount can create a Pod. + +==== + +[options="nowrap"] +---- + # Check whether user bob can create a pod specified in myresource.yaml + $ oadm policy scc-subject-review -u bob -f myresource.yaml + + # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml + $ oadm policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml + + # Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod + $ oadm policy scc-subject-review -f myresourcewithsa.yaml +---- +==== + + == oadm prune builds Remove old completed and failed builds diff --git a/docs/generated/oc_by_example_content.adoc b/docs/generated/oc_by_example_content.adoc index bf43fa7c5b2c..450b21a045e0 100644 --- a/docs/generated/oc_by_example_content.adoc 
+++ b/docs/generated/oc_by_example_content.adoc @@ -579,6 +579,48 @@ Replace cluster SCCs to match the recommended bootstrap policy ==== +== oc adm policy scc-review +Checks which ServiceAccount can create a Pod + +==== + +[options="nowrap"] +---- + # Check whether Service Accounts sa1 and sa2 can admit a Pod with TemplatePodSpec specified in my_resource.yaml + # Service Account specified in myresource.yaml file is ignored + $ oc adm policy scc-review -z sa1,sa2 -f my_resource.yaml + + # Check whether Service Accounts system:serviceaccount:bob:default can admit a Pod with TemplatePodSpec specified in my_resource.yaml + $ oc adm policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml + + # Check whether Service Account specified in my_resource_with_sa.yaml can admit the Pod + $ oc adm policy scc-review -f my_resource_with_sa.yaml + + # Check whether default Service Account can admit the Pod, default is taken since no Service Account is defined in myresource_with_no_sa.yaml + $ oc adm policy scc-review -f myresource_with_no_sa.yaml +---- +==== + + +== oc adm policy scc-subject-review +Check whether a user or a ServiceAccount can create a Pod. + +==== + +[options="nowrap"] +---- + # Check whether user bob can create a pod specified in myresource.yaml + $ oc adm policy scc-subject-review -u bob -f myresource.yaml + + # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml + $ oc adm policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml + + # Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod + $ oc adm policy scc-subject-review -f myresourcewithsa.yaml +---- +==== + + == oc adm prune builds Remove old completed and failed builds 
@@ -2090,6 +2132,48 @@ Add a role to users or serviceaccounts for the current project ==== +== oc policy scc-review +Checks which ServiceAccount can create a Pod + +==== + +[options="nowrap"] +---- + # Check whether Service Accounts sa1 and sa2 can admit a Pod with TemplatePodSpec specified in my_resource.yaml + # Service Account specified in myresource.yaml file is ignored + $ oc policy scc-review -z sa1,sa2 -f my_resource.yaml + + # Check whether Service Accounts system:serviceaccount:bob:default can admit a Pod with TemplatePodSpec specified in my_resource.yaml + $ oc policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml + + # Check whether Service Account specified in my_resource_with_sa.yaml can admit the Pod + $ oc policy scc-review -f my_resource_with_sa.yaml + + # Check whether default Service Account can admit the Pod, default is taken since no Service Account is defined in myresource_with_no_sa.yaml + $ oc policy scc-review -f myresource_with_no_sa.yaml +---- +==== + + +== oc policy scc-subject-review +Check whether a user or a ServiceAccount can create a Pod. + +==== + +[options="nowrap"] +---- + # Check whether user bob can create a pod specified in myresource.yaml + $ oc policy scc-subject-review -u bob -f myresource.yaml + + # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml + $ oc policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml + + # Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod + $ oc policy scc-subject-review -f myresourcewithsa.yaml +---- +==== + + == oc port-forward Forward one or more local ports to a pod diff --git a/docs/man/man1/.files_generated_oadm b/docs/man/man1/.files_generated_oadm index 3458da37b822..a051de4cc3f9 100644 --- a/docs/man/man1/.files_generated_oadm +++ b/docs/man/man1/.files_generated_oadm 
@@ -73,6 +73,8 @@ oadm-policy-remove-role-from-user.1 oadm-policy-remove-scc-from-group.1 oadm-policy-remove-scc-from-user.1 oadm-policy-remove-user.1 +oadm-policy-scc-review.1 +oadm-policy-scc-subject-review.1 oadm-policy-who-can.1 oadm-policy.1 oadm-prune-builds.1 diff --git a/docs/man/man1/.files_generated_oc b/docs/man/man1/.files_generated_oc index d63dc88d87a5..96abf6e46549 100644 --- a/docs/man/man1/.files_generated_oc +++ b/docs/man/man1/.files_generated_oc @@ -73,6 +73,8 @@ oc-adm-policy-remove-role-from-user.1 oc-adm-policy-remove-scc-from-group.1 oc-adm-policy-remove-scc-from-user.1 oc-adm-policy-remove-user.1 +oc-adm-policy-scc-review.1 +oc-adm-policy-scc-subject-review.1 oc-adm-policy-who-can.1 oc-adm-policy.1 oc-adm-prune-builds.1 @@ -178,6 +180,8 @@ oc-policy-remove-group.1 oc-policy-remove-role-from-group.1 oc-policy-remove-role-from-user.1 oc-policy-remove-user.1 +oc-policy-scc-review.1 +oc-policy-scc-subject-review.1 oc-policy-who-can.1 oc-policy.1 oc-port-forward.1 diff --git a/docs/man/man1/.files_generated_openshift b/docs/man/man1/.files_generated_openshift index 523c3ea58680..0e30e24869a3 100644 --- a/docs/man/man1/.files_generated_openshift +++ b/docs/man/man1/.files_generated_openshift @@ -73,6 +73,8 @@ openshift-admin-policy-remove-role-from-user.1 openshift-admin-policy-remove-scc-from-group.1 openshift-admin-policy-remove-scc-from-user.1 openshift-admin-policy-remove-user.1 +openshift-admin-policy-scc-review.1 +openshift-admin-policy-scc-subject-review.1 openshift-admin-policy-who-can.1 openshift-admin-policy.1 openshift-admin-prune-builds.1 @@ -165,6 +167,8 @@ openshift-cli-adm-policy-remove-role-from-user.1 openshift-cli-adm-policy-remove-scc-from-group.1 openshift-cli-adm-policy-remove-scc-from-user.1 openshift-cli-adm-policy-remove-user.1 +openshift-cli-adm-policy-scc-review.1 +openshift-cli-adm-policy-scc-subject-review.1 openshift-cli-adm-policy-who-can.1 openshift-cli-adm-policy.1 openshift-cli-adm-prune-builds.1 
@@ -270,6 +274,8 @@ openshift-cli-policy-remove-group.1 openshift-cli-policy-remove-role-from-group.1 openshift-cli-policy-remove-role-from-user.1 openshift-cli-policy-remove-user.1 +openshift-cli-policy-scc-review.1 +openshift-cli-policy-scc-subject-review.1 openshift-cli-policy-who-can.1 openshift-cli-policy.1 openshift-cli-port-forward.1 diff --git a/docs/man/man1/oadm-policy-scc-review.1 b/docs/man/man1/oadm-policy-scc-review.1 new file mode 100644 index 000000000000..902184009a64 --- /dev/null +++ b/docs/man/man1/oadm-policy-scc-review.1 
@@ -0,0 +1,172 @@ +.TH "OADM POLICY" "1" " Openshift CLI User Manuals" "Openshift" "June 2016" "" + + +.SH NAME +.PP +oadm policy scc\-review \- Checks which ServiceAccount can create a Pod + + +.SH SYNOPSIS +.PP +\fBoadm policy scc\-review\fP [OPTIONS] + + +.SH DESCRIPTION +.PP +Checks which Service Account can create a Pod. The Pod is inferred from the PodTemplateSpec in the provided resource. If no Service Account is provided the one specified in podTemplateSpec.spec.serviceAccountName is used, unless it is empty, in which case "default" is used. If Service Accounts are provided the podTemplateSpec.spec.serviceAccountName is ignored. + + +.SH OPTIONS +.PP +\fB\-\-allow\-missing\-template\-keys\fP=true + If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. + +.PP +\fB\-f\fP, \fB\-\-filename\fP=[] + Filename, directory, or URL to files Filename, directory, or URL to a file identifying the resource to get from a server. + +.PP +\fB\-\-no\-headers\fP=false + When using the default or custom\-column output format, don't print headers. + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + Output format. One of: json|yaml|wide|name|custom\-columns=...|custom\-columns\-file=...|go\-template=...|go\-template\-file=...|jsonpath=...|jsonpath\-file=... See custom columns [ +\[la]http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns\[ra]], golang template [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]] and jsonpath template [ +\[la]http://kubernetes.io/docs/user-guide/jsonpath\[ra]]. + +.PP +\fB\-\-output\-version\fP="" + Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). + +.PP +\fB\-R\fP, \fB\-\-recursive\fP=false + Process the directory used in \-f, \-\-filename recursively. Useful when you want to manage related manifests organized within the same directory. 
+ +.PP +\fB\-z\fP, \fB\-\-serviceaccount\fP=[] + service account in the current namespace to use as a user + +.PP +\fB\-a\fP, \fB\-\-show\-all\fP=false + When printing, show all resources (default hide terminated pods.) + +.PP +\fB\-\-show\-labels\fP=false + When printing, show all labels as the last column (default hide labels column) + +.PP +\fB\-\-sort\-by\fP="" + If non\-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. + +.PP +\fB\-\-template\fP="" + Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-api\-version\fP="" + DEPRECATED: The API version to use when talking to the server + +.PP +\fB\-\-as\fP="" + Username to impersonate for the operation + +.PP +\fB\-\-azure\-container\-registry\-config\fP="" + Path to the file container Azure container registry configuration information. + +.PP +\fB\-\-certificate\-authority\fP="" + Path to a cert. file for the certificate authority + +.PP +\fB\-\-client\-certificate\fP="" + Path to a client certificate file for TLS + +.PP +\fB\-\-client\-key\fP="" + Path to a client key file for TLS + +.PP +\fB\-\-cluster\fP="" + The name of the kubeconfig cluster to use + +.PP +\fB\-\-config\fP="" + Path to the config file to use for CLI requests. + +.PP +\fB\-\-context\fP="" + The name of the kubeconfig context to use + +.PP +\fB\-\-google\-json\-key\fP="" + The Google Cloud Platform Service Account JSON Key to use for authentication. + +.PP +\fB\-\-insecure\-skip\-tls\-verify\fP=false + If true, the server's certificate will not be checked for validity. 
This will make your HTTPS connections insecure + +.PP +\fB\-\-log\-flush\-frequency\fP=0 + Maximum number of seconds between log flushes + +.PP +\fB\-\-match\-server\-version\fP=false + Require server version to match client version + +.PP +\fB\-n\fP, \fB\-\-namespace\fP="" + If present, the namespace scope for this CLI request + +.PP +\fB\-\-request\-timeout\fP="0" + The length of time to wait before giving up on a single server request. Non\-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. + +.PP +\fB\-\-server\fP="" + The address and port of the Kubernetes API server + +.PP +\fB\-\-token\fP="" + Bearer token for authentication to the API server + +.PP +\fB\-\-user\fP="" + The name of the kubeconfig user to use + + +.SH EXAMPLE +.PP +.RS + +.nf + # Check whether Service Accounts sa1 and sa2 can admit a Pod with TemplatePodSpec specified in my\_resource.yaml + # Service Account specified in myresource.yaml file is ignored + $ oadm policy scc\-review \-z sa1,sa2 \-f my\_resource.yaml + + # Check whether Service Accounts system:serviceaccount:bob:default can admit a Pod with TemplatePodSpec specified in my\_resource.yaml + $ oadm policy scc\-review \-z system:serviceaccount:bob:default \-f my\_resource.yaml + + # Check whether Service Account specified in my\_resource\_with\_sa.yaml can admit the Pod + $ oadm policy scc\-review \-f my\_resource\_with\_sa.yaml + + # Check whether default Service Account can admit the Pod, default is taken since no Service Account is defined in myresource\_with\_no\_sa.yaml + $ oadm policy scc\-review \-f myresource\_with\_no\_sa.yaml + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBoadm\-policy(1)\fP, + + +.SH HISTORY +.PP +June 2016, Ported from the Kubernetes man\-doc generator diff --git a/docs/man/man1/oadm-policy-scc-subject-review.1 b/docs/man/man1/oadm-policy-scc-subject-review.1 new file mode 100644 index 000000000000..499232a46ea8 --- /dev/null 
+++ b/docs/man/man1/oadm-policy-scc-subject-review.1 
@@ -0,0 +1,172 @@ +.TH "OADM POLICY" "1" " Openshift CLI User Manuals" "Openshift" "June 2016" "" + + +.SH NAME +.PP +oadm policy scc\-subject\-review \- Check whether a user or a ServiceAccount can create a Pod. + + +.SH SYNOPSIS +.PP +\fBoadm policy scc\-subject\-review\fP [OPTIONS] + + +.SH DESCRIPTION +.PP +Check whether a User, Service Account or a Group can create a Pod. It returns a list of Security Context Constraints that will admit the resource. If User is specified but not Groups, it is interpreted as "What if User is not a member of any groups". If User and Groups are empty, then the check is performed using the current user + + +.SH OPTIONS +.PP +\fB\-\-allow\-missing\-template\-keys\fP=true + If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. + +.PP +\fB\-f\fP, \fB\-\-filename\fP=[] + Filename, directory, or URL to files Filename, directory, or URL to a file identifying the resource to get from a server. + +.PP +\fB\-g\fP, \fB\-\-groups\fP=[] + Comma separated, list of groups. Review will be performed on behalf of these groups + +.PP +\fB\-\-no\-headers\fP=false + When using the default or custom\-column output format, don't print headers. + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + Output format. One of: json|yaml|wide|name|custom\-columns=...|custom\-columns\-file=...|go\-template=...|go\-template\-file=...|jsonpath=...|jsonpath\-file=... See custom columns [ +\[la]http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns\[ra]], golang template [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]] and jsonpath template [ +\[la]http://kubernetes.io/docs/user-guide/jsonpath\[ra]]. + +.PP +\fB\-\-output\-version\fP="" + Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). + +.PP +\fB\-R\fP, \fB\-\-recursive\fP=false + Process the directory used in \-f, \-\-filename recursively. 
Useful when you want to manage related manifests organized within the same directory. + +.PP +\fB\-z\fP, \fB\-\-serviceaccount\fP="" + service account in the current namespace to use as a user + +.PP +\fB\-a\fP, \fB\-\-show\-all\fP=false + When printing, show all resources (default hide terminated pods.) + +.PP +\fB\-\-show\-labels\fP=false + When printing, show all labels as the last column (default hide labels column) + +.PP +\fB\-\-sort\-by\fP="" + If non\-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. + +.PP +\fB\-\-template\fP="" + Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. + +.PP +\fB\-u\fP, \fB\-\-user\fP="" + Review will be performed on behalf of this user + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-api\-version\fP="" + DEPRECATED: The API version to use when talking to the server + +.PP +\fB\-\-as\fP="" + Username to impersonate for the operation + +.PP +\fB\-\-azure\-container\-registry\-config\fP="" + Path to the file container Azure container registry configuration information. + +.PP +\fB\-\-certificate\-authority\fP="" + Path to a cert. file for the certificate authority + +.PP +\fB\-\-client\-certificate\fP="" + Path to a client certificate file for TLS + +.PP +\fB\-\-client\-key\fP="" + Path to a client key file for TLS + +.PP +\fB\-\-cluster\fP="" + The name of the kubeconfig cluster to use + +.PP +\fB\-\-config\fP="" + Path to the config file to use for CLI requests. + +.PP +\fB\-\-context\fP="" + The name of the kubeconfig context to use + +.PP +\fB\-\-google\-json\-key\fP="" + The Google Cloud Platform Service Account JSON Key to use for authentication. 
+ +.PP +\fB\-\-insecure\-skip\-tls\-verify\fP=false + If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + +.PP +\fB\-\-log\-flush\-frequency\fP=0 + Maximum number of seconds between log flushes + +.PP +\fB\-\-match\-server\-version\fP=false + Require server version to match client version + +.PP +\fB\-n\fP, \fB\-\-namespace\fP="" + If present, the namespace scope for this CLI request + +.PP +\fB\-\-request\-timeout\fP="0" + The length of time to wait before giving up on a single server request. Non\-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. + +.PP +\fB\-\-server\fP="" + The address and port of the Kubernetes API server + +.PP +\fB\-\-token\fP="" + Bearer token for authentication to the API server + + +.SH EXAMPLE +.PP +.RS + +.nf + # Check whether user bob can create a pod specified in myresource.yaml + $ oadm policy scc\-subject\-review \-u bob \-f myresource.yaml + + # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml + $ oadm policy scc\-subject\-review \-u bob \-g projectAdmin \-f myresource.yaml + + # Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod + $ oadm policy scc\-subject\-review \-f myresourcewithsa.yaml + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBoadm\-policy(1)\fP, + + +.SH HISTORY +.PP +June 2016, Ported from the Kubernetes man\-doc generator diff --git a/docs/man/man1/oadm-policy.1 b/docs/man/man1/oadm-policy.1 index 5fbbc229f902..1a9c3a0d2e3b 100644 --- a/docs/man/man1/oadm-policy.1 +++ b/docs/man/man1/oadm-policy.1 
@@ -98,7 +98,7 @@ To see more information on roles and policies, use the 'get' and 'describe' comm .SH SEE ALSO .PP -\fBoadm(1)\fP, \fBoadm\-policy\-add\-cluster\-role\-to\-group(1)\fP, \fBoadm\-policy\-add\-cluster\-role\-to\-user(1)\fP, \fBoadm\-policy\-add\-role\-to\-group(1)\fP, \fBoadm\-policy\-add\-role\-to\-user(1)\fP, \fBoadm\-policy\-add\-scc\-to\-group(1)\fP, \fBoadm\-policy\-add\-scc\-to\-user(1)\fP, \fBoadm\-policy\-reconcile\-cluster\-role\-bindings(1)\fP, \fBoadm\-policy\-reconcile\-cluster\-roles(1)\fP, \fBoadm\-policy\-reconcile\-sccs(1)\fP, \fBoadm\-policy\-remove\-cluster\-role\-from\-group(1)\fP, \fBoadm\-policy\-remove\-cluster\-role\-from\-user(1)\fP, \fBoadm\-policy\-remove\-group(1)\fP, \fBoadm\-policy\-remove\-role\-from\-group(1)\fP, \fBoadm\-policy\-remove\-role\-from\-user(1)\fP, \fBoadm\-policy\-remove\-scc\-from\-group(1)\fP, \fBoadm\-policy\-remove\-scc\-from\-user(1)\fP, \fBoadm\-policy\-remove\-user(1)\fP, \fBoadm\-policy\-who\-can(1)\fP, +\fBoadm(1)\fP, \fBoadm\-policy\-add\-cluster\-role\-to\-group(1)\fP, \fBoadm\-policy\-add\-cluster\-role\-to\-user(1)\fP, \fBoadm\-policy\-add\-role\-to\-group(1)\fP, \fBoadm\-policy\-add\-role\-to\-user(1)\fP, \fBoadm\-policy\-add\-scc\-to\-group(1)\fP, \fBoadm\-policy\-add\-scc\-to\-user(1)\fP, \fBoadm\-policy\-reconcile\-cluster\-role\-bindings(1)\fP, \fBoadm\-policy\-reconcile\-cluster\-roles(1)\fP, \fBoadm\-policy\-reconcile\-sccs(1)\fP, \fBoadm\-policy\-remove\-cluster\-role\-from\-group(1)\fP, \fBoadm\-policy\-remove\-cluster\-role\-from\-user(1)\fP, \fBoadm\-policy\-remove\-group(1)\fP, \fBoadm\-policy\-remove\-role\-from\-group(1)\fP, \fBoadm\-policy\-remove\-role\-from\-user(1)\fP, \fBoadm\-policy\-remove\-scc\-from\-group(1)\fP, \fBoadm\-policy\-remove\-scc\-from\-user(1)\fP, \fBoadm\-policy\-remove\-user(1)\fP, \fBoadm\-policy\-scc\-review(1)\fP, \fBoadm\-policy\-scc\-subject\-review(1)\fP, \fBoadm\-policy\-who\-can(1)\fP, .SH HISTORY 
diff --git a/docs/man/man1/oc-adm-policy-scc-review.1 b/docs/man/man1/oc-adm-policy-scc-review.1 new file mode 100644 index 000000000000..2ece903978a1 --- /dev/null +++ b/docs/man/man1/oc-adm-policy-scc-review.1 
@@ -0,0 +1,172 @@ +.TH "OC ADM POLICY" "1" " Openshift CLI User Manuals" "Openshift" "June 2016" "" + + +.SH NAME +.PP +oc adm policy scc\-review \- Checks which ServiceAccount can create a Pod + + +.SH SYNOPSIS +.PP +\fBoc adm policy scc\-review\fP [OPTIONS] + + +.SH DESCRIPTION +.PP +Checks which Service Account can create a Pod. The Pod is inferred from the PodTemplateSpec in the provided resource. If no Service Account is provided the one specified in podTemplateSpec.spec.serviceAccountName is used, unless it is empty, in which case "default" is used. If Service Accounts are provided the podTemplateSpec.spec.serviceAccountName is ignored. + + +.SH OPTIONS +.PP +\fB\-\-allow\-missing\-template\-keys\fP=true + If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. + +.PP +\fB\-f\fP, \fB\-\-filename\fP=[] + Filename, directory, or URL to files Filename, directory, or URL to a file identifying the resource to get from a server. + +.PP +\fB\-\-no\-headers\fP=false + When using the default or custom\-column output format, don't print headers. + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + Output format. One of: json|yaml|wide|name|custom\-columns=...|custom\-columns\-file=...|go\-template=...|go\-template\-file=...|jsonpath=...|jsonpath\-file=... See custom columns [ +\[la]http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns\[ra]], golang template [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]] and jsonpath template [ +\[la]http://kubernetes.io/docs/user-guide/jsonpath\[ra]]. + +.PP +\fB\-\-output\-version\fP="" + Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). + +.PP +\fB\-R\fP, \fB\-\-recursive\fP=false + Process the directory used in \-f, \-\-filename recursively. Useful when you want to manage related manifests organized within the same directory. 
+ +.PP +\fB\-z\fP, \fB\-\-serviceaccount\fP=[] + service account in the current namespace to use as a user + +.PP +\fB\-a\fP, \fB\-\-show\-all\fP=true + When printing, show all resources (false means hide terminated pods.) + +.PP +\fB\-\-show\-labels\fP=false + When printing, show all labels as the last column (default hide labels column) + +.PP +\fB\-\-sort\-by\fP="" + If non\-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. + +.PP +\fB\-\-template\fP="" + Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-api\-version\fP="" + DEPRECATED: The API version to use when talking to the server + +.PP +\fB\-\-as\fP="" + Username to impersonate for the operation + +.PP +\fB\-\-azure\-container\-registry\-config\fP="" + Path to the file container Azure container registry configuration information. + +.PP +\fB\-\-certificate\-authority\fP="" + Path to a cert. file for the certificate authority + +.PP +\fB\-\-client\-certificate\fP="" + Path to a client certificate file for TLS + +.PP +\fB\-\-client\-key\fP="" + Path to a client key file for TLS + +.PP +\fB\-\-cluster\fP="" + The name of the kubeconfig cluster to use + +.PP +\fB\-\-config\fP="" + Path to the config file to use for CLI requests. + +.PP +\fB\-\-context\fP="" + The name of the kubeconfig context to use + +.PP +\fB\-\-google\-json\-key\fP="" + The Google Cloud Platform Service Account JSON Key to use for authentication. + +.PP +\fB\-\-insecure\-skip\-tls\-verify\fP=false + If true, the server's certificate will not be checked for validity. 
This will make your HTTPS connections insecure + +.PP +\fB\-\-log\-flush\-frequency\fP=0 + Maximum number of seconds between log flushes + +.PP +\fB\-\-match\-server\-version\fP=false + Require server version to match client version + +.PP +\fB\-n\fP, \fB\-\-namespace\fP="" + If present, the namespace scope for this CLI request + +.PP +\fB\-\-request\-timeout\fP="0" + The length of time to wait before giving up on a single server request. Non\-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. + +.PP +\fB\-\-server\fP="" + The address and port of the Kubernetes API server + +.PP +\fB\-\-token\fP="" + Bearer token for authentication to the API server + +.PP +\fB\-\-user\fP="" + The name of the kubeconfig user to use + + +.SH EXAMPLE +.PP +.RS + +.nf + # Check whether Service Accounts sa1 and sa2 can admit a Pod with TemplatePodSpec specified in my\_resource.yaml + # Service Account specified in myresource.yaml file is ignored + $ oc adm policy scc\-review \-z sa1,sa2 \-f my\_resource.yaml + + # Check whether Service Accounts system:serviceaccount:bob:default can admit a Pod with TemplatePodSpec specified in my\_resource.yaml + $ oc adm policy scc\-review \-z system:serviceaccount:bob:default \-f my\_resource.yaml + + # Check whether Service Account specified in my\_resource\_with\_sa.yaml can admit the Pod + $ oc adm policy scc\-review \-f my\_resource\_with\_sa.yaml + + # Check whether default Service Account can admit the Pod, default is taken since no Service Account is defined in myresource\_with\_no\_sa.yaml + $ oc adm policy scc\-review \-f myresource\_with\_no\_sa.yaml + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBoc\-adm\-policy(1)\fP, + + +.SH HISTORY +.PP +June 2016, Ported from the Kubernetes man\-doc generator diff --git a/docs/man/man1/oc-adm-policy-scc-subject-review.1 b/docs/man/man1/oc-adm-policy-scc-subject-review.1 new file mode 100644 index 000000000000..8a7fbfb7e793 --- /dev/null 
+++ b/docs/man/man1/oc-adm-policy-scc-subject-review.1 
@@ -0,0 +1,172 @@ +.TH "OC ADM POLICY" "1" " Openshift CLI User Manuals" "Openshift" "June 2016" "" + + +.SH NAME +.PP +oc adm policy scc\-subject\-review \- Check whether a user or a ServiceAccount can create a Pod. + + +.SH SYNOPSIS +.PP +\fBoc adm policy scc\-subject\-review\fP [OPTIONS] + + +.SH DESCRIPTION +.PP +Check whether a User, Service Account or a Group can create a Pod. It returns a list of Security Context Constraints that will admit the resource. If User is specified but not Groups, it is interpreted as "What if User is not a member of any groups". If User and Groups are empty, then the check is performed using the current user + + +.SH OPTIONS +.PP +\fB\-\-allow\-missing\-template\-keys\fP=true + If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. + +.PP +\fB\-f\fP, \fB\-\-filename\fP=[] + Filename, directory, or URL to files Filename, directory, or URL to a file identifying the resource to get from a server. + +.PP +\fB\-g\fP, \fB\-\-groups\fP=[] + Comma separated, list of groups. Review will be performed on behalf of these groups + +.PP +\fB\-\-no\-headers\fP=false + When using the default or custom\-column output format, don't print headers. + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + Output format. One of: json|yaml|wide|name|custom\-columns=...|custom\-columns\-file=...|go\-template=...|go\-template\-file=...|jsonpath=...|jsonpath\-file=... See custom columns [ +\[la]http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns\[ra]], golang template [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]] and jsonpath template [ +\[la]http://kubernetes.io/docs/user-guide/jsonpath\[ra]]. + +.PP +\fB\-\-output\-version\fP="" + Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). + +.PP +\fB\-R\fP, \fB\-\-recursive\fP=false + Process the directory used in \-f, \-\-filename recursively. 
Useful when you want to manage related manifests organized within the same directory. + +.PP +\fB\-z\fP, \fB\-\-serviceaccount\fP="" + service account in the current namespace to use as a user + +.PP +\fB\-a\fP, \fB\-\-show\-all\fP=true + When printing, show all resources (false means hide terminated pods.) + +.PP +\fB\-\-show\-labels\fP=false + When printing, show all labels as the last column (default hide labels column) + +.PP +\fB\-\-sort\-by\fP="" + If non\-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. + +.PP +\fB\-\-template\fP="" + Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. + +.PP +\fB\-u\fP, \fB\-\-user\fP="" + Review will be performed on behalf of this user + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-api\-version\fP="" + DEPRECATED: The API version to use when talking to the server + +.PP +\fB\-\-as\fP="" + Username to impersonate for the operation + +.PP +\fB\-\-azure\-container\-registry\-config\fP="" + Path to the file container Azure container registry configuration information. + +.PP +\fB\-\-certificate\-authority\fP="" + Path to a cert. file for the certificate authority + +.PP +\fB\-\-client\-certificate\fP="" + Path to a client certificate file for TLS + +.PP +\fB\-\-client\-key\fP="" + Path to a client key file for TLS + +.PP +\fB\-\-cluster\fP="" + The name of the kubeconfig cluster to use + +.PP +\fB\-\-config\fP="" + Path to the config file to use for CLI requests. + +.PP +\fB\-\-context\fP="" + The name of the kubeconfig context to use + +.PP +\fB\-\-google\-json\-key\fP="" + The Google Cloud Platform Service Account JSON Key to use for authentication. 
+ +.PP +\fB\-\-insecure\-skip\-tls\-verify\fP=false + If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + +.PP +\fB\-\-log\-flush\-frequency\fP=0 + Maximum number of seconds between log flushes + +.PP +\fB\-\-match\-server\-version\fP=false + Require server version to match client version + +.PP +\fB\-n\fP, \fB\-\-namespace\fP="" + If present, the namespace scope for this CLI request + +.PP +\fB\-\-request\-timeout\fP="0" + The length of time to wait before giving up on a single server request. Non\-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. + +.PP +\fB\-\-server\fP="" + The address and port of the Kubernetes API server + +.PP +\fB\-\-token\fP="" + Bearer token for authentication to the API server + + +.SH EXAMPLE +.PP +.RS + +.nf + # Check whether user bob can create a pod specified in myresource.yaml + $ oc adm policy scc\-subject\-review \-u bob \-f myresource.yaml + + # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml + $ oc adm policy scc\-subject\-review \-u bob \-g projectAdmin \-f myresource.yaml + + # Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod + $ oc adm policy scc\-subject\-review \-f myresourcewithsa.yaml + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBoc\-adm\-policy(1)\fP, + + +.SH HISTORY +.PP +June 2016, Ported from the Kubernetes man\-doc generator diff --git a/docs/man/man1/oc-adm-policy.1 b/docs/man/man1/oc-adm-policy.1 index a3cff9003686..96ce937a7642 100644 --- a/docs/man/man1/oc-adm-policy.1 +++ b/docs/man/man1/oc-adm-policy.1 
@@ -98,7 +98,7 @@ To see more information on roles and policies, use the 'get' and 'describe' comm .SH SEE ALSO .PP -\fBoc\-adm(1)\fP, \fBoc\-adm\-policy\-add\-cluster\-role\-to\-group(1)\fP, \fBoc\-adm\-policy\-add\-cluster\-role\-to\-user(1)\fP, \fBoc\-adm\-policy\-add\-role\-to\-group(1)\fP, \fBoc\-adm\-policy\-add\-role\-to\-user(1)\fP, \fBoc\-adm\-policy\-add\-scc\-to\-group(1)\fP, \fBoc\-adm\-policy\-add\-scc\-to\-user(1)\fP, \fBoc\-adm\-policy\-reconcile\-cluster\-role\-bindings(1)\fP, \fBoc\-adm\-policy\-reconcile\-cluster\-roles(1)\fP, \fBoc\-adm\-policy\-reconcile\-sccs(1)\fP, \fBoc\-adm\-policy\-remove\-cluster\-role\-from\-group(1)\fP, \fBoc\-adm\-policy\-remove\-cluster\-role\-from\-user(1)\fP, \fBoc\-adm\-policy\-remove\-group(1)\fP, \fBoc\-adm\-policy\-remove\-role\-from\-group(1)\fP, \fBoc\-adm\-policy\-remove\-role\-from\-user(1)\fP, \fBoc\-adm\-policy\-remove\-scc\-from\-group(1)\fP, \fBoc\-adm\-policy\-remove\-scc\-from\-user(1)\fP, \fBoc\-adm\-policy\-remove\-user(1)\fP, \fBoc\-adm\-policy\-who\-can(1)\fP, +\fBoc\-adm(1)\fP, \fBoc\-adm\-policy\-add\-cluster\-role\-to\-group(1)\fP, \fBoc\-adm\-policy\-add\-cluster\-role\-to\-user(1)\fP, \fBoc\-adm\-policy\-add\-role\-to\-group(1)\fP, \fBoc\-adm\-policy\-add\-role\-to\-user(1)\fP, \fBoc\-adm\-policy\-add\-scc\-to\-group(1)\fP, \fBoc\-adm\-policy\-add\-scc\-to\-user(1)\fP, \fBoc\-adm\-policy\-reconcile\-cluster\-role\-bindings(1)\fP, \fBoc\-adm\-policy\-reconcile\-cluster\-roles(1)\fP, \fBoc\-adm\-policy\-reconcile\-sccs(1)\fP, \fBoc\-adm\-policy\-remove\-cluster\-role\-from\-group(1)\fP, \fBoc\-adm\-policy\-remove\-cluster\-role\-from\-user(1)\fP, \fBoc\-adm\-policy\-remove\-group(1)\fP, \fBoc\-adm\-policy\-remove\-role\-from\-group(1)\fP, \fBoc\-adm\-policy\-remove\-role\-from\-user(1)\fP, \fBoc\-adm\-policy\-remove\-scc\-from\-group(1)\fP, \fBoc\-adm\-policy\-remove\-scc\-from\-user(1)\fP, \fBoc\-adm\-policy\-remove\-user(1)\fP, \fBoc\-adm\-policy\-scc\-review(1)\fP, 
\fBoc\-adm\-policy\-scc\-subject\-review(1)\fP, \fBoc\-adm\-policy\-who\-can(1)\fP, .SH HISTORY diff --git a/docs/man/man1/oc-policy-scc-review.1 b/docs/man/man1/oc-policy-scc-review.1 new file mode 100644 index 000000000000..11abc458feb9 --- /dev/null +++ b/docs/man/man1/oc-policy-scc-review.1 
@@ -0,0 +1,172 @@ +.TH "OC POLICY" "1" " Openshift CLI User Manuals" "Openshift" "June 2016" "" + + +.SH NAME +.PP +oc policy scc\-review \- Checks which ServiceAccount can create a Pod + + +.SH SYNOPSIS +.PP +\fBoc policy scc\-review\fP [OPTIONS] + + +.SH DESCRIPTION +.PP +Checks which Service Account can create a Pod. The Pod is inferred from the PodTemplateSpec in the provided resource. If no Service Account is provided the one specified in podTemplateSpec.spec.serviceAccountName is used, unless it is empty, in which case "default" is used. If Service Accounts are provided the podTemplateSpec.spec.serviceAccountName is ignored. + + +.SH OPTIONS +.PP +\fB\-\-allow\-missing\-template\-keys\fP=true + If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. + +.PP +\fB\-f\fP, \fB\-\-filename\fP=[] + Filename, directory, or URL to files Filename, directory, or URL to a file identifying the resource to get from a server. + +.PP +\fB\-\-no\-headers\fP=false + When using the default or custom\-column output format, don't print headers. + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + Output format. One of: json|yaml|wide|name|custom\-columns=...|custom\-columns\-file=...|go\-template=...|go\-template\-file=...|jsonpath=...|jsonpath\-file=... See custom columns [ +\[la]http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns\[ra]], golang template [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]] and jsonpath template [ +\[la]http://kubernetes.io/docs/user-guide/jsonpath\[ra]]. + +.PP +\fB\-\-output\-version\fP="" + Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). + +.PP +\fB\-R\fP, \fB\-\-recursive\fP=false + Process the directory used in \-f, \-\-filename recursively. Useful when you want to manage related manifests organized within the same directory. 
+ +.PP +\fB\-z\fP, \fB\-\-serviceaccount\fP=[] + service account in the current namespace to use as a user + +.PP +\fB\-a\fP, \fB\-\-show\-all\fP=true + When printing, show all resources (false means hide terminated pods.) + +.PP +\fB\-\-show\-labels\fP=false + When printing, show all labels as the last column (default hide labels column) + +.PP +\fB\-\-sort\-by\fP="" + If non\-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. + +.PP +\fB\-\-template\fP="" + Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-api\-version\fP="" + DEPRECATED: The API version to use when talking to the server + +.PP +\fB\-\-as\fP="" + Username to impersonate for the operation + +.PP +\fB\-\-azure\-container\-registry\-config\fP="" + Path to the file container Azure container registry configuration information. + +.PP +\fB\-\-certificate\-authority\fP="" + Path to a cert. file for the certificate authority + +.PP +\fB\-\-client\-certificate\fP="" + Path to a client certificate file for TLS + +.PP +\fB\-\-client\-key\fP="" + Path to a client key file for TLS + +.PP +\fB\-\-cluster\fP="" + The name of the kubeconfig cluster to use + +.PP +\fB\-\-config\fP="" + Path to the config file to use for CLI requests. + +.PP +\fB\-\-context\fP="" + The name of the kubeconfig context to use + +.PP +\fB\-\-google\-json\-key\fP="" + The Google Cloud Platform Service Account JSON Key to use for authentication. + +.PP +\fB\-\-insecure\-skip\-tls\-verify\fP=false + If true, the server's certificate will not be checked for validity. 
This will make your HTTPS connections insecure + +.PP +\fB\-\-log\-flush\-frequency\fP=0 + Maximum number of seconds between log flushes + +.PP +\fB\-\-match\-server\-version\fP=false + Require server version to match client version + +.PP +\fB\-n\fP, \fB\-\-namespace\fP="" + If present, the namespace scope for this CLI request + +.PP +\fB\-\-request\-timeout\fP="0" + The length of time to wait before giving up on a single server request. Non\-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. + +.PP +\fB\-\-server\fP="" + The address and port of the Kubernetes API server + +.PP +\fB\-\-token\fP="" + Bearer token for authentication to the API server + +.PP +\fB\-\-user\fP="" + The name of the kubeconfig user to use + + +.SH EXAMPLE +.PP +.RS + +.nf + # Check whether Service Accounts sa1 and sa2 can admit a Pod with TemplatePodSpec specified in my\_resource.yaml + # Service Account specified in myresource.yaml file is ignored + $ oc policy scc\-review \-z sa1,sa2 \-f my\_resource.yaml + + # Check whether Service Accounts system:serviceaccount:bob:default can admit a Pod with TemplatePodSpec specified in my\_resource.yaml + $ oc policy scc\-review \-z system:serviceaccount:bob:default \-f my\_resource.yaml + + # Check whether Service Account specified in my\_resource\_with\_sa.yaml can admit the Pod + $ oc policy scc\-review \-f my\_resource\_with\_sa.yaml + + # Check whether default Service Account can admit the Pod, default is taken since no Service Account is defined in myresource\_with\_no\_sa.yaml + $ oc policy scc\-review \-f myresource\_with\_no\_sa.yaml + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBoc\-policy(1)\fP, + + +.SH HISTORY +.PP +June 2016, Ported from the Kubernetes man\-doc generator diff --git a/docs/man/man1/oc-policy-scc-subject-review.1 b/docs/man/man1/oc-policy-scc-subject-review.1 new file mode 100644 index 000000000000..91c470eb22a6 --- /dev/null 
+++ b/docs/man/man1/oc-policy-scc-subject-review.1 
@@ -0,0 +1,172 @@ +.TH "OC POLICY" "1" " Openshift CLI User Manuals" "Openshift" "June 2016" "" + + +.SH NAME +.PP +oc policy scc\-subject\-review \- Check whether a user or a ServiceAccount can create a Pod. + + +.SH SYNOPSIS +.PP +\fBoc policy scc\-subject\-review\fP [OPTIONS] + + +.SH DESCRIPTION +.PP +Check whether a User, Service Account or a Group can create a Pod. It returns a list of Security Context Constraints that will admit the resource. If User is specified but not Groups, it is interpreted as "What if User is not a member of any groups". If User and Groups are empty, then the check is performed using the current user + + +.SH OPTIONS +.PP +\fB\-\-allow\-missing\-template\-keys\fP=true + If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. + +.PP +\fB\-f\fP, \fB\-\-filename\fP=[] + Filename, directory, or URL to files Filename, directory, or URL to a file identifying the resource to get from a server. + +.PP +\fB\-g\fP, \fB\-\-groups\fP=[] + Comma separated, list of groups. Review will be performed on behalf of these groups + +.PP +\fB\-\-no\-headers\fP=false + When using the default or custom\-column output format, don't print headers. + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + Output format. One of: json|yaml|wide|name|custom\-columns=...|custom\-columns\-file=...|go\-template=...|go\-template\-file=...|jsonpath=...|jsonpath\-file=... See custom columns [ +\[la]http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns\[ra]], golang template [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]] and jsonpath template [ +\[la]http://kubernetes.io/docs/user-guide/jsonpath\[ra]]. + +.PP +\fB\-\-output\-version\fP="" + Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). + +.PP +\fB\-R\fP, \fB\-\-recursive\fP=false + Process the directory used in \-f, \-\-filename recursively. 
Useful when you want to manage related manifests organized within the same directory. + +.PP +\fB\-z\fP, \fB\-\-serviceaccount\fP="" + service account in the current namespace to use as a user + +.PP +\fB\-a\fP, \fB\-\-show\-all\fP=true + When printing, show all resources (false means hide terminated pods.) + +.PP +\fB\-\-show\-labels\fP=false + When printing, show all labels as the last column (default hide labels column) + +.PP +\fB\-\-sort\-by\fP="" + If non\-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. + +.PP +\fB\-\-template\fP="" + Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. + +.PP +\fB\-u\fP, \fB\-\-user\fP="" + Review will be performed on behalf of this user + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-api\-version\fP="" + DEPRECATED: The API version to use when talking to the server + +.PP +\fB\-\-as\fP="" + Username to impersonate for the operation + +.PP +\fB\-\-azure\-container\-registry\-config\fP="" + Path to the file container Azure container registry configuration information. + +.PP +\fB\-\-certificate\-authority\fP="" + Path to a cert. file for the certificate authority + +.PP +\fB\-\-client\-certificate\fP="" + Path to a client certificate file for TLS + +.PP +\fB\-\-client\-key\fP="" + Path to a client key file for TLS + +.PP +\fB\-\-cluster\fP="" + The name of the kubeconfig cluster to use + +.PP +\fB\-\-config\fP="" + Path to the config file to use for CLI requests. + +.PP +\fB\-\-context\fP="" + The name of the kubeconfig context to use + +.PP +\fB\-\-google\-json\-key\fP="" + The Google Cloud Platform Service Account JSON Key to use for authentication. 
+ +.PP +\fB\-\-insecure\-skip\-tls\-verify\fP=false + If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + +.PP +\fB\-\-log\-flush\-frequency\fP=0 + Maximum number of seconds between log flushes + +.PP +\fB\-\-match\-server\-version\fP=false + Require server version to match client version + +.PP +\fB\-n\fP, \fB\-\-namespace\fP="" + If present, the namespace scope for this CLI request + +.PP +\fB\-\-request\-timeout\fP="0" + The length of time to wait before giving up on a single server request. Non\-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. + +.PP +\fB\-\-server\fP="" + The address and port of the Kubernetes API server + +.PP +\fB\-\-token\fP="" + Bearer token for authentication to the API server + + +.SH EXAMPLE +.PP +.RS + +.nf + # Check whether user bob can create a pod specified in myresource.yaml + $ oc policy scc\-subject\-review \-u bob \-f myresource.yaml + + # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml + $ oc policy scc\-subject\-review \-u bob \-g projectAdmin \-f myresource.yaml + + # Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod + $ oc policy scc\-subject\-review \-f myresourcewithsa.yaml + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBoc\-policy(1)\fP, + + +.SH HISTORY +.PP +June 2016, Ported from the Kubernetes man\-doc generator diff --git a/docs/man/man1/oc-policy.1 b/docs/man/man1/oc-policy.1 index 562e5fbf77e0..c24934990ea2 100644 --- a/docs/man/man1/oc-policy.1 +++ b/docs/man/man1/oc-policy.1 
@@ -92,7 +92,7 @@ Manage authorization policy .SH SEE ALSO .PP -\fBoc(1)\fP, \fBoc\-policy\-add\-role\-to\-group(1)\fP, \fBoc\-policy\-add\-role\-to\-user(1)\fP, \fBoc\-policy\-can\-i(1)\fP, \fBoc\-policy\-remove\-group(1)\fP, \fBoc\-policy\-remove\-role\-from\-group(1)\fP, \fBoc\-policy\-remove\-role\-from\-user(1)\fP, \fBoc\-policy\-remove\-user(1)\fP, \fBoc\-policy\-who\-can(1)\fP, +\fBoc(1)\fP, \fBoc\-policy\-add\-role\-to\-group(1)\fP, \fBoc\-policy\-add\-role\-to\-user(1)\fP, \fBoc\-policy\-can\-i(1)\fP, \fBoc\-policy\-remove\-group(1)\fP, \fBoc\-policy\-remove\-role\-from\-group(1)\fP, \fBoc\-policy\-remove\-role\-from\-user(1)\fP, \fBoc\-policy\-remove\-user(1)\fP, \fBoc\-policy\-scc\-review(1)\fP, \fBoc\-policy\-scc\-subject\-review(1)\fP, \fBoc\-policy\-who\-can(1)\fP, .SH HISTORY diff --git a/docs/man/man1/openshift-admin-policy-scc-review.1 b/docs/man/man1/openshift-admin-policy-scc-review.1 new file mode 100644 index 000000000000..d50ed296bcf4 --- /dev/null +++ b/docs/man/man1/openshift-admin-policy-scc-review.1 
@@ -0,0 +1,172 @@ +.TH "OPENSHIFT ADMIN POLICY" "1" " Openshift CLI User Manuals" "Openshift" "June 2016" "" + + +.SH NAME +.PP +openshift admin policy scc\-review \- Checks which ServiceAccount can create a Pod + + +.SH SYNOPSIS +.PP +\fBopenshift admin policy scc\-review\fP [OPTIONS] + + +.SH DESCRIPTION +.PP +Checks which Service Account can create a Pod. The Pod is inferred from the PodTemplateSpec in the provided resource. If no Service Account is provided the one specified in podTemplateSpec.spec.serviceAccountName is used, unless it is empty, in which case "default" is used. If Service Accounts are provided the podTemplateSpec.spec.serviceAccountName is ignored. + + +.SH OPTIONS +.PP +\fB\-\-allow\-missing\-template\-keys\fP=true + If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. + +.PP +\fB\-f\fP, \fB\-\-filename\fP=[] + Filename, directory, or URL to files Filename, directory, or URL to a file identifying the resource to get from a server. + +.PP +\fB\-\-no\-headers\fP=false + When using the default or custom\-column output format, don't print headers. + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + Output format. One of: json|yaml|wide|name|custom\-columns=...|custom\-columns\-file=...|go\-template=...|go\-template\-file=...|jsonpath=...|jsonpath\-file=... See custom columns [ +\[la]http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns\[ra]], golang template [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]] and jsonpath template [ +\[la]http://kubernetes.io/docs/user-guide/jsonpath\[ra]]. + +.PP +\fB\-\-output\-version\fP="" + Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). + +.PP +\fB\-R\fP, \fB\-\-recursive\fP=false + Process the directory used in \-f, \-\-filename recursively. Useful when you want to manage related manifests organized within the same directory. 
+ +.PP +\fB\-z\fP, \fB\-\-serviceaccount\fP=[] + service account in the current namespace to use as a user + +.PP +\fB\-a\fP, \fB\-\-show\-all\fP=false + When printing, show all resources (default hide terminated pods.) + +.PP +\fB\-\-show\-labels\fP=false + When printing, show all labels as the last column (default hide labels column) + +.PP +\fB\-\-sort\-by\fP="" + If non\-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. + +.PP +\fB\-\-template\fP="" + Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-api\-version\fP="" + DEPRECATED: The API version to use when talking to the server + +.PP +\fB\-\-as\fP="" + Username to impersonate for the operation + +.PP +\fB\-\-azure\-container\-registry\-config\fP="" + Path to the file container Azure container registry configuration information. + +.PP +\fB\-\-certificate\-authority\fP="" + Path to a cert. file for the certificate authority + +.PP +\fB\-\-client\-certificate\fP="" + Path to a client certificate file for TLS + +.PP +\fB\-\-client\-key\fP="" + Path to a client key file for TLS + +.PP +\fB\-\-cluster\fP="" + The name of the kubeconfig cluster to use + +.PP +\fB\-\-config\fP="" + Path to the config file to use for CLI requests. + +.PP +\fB\-\-context\fP="" + The name of the kubeconfig context to use + +.PP +\fB\-\-google\-json\-key\fP="" + The Google Cloud Platform Service Account JSON Key to use for authentication. + +.PP +\fB\-\-insecure\-skip\-tls\-verify\fP=false + If true, the server's certificate will not be checked for validity. 
This will make your HTTPS connections insecure + +.PP +\fB\-\-log\-flush\-frequency\fP=0 + Maximum number of seconds between log flushes + +.PP +\fB\-\-match\-server\-version\fP=false + Require server version to match client version + +.PP +\fB\-n\fP, \fB\-\-namespace\fP="" + If present, the namespace scope for this CLI request + +.PP +\fB\-\-request\-timeout\fP="0" + The length of time to wait before giving up on a single server request. Non\-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. + +.PP +\fB\-\-server\fP="" + The address and port of the Kubernetes API server + +.PP +\fB\-\-token\fP="" + Bearer token for authentication to the API server + +.PP +\fB\-\-user\fP="" + The name of the kubeconfig user to use + + +.SH EXAMPLE +.PP +.RS + +.nf + # Check whether Service Accounts sa1 and sa2 can admit a Pod with TemplatePodSpec specified in my\_resource.yaml + # Service Account specified in myresource.yaml file is ignored + $ openshift admin policy scc\-review \-z sa1,sa2 \-f my\_resource.yaml + + # Check whether Service Accounts system:serviceaccount:bob:default can admit a Pod with TemplatePodSpec specified in my\_resource.yaml + $ openshift admin policy scc\-review \-z system:serviceaccount:bob:default \-f my\_resource.yaml + + # Check whether Service Account specified in my\_resource\_with\_sa.yaml can admit the Pod + $ openshift admin policy scc\-review \-f my\_resource\_with\_sa.yaml + + # Check whether default Service Account can admit the Pod, default is taken since no Service Account is defined in myresource\_with\_no\_sa.yaml + $ openshift admin policy scc\-review \-f myresource\_with\_no\_sa.yaml + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBopenshift\-admin\-policy(1)\fP, + + +.SH HISTORY +.PP +June 2016, Ported from the Kubernetes man\-doc generator 
diff --git a/docs/man/man1/openshift-admin-policy-scc-subject-review.1 b/docs/man/man1/openshift-admin-policy-scc-subject-review.1 new file mode 100644 index 000000000000..6b6fc36cec9e --- /dev/null +++ b/docs/man/man1/openshift-admin-policy-scc-subject-review.1 
@@ -0,0 +1,172 @@ +.TH "OPENSHIFT ADMIN POLICY" "1" " Openshift CLI User Manuals" "Openshift" "June 2016" "" + + +.SH NAME +.PP +openshift admin policy scc\-subject\-review \- Check whether a user or a ServiceAccount can create a Pod. + + +.SH SYNOPSIS +.PP +\fBopenshift admin policy scc\-subject\-review\fP [OPTIONS] + + +.SH DESCRIPTION +.PP +Check whether a User, Service Account or a Group can create a Pod. It returns a list of Security Context Constraints that will admit the resource. If User is specified but not Groups, it is interpreted as "What if User is not a member of any groups". If User and Groups are empty, then the check is performed using the current user + + +.SH OPTIONS +.PP +\fB\-\-allow\-missing\-template\-keys\fP=true + If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. + +.PP +\fB\-f\fP, \fB\-\-filename\fP=[] + Filename, directory, or URL to files Filename, directory, or URL to a file identifying the resource to get from a server. + +.PP +\fB\-g\fP, \fB\-\-groups\fP=[] + Comma separated, list of groups. Review will be performed on behalf of these groups + +.PP +\fB\-\-no\-headers\fP=false + When using the default or custom\-column output format, don't print headers. + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + Output format. One of: json|yaml|wide|name|custom\-columns=...|custom\-columns\-file=...|go\-template=...|go\-template\-file=...|jsonpath=...|jsonpath\-file=... See custom columns [ +\[la]http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns\[ra]], golang template [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]] and jsonpath template [ +\[la]http://kubernetes.io/docs/user-guide/jsonpath\[ra]]. + +.PP +\fB\-\-output\-version\fP="" + Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). 
+ +.PP +\fB\-R\fP, \fB\-\-recursive\fP=false + Process the directory used in \-f, \-\-filename recursively. Useful when you want to manage related manifests organized within the same directory. + +.PP +\fB\-z\fP, \fB\-\-serviceaccount\fP="" + service account in the current namespace to use as a user + +.PP +\fB\-a\fP, \fB\-\-show\-all\fP=false + When printing, show all resources (default hide terminated pods.) + +.PP +\fB\-\-show\-labels\fP=false + When printing, show all labels as the last column (default hide labels column) + +.PP +\fB\-\-sort\-by\fP="" + If non\-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. + +.PP +\fB\-\-template\fP="" + Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. + +.PP +\fB\-u\fP, \fB\-\-user\fP="" + Review will be performed on behalf of this user + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-api\-version\fP="" + DEPRECATED: The API version to use when talking to the server + +.PP +\fB\-\-as\fP="" + Username to impersonate for the operation + +.PP +\fB\-\-azure\-container\-registry\-config\fP="" + Path to the file container Azure container registry configuration information. + +.PP +\fB\-\-certificate\-authority\fP="" + Path to a cert. file for the certificate authority + +.PP +\fB\-\-client\-certificate\fP="" + Path to a client certificate file for TLS + +.PP +\fB\-\-client\-key\fP="" + Path to a client key file for TLS + +.PP +\fB\-\-cluster\fP="" + The name of the kubeconfig cluster to use + +.PP +\fB\-\-config\fP="" + Path to the config file to use for CLI requests. 
+ +.PP +\fB\-\-context\fP="" + The name of the kubeconfig context to use + +.PP +\fB\-\-google\-json\-key\fP="" + The Google Cloud Platform Service Account JSON Key to use for authentication. + +.PP +\fB\-\-insecure\-skip\-tls\-verify\fP=false + If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + +.PP +\fB\-\-log\-flush\-frequency\fP=0 + Maximum number of seconds between log flushes + +.PP +\fB\-\-match\-server\-version\fP=false + Require server version to match client version + +.PP +\fB\-n\fP, \fB\-\-namespace\fP="" + If present, the namespace scope for this CLI request + +.PP +\fB\-\-request\-timeout\fP="0" + The length of time to wait before giving up on a single server request. Non\-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. + +.PP +\fB\-\-server\fP="" + The address and port of the Kubernetes API server + +.PP +\fB\-\-token\fP="" + Bearer token for authentication to the API server + + +.SH EXAMPLE +.PP +.RS + +.nf + # Check whether user bob can create a pod specified in myresource.yaml + $ openshift admin policy scc\-subject\-review \-u bob \-f myresource.yaml + + # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml + $ openshift admin policy scc\-subject\-review \-u bob \-g projectAdmin \-f myresource.yaml + + # Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod + $ openshift admin policy scc\-subject\-review \-f myresourcewithsa.yaml + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBopenshift\-admin\-policy(1)\fP, + + +.SH HISTORY +.PP +June 2016, Ported from the Kubernetes man\-doc generator diff --git a/docs/man/man1/openshift-admin-policy.1 b/docs/man/man1/openshift-admin-policy.1 index 82f45762a9e9..27c79e3815cc 100644 --- a/docs/man/man1/openshift-admin-policy.1 +++ b/docs/man/man1/openshift-admin-policy.1 
@@ -98,7 +98,7 @@ To see more information on roles and policies, use the 'get' and 'describe' comm .SH SEE ALSO .PP -\fBopenshift\-admin(1)\fP, \fBopenshift\-admin\-policy\-add\-cluster\-role\-to\-group(1)\fP, \fBopenshift\-admin\-policy\-add\-cluster\-role\-to\-user(1)\fP, \fBopenshift\-admin\-policy\-add\-role\-to\-group(1)\fP, \fBopenshift\-admin\-policy\-add\-role\-to\-user(1)\fP, \fBopenshift\-admin\-policy\-add\-scc\-to\-group(1)\fP, \fBopenshift\-admin\-policy\-add\-scc\-to\-user(1)\fP, \fBopenshift\-admin\-policy\-reconcile\-cluster\-role\-bindings(1)\fP, \fBopenshift\-admin\-policy\-reconcile\-cluster\-roles(1)\fP, \fBopenshift\-admin\-policy\-reconcile\-sccs(1)\fP, \fBopenshift\-admin\-policy\-remove\-cluster\-role\-from\-group(1)\fP, \fBopenshift\-admin\-policy\-remove\-cluster\-role\-from\-user(1)\fP, \fBopenshift\-admin\-policy\-remove\-group(1)\fP, \fBopenshift\-admin\-policy\-remove\-role\-from\-group(1)\fP, \fBopenshift\-admin\-policy\-remove\-role\-from\-user(1)\fP, \fBopenshift\-admin\-policy\-remove\-scc\-from\-group(1)\fP, \fBopenshift\-admin\-policy\-remove\-scc\-from\-user(1)\fP, \fBopenshift\-admin\-policy\-remove\-user(1)\fP, \fBopenshift\-admin\-policy\-who\-can(1)\fP, +\fBopenshift\-admin(1)\fP, \fBopenshift\-admin\-policy\-add\-cluster\-role\-to\-group(1)\fP, \fBopenshift\-admin\-policy\-add\-cluster\-role\-to\-user(1)\fP, \fBopenshift\-admin\-policy\-add\-role\-to\-group(1)\fP, \fBopenshift\-admin\-policy\-add\-role\-to\-user(1)\fP, \fBopenshift\-admin\-policy\-add\-scc\-to\-group(1)\fP, \fBopenshift\-admin\-policy\-add\-scc\-to\-user(1)\fP, \fBopenshift\-admin\-policy\-reconcile\-cluster\-role\-bindings(1)\fP, \fBopenshift\-admin\-policy\-reconcile\-cluster\-roles(1)\fP, \fBopenshift\-admin\-policy\-reconcile\-sccs(1)\fP, \fBopenshift\-admin\-policy\-remove\-cluster\-role\-from\-group(1)\fP, \fBopenshift\-admin\-policy\-remove\-cluster\-role\-from\-user(1)\fP, \fBopenshift\-admin\-policy\-remove\-group(1)\fP, 
\fBopenshift\-admin\-policy\-remove\-role\-from\-group(1)\fP, \fBopenshift\-admin\-policy\-remove\-role\-from\-user(1)\fP, \fBopenshift\-admin\-policy\-remove\-scc\-from\-group(1)\fP, \fBopenshift\-admin\-policy\-remove\-scc\-from\-user(1)\fP, \fBopenshift\-admin\-policy\-remove\-user(1)\fP, \fBopenshift\-admin\-policy\-scc\-review(1)\fP, \fBopenshift\-admin\-policy\-scc\-subject\-review(1)\fP, \fBopenshift\-admin\-policy\-who\-can(1)\fP, .SH HISTORY diff --git a/docs/man/man1/openshift-cli-adm-policy-scc-review.1 b/docs/man/man1/openshift-cli-adm-policy-scc-review.1 new file mode 100644 index 000000000000..2db6d69aa1bd --- /dev/null +++ b/docs/man/man1/openshift-cli-adm-policy-scc-review.1 
@@ -0,0 +1,172 @@ +.TH "OPENSHIFT CLI ADM POLICY" "1" " Openshift CLI User Manuals" "Openshift" "June 2016" "" + + +.SH NAME +.PP +openshift cli adm policy scc\-review \- Checks which ServiceAccount can create a Pod + + +.SH SYNOPSIS +.PP +\fBopenshift cli adm policy scc\-review\fP [OPTIONS] + + +.SH DESCRIPTION +.PP +Checks which Service Account can create a Pod. The Pod is inferred from the PodTemplateSpec in the provided resource. If no Service Account is provided the one specified in podTemplateSpec.spec.serviceAccountName is used, unless it is empty, in which case "default" is used. If Service Accounts are provided the podTemplateSpec.spec.serviceAccountName is ignored. + + +.SH OPTIONS +.PP +\fB\-\-allow\-missing\-template\-keys\fP=true + If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. + +.PP +\fB\-f\fP, \fB\-\-filename\fP=[] + Filename, directory, or URL to files Filename, directory, or URL to a file identifying the resource to get from a server. + +.PP +\fB\-\-no\-headers\fP=false + When using the default or custom\-column output format, don't print headers. + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + Output format. One of: json|yaml|wide|name|custom\-columns=...|custom\-columns\-file=...|go\-template=...|go\-template\-file=...|jsonpath=...|jsonpath\-file=... See custom columns [ +\[la]http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns\[ra]], golang template [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]] and jsonpath template [ +\[la]http://kubernetes.io/docs/user-guide/jsonpath\[ra]]. + +.PP +\fB\-\-output\-version\fP="" + Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). + +.PP +\fB\-R\fP, \fB\-\-recursive\fP=false + Process the directory used in \-f, \-\-filename recursively. Useful when you want to manage related manifests organized within the same directory. 
+ +.PP +\fB\-z\fP, \fB\-\-serviceaccount\fP=[] + service account in the current namespace to use as a user + +.PP +\fB\-a\fP, \fB\-\-show\-all\fP=true + When printing, show all resources (false means hide terminated pods.) + +.PP +\fB\-\-show\-labels\fP=false + When printing, show all labels as the last column (default hide labels column) + +.PP +\fB\-\-sort\-by\fP="" + If non\-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. + +.PP +\fB\-\-template\fP="" + Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-api\-version\fP="" + DEPRECATED: The API version to use when talking to the server + +.PP +\fB\-\-as\fP="" + Username to impersonate for the operation + +.PP +\fB\-\-azure\-container\-registry\-config\fP="" + Path to the file container Azure container registry configuration information. + +.PP +\fB\-\-certificate\-authority\fP="" + Path to a cert. file for the certificate authority + +.PP +\fB\-\-client\-certificate\fP="" + Path to a client certificate file for TLS + +.PP +\fB\-\-client\-key\fP="" + Path to a client key file for TLS + +.PP +\fB\-\-cluster\fP="" + The name of the kubeconfig cluster to use + +.PP +\fB\-\-config\fP="" + Path to the config file to use for CLI requests. + +.PP +\fB\-\-context\fP="" + The name of the kubeconfig context to use + +.PP +\fB\-\-google\-json\-key\fP="" + The Google Cloud Platform Service Account JSON Key to use for authentication. + +.PP +\fB\-\-insecure\-skip\-tls\-verify\fP=false + If true, the server's certificate will not be checked for validity. 
This will make your HTTPS connections insecure + +.PP +\fB\-\-log\-flush\-frequency\fP=0 + Maximum number of seconds between log flushes + +.PP +\fB\-\-match\-server\-version\fP=false + Require server version to match client version + +.PP +\fB\-n\fP, \fB\-\-namespace\fP="" + If present, the namespace scope for this CLI request + +.PP +\fB\-\-request\-timeout\fP="0" + The length of time to wait before giving up on a single server request. Non\-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. + +.PP +\fB\-\-server\fP="" + The address and port of the Kubernetes API server + +.PP +\fB\-\-token\fP="" + Bearer token for authentication to the API server + +.PP +\fB\-\-user\fP="" + The name of the kubeconfig user to use + + +.SH EXAMPLE +.PP +.RS + +.nf + # Check whether Service Accounts sa1 and sa2 can admit a Pod with TemplatePodSpec specified in my\_resource.yaml + # Service Account specified in myresource.yaml file is ignored + $ openshift cli adm policy scc\-review \-z sa1,sa2 \-f my\_resource.yaml + + # Check whether Service Accounts system:serviceaccount:bob:default can admit a Pod with TemplatePodSpec specified in my\_resource.yaml + $ openshift cli adm policy scc\-review \-z system:serviceaccount:bob:default \-f my\_resource.yaml + + # Check whether Service Account specified in my\_resource\_with\_sa.yaml can admit the Pod + $ openshift cli adm policy scc\-review \-f my\_resource\_with\_sa.yaml + + # Check whether default Service Account can admit the Pod, default is taken since no Service Account is defined in myresource\_with\_no\_sa.yaml + $ openshift cli adm policy scc\-review \-f myresource\_with\_no\_sa.yaml + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBopenshift\-cli\-adm\-policy(1)\fP, + + +.SH HISTORY +.PP +June 2016, Ported from the Kubernetes man\-doc generator 
diff --git a/docs/man/man1/openshift-cli-adm-policy-scc-subject-review.1 b/docs/man/man1/openshift-cli-adm-policy-scc-subject-review.1
new file mode 100644
index 000000000000..37e60cb418a8
--- /dev/null
+++ b/docs/man/man1/openshift-cli-adm-policy-scc-subject-review.1
@@ -0,0 +1,172 @@ +.TH "OPENSHIFT CLI ADM POLICY" "1" " Openshift CLI User Manuals" "Openshift" "June 2016" "" + + +.SH NAME +.PP +openshift cli adm policy scc\-subject\-review \- Check whether a user or a ServiceAccount can create a Pod. + + +.SH SYNOPSIS +.PP +\fBopenshift cli adm policy scc\-subject\-review\fP [OPTIONS] + + +.SH DESCRIPTION +.PP +Check whether a User, Service Account or a Group can create a Pod. It returns a list of Security Context Constraints that will admit the resource. If User is specified but not Groups, it is interpreted as "What if User is not a member of any groups". If User and Groups are empty, then the check is performed using the current user + + +.SH OPTIONS +.PP +\fB\-\-allow\-missing\-template\-keys\fP=true + If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. + +.PP +\fB\-f\fP, \fB\-\-filename\fP=[] + Filename, directory, or URL to files Filename, directory, or URL to a file identifying the resource to get from a server. + +.PP +\fB\-g\fP, \fB\-\-groups\fP=[] + Comma separated, list of groups. Review will be performed on behalf of these groups + +.PP +\fB\-\-no\-headers\fP=false + When using the default or custom\-column output format, don't print headers. + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + Output format. One of: json|yaml|wide|name|custom\-columns=...|custom\-columns\-file=...|go\-template=...|go\-template\-file=...|jsonpath=...|jsonpath\-file=... See custom columns [ +\[la]http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns\[ra]], golang template [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]] and jsonpath template [ +\[la]http://kubernetes.io/docs/user-guide/jsonpath\[ra]]. + +.PP +\fB\-\-output\-version\fP="" + Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). 
+ +.PP +\fB\-R\fP, \fB\-\-recursive\fP=false + Process the directory used in \-f, \-\-filename recursively. Useful when you want to manage related manifests organized within the same directory. + +.PP +\fB\-z\fP, \fB\-\-serviceaccount\fP="" + service account in the current namespace to use as a user + +.PP +\fB\-a\fP, \fB\-\-show\-all\fP=true + When printing, show all resources (false means hide terminated pods.) + +.PP +\fB\-\-show\-labels\fP=false + When printing, show all labels as the last column (default hide labels column) + +.PP +\fB\-\-sort\-by\fP="" + If non\-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. + +.PP +\fB\-\-template\fP="" + Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. + +.PP +\fB\-u\fP, \fB\-\-user\fP="" + Review will be performed on behalf of this user + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-api\-version\fP="" + DEPRECATED: The API version to use when talking to the server + +.PP +\fB\-\-as\fP="" + Username to impersonate for the operation + +.PP +\fB\-\-azure\-container\-registry\-config\fP="" + Path to the file container Azure container registry configuration information. + +.PP +\fB\-\-certificate\-authority\fP="" + Path to a cert. file for the certificate authority + +.PP +\fB\-\-client\-certificate\fP="" + Path to a client certificate file for TLS + +.PP +\fB\-\-client\-key\fP="" + Path to a client key file for TLS + +.PP +\fB\-\-cluster\fP="" + The name of the kubeconfig cluster to use + +.PP +\fB\-\-config\fP="" + Path to the config file to use for CLI requests. 
+ +.PP +\fB\-\-context\fP="" + The name of the kubeconfig context to use + +.PP +\fB\-\-google\-json\-key\fP="" + The Google Cloud Platform Service Account JSON Key to use for authentication. + +.PP +\fB\-\-insecure\-skip\-tls\-verify\fP=false + If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + +.PP +\fB\-\-log\-flush\-frequency\fP=0 + Maximum number of seconds between log flushes + +.PP +\fB\-\-match\-server\-version\fP=false + Require server version to match client version + +.PP +\fB\-n\fP, \fB\-\-namespace\fP="" + If present, the namespace scope for this CLI request + +.PP +\fB\-\-request\-timeout\fP="0" + The length of time to wait before giving up on a single server request. Non\-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. + +.PP +\fB\-\-server\fP="" + The address and port of the Kubernetes API server + +.PP +\fB\-\-token\fP="" + Bearer token for authentication to the API server + + +.SH EXAMPLE +.PP +.RS + +.nf + # Check whether user bob can create a pod specified in myresource.yaml + $ openshift cli adm policy scc\-subject\-review \-u bob \-f myresource.yaml + + # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml + $ openshift cli adm policy scc\-subject\-review \-u bob \-g projectAdmin \-f myresource.yaml + + # Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod + $ openshift cli adm policy scc\-subject\-review \-f myresourcewithsa.yaml + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBopenshift\-cli\-adm\-policy(1)\fP, + + +.SH HISTORY +.PP +June 2016, Ported from the Kubernetes man\-doc generator diff --git a/docs/man/man1/openshift-cli-adm-policy.1 b/docs/man/man1/openshift-cli-adm-policy.1 index c6375f62fd87..3406b15543fd 100644 --- a/docs/man/man1/openshift-cli-adm-policy.1 +++ b/docs/man/man1/openshift-cli-adm-policy.1 
@@ -98,7 +98,7 @@ To see more information on roles and policies, use the 'get' and 'describe' comm .SH SEE ALSO .PP -\fBopenshift\-cli\-adm(1)\fP, \fBopenshift\-cli\-adm\-policy\-add\-cluster\-role\-to\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-add\-cluster\-role\-to\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-add\-role\-to\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-add\-role\-to\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-add\-scc\-to\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-add\-scc\-to\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-reconcile\-cluster\-role\-bindings(1)\fP, \fBopenshift\-cli\-adm\-policy\-reconcile\-cluster\-roles(1)\fP, \fBopenshift\-cli\-adm\-policy\-reconcile\-sccs(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-cluster\-role\-from\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-cluster\-role\-from\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-role\-from\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-role\-from\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-scc\-from\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-scc\-from\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-who\-can(1)\fP, +\fBopenshift\-cli\-adm(1)\fP, \fBopenshift\-cli\-adm\-policy\-add\-cluster\-role\-to\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-add\-cluster\-role\-to\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-add\-role\-to\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-add\-role\-to\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-add\-scc\-to\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-add\-scc\-to\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-reconcile\-cluster\-role\-bindings(1)\fP, \fBopenshift\-cli\-adm\-policy\-reconcile\-cluster\-roles(1)\fP, \fBopenshift\-cli\-adm\-policy\-reconcile\-sccs(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-cluster\-role\-from\-group(1)\fP, 
\fBopenshift\-cli\-adm\-policy\-remove\-cluster\-role\-from\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-role\-from\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-role\-from\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-scc\-from\-group(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-scc\-from\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-remove\-user(1)\fP, \fBopenshift\-cli\-adm\-policy\-scc\-review(1)\fP, \fBopenshift\-cli\-adm\-policy\-scc\-subject\-review(1)\fP, \fBopenshift\-cli\-adm\-policy\-who\-can(1)\fP, .SH HISTORY diff --git a/docs/man/man1/openshift-cli-policy-scc-review.1 b/docs/man/man1/openshift-cli-policy-scc-review.1 new file mode 100644 index 000000000000..314a33d3a12a --- /dev/null +++ b/docs/man/man1/openshift-cli-policy-scc-review.1 
@@ -0,0 +1,172 @@ +.TH "OPENSHIFT CLI POLICY" "1" " Openshift CLI User Manuals" "Openshift" "June 2016" "" + + +.SH NAME +.PP +openshift cli policy scc\-review \- Checks which ServiceAccount can create a Pod + + +.SH SYNOPSIS +.PP +\fBopenshift cli policy scc\-review\fP [OPTIONS] + + +.SH DESCRIPTION +.PP +Checks which Service Account can create a Pod. The Pod is inferred from the PodTemplateSpec in the provided resource. If no Service Account is provided the one specified in podTemplateSpec.spec.serviceAccountName is used, unless it is empty, in which case "default" is used. If Service Accounts are provided the podTemplateSpec.spec.serviceAccountName is ignored. + + +.SH OPTIONS +.PP +\fB\-\-allow\-missing\-template\-keys\fP=true + If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. + +.PP +\fB\-f\fP, \fB\-\-filename\fP=[] + Filename, directory, or URL to files Filename, directory, or URL to a file identifying the resource to get from a server. + +.PP +\fB\-\-no\-headers\fP=false + When using the default or custom\-column output format, don't print headers. + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + Output format. One of: json|yaml|wide|name|custom\-columns=...|custom\-columns\-file=...|go\-template=...|go\-template\-file=...|jsonpath=...|jsonpath\-file=... See custom columns [ +\[la]http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns\[ra]], golang template [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]] and jsonpath template [ +\[la]http://kubernetes.io/docs/user-guide/jsonpath\[ra]]. + +.PP +\fB\-\-output\-version\fP="" + Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). + +.PP +\fB\-R\fP, \fB\-\-recursive\fP=false + Process the directory used in \-f, \-\-filename recursively. Useful when you want to manage related manifests organized within the same directory. 
+ +.PP +\fB\-z\fP, \fB\-\-serviceaccount\fP=[] + service account in the current namespace to use as a user + +.PP +\fB\-a\fP, \fB\-\-show\-all\fP=true + When printing, show all resources (false means hide terminated pods.) + +.PP +\fB\-\-show\-labels\fP=false + When printing, show all labels as the last column (default hide labels column) + +.PP +\fB\-\-sort\-by\fP="" + If non\-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. + +.PP +\fB\-\-template\fP="" + Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-api\-version\fP="" + DEPRECATED: The API version to use when talking to the server + +.PP +\fB\-\-as\fP="" + Username to impersonate for the operation + +.PP +\fB\-\-azure\-container\-registry\-config\fP="" + Path to the file container Azure container registry configuration information. + +.PP +\fB\-\-certificate\-authority\fP="" + Path to a cert. file for the certificate authority + +.PP +\fB\-\-client\-certificate\fP="" + Path to a client certificate file for TLS + +.PP +\fB\-\-client\-key\fP="" + Path to a client key file for TLS + +.PP +\fB\-\-cluster\fP="" + The name of the kubeconfig cluster to use + +.PP +\fB\-\-config\fP="" + Path to the config file to use for CLI requests. + +.PP +\fB\-\-context\fP="" + The name of the kubeconfig context to use + +.PP +\fB\-\-google\-json\-key\fP="" + The Google Cloud Platform Service Account JSON Key to use for authentication. + +.PP +\fB\-\-insecure\-skip\-tls\-verify\fP=false + If true, the server's certificate will not be checked for validity. 
This will make your HTTPS connections insecure + +.PP +\fB\-\-log\-flush\-frequency\fP=0 + Maximum number of seconds between log flushes + +.PP +\fB\-\-match\-server\-version\fP=false + Require server version to match client version + +.PP +\fB\-n\fP, \fB\-\-namespace\fP="" + If present, the namespace scope for this CLI request + +.PP +\fB\-\-request\-timeout\fP="0" + The length of time to wait before giving up on a single server request. Non\-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. + +.PP +\fB\-\-server\fP="" + The address and port of the Kubernetes API server + +.PP +\fB\-\-token\fP="" + Bearer token for authentication to the API server + +.PP +\fB\-\-user\fP="" + The name of the kubeconfig user to use + + +.SH EXAMPLE +.PP +.RS + +.nf + # Check whether Service Accounts sa1 and sa2 can admit a Pod with TemplatePodSpec specified in my\_resource.yaml + # Service Account specified in myresource.yaml file is ignored + $ openshift cli policy scc\-review \-z sa1,sa2 \-f my\_resource.yaml + + # Check whether Service Accounts system:serviceaccount:bob:default can admit a Pod with TemplatePodSpec specified in my\_resource.yaml + $ openshift cli policy scc\-review \-z system:serviceaccount:bob:default \-f my\_resource.yaml + + # Check whether Service Account specified in my\_resource\_with\_sa.yaml can admit the Pod + $ openshift cli policy scc\-review \-f my\_resource\_with\_sa.yaml + + # Check whether default Service Account can admit the Pod, default is taken since no Service Account is defined in myresource\_with\_no\_sa.yaml + $ openshift cli policy scc\-review \-f myresource\_with\_no\_sa.yaml + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBopenshift\-cli\-policy(1)\fP, + + +.SH HISTORY +.PP +June 2016, Ported from the Kubernetes man\-doc generator 
diff --git a/docs/man/man1/openshift-cli-policy-scc-subject-review.1 b/docs/man/man1/openshift-cli-policy-scc-subject-review.1
new file mode 100644
index 000000000000..87c8ccc8543c
--- /dev/null
+++ b/docs/man/man1/openshift-cli-policy-scc-subject-review.1
@@ -0,0 +1,172 @@ +.TH "OPENSHIFT CLI POLICY" "1" " Openshift CLI User Manuals" "Openshift" "June 2016" "" + + +.SH NAME +.PP +openshift cli policy scc\-subject\-review \- Check whether a user or a ServiceAccount can create a Pod. + + +.SH SYNOPSIS +.PP +\fBopenshift cli policy scc\-subject\-review\fP [OPTIONS] + + +.SH DESCRIPTION +.PP +Check whether a User, Service Account or a Group can create a Pod. It returns a list of Security Context Constraints that will admit the resource. If User is specified but not Groups, it is interpreted as "What if User is not a member of any groups". If User and Groups are empty, then the check is performed using the current user + + +.SH OPTIONS +.PP +\fB\-\-allow\-missing\-template\-keys\fP=true + If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. + +.PP +\fB\-f\fP, \fB\-\-filename\fP=[] + Filename, directory, or URL to files Filename, directory, or URL to a file identifying the resource to get from a server. + +.PP +\fB\-g\fP, \fB\-\-groups\fP=[] + Comma separated, list of groups. Review will be performed on behalf of these groups + +.PP +\fB\-\-no\-headers\fP=false + When using the default or custom\-column output format, don't print headers. + +.PP +\fB\-o\fP, \fB\-\-output\fP="" + Output format. One of: json|yaml|wide|name|custom\-columns=...|custom\-columns\-file=...|go\-template=...|go\-template\-file=...|jsonpath=...|jsonpath\-file=... See custom columns [ +\[la]http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns\[ra]], golang template [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]] and jsonpath template [ +\[la]http://kubernetes.io/docs/user-guide/jsonpath\[ra]]. + +.PP +\fB\-\-output\-version\fP="" + Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). + +.PP +\fB\-R\fP, \fB\-\-recursive\fP=false + Process the directory used in \-f, \-\-filename recursively. 
Useful when you want to manage related manifests organized within the same directory. + +.PP +\fB\-z\fP, \fB\-\-serviceaccount\fP="" + service account in the current namespace to use as a user + +.PP +\fB\-a\fP, \fB\-\-show\-all\fP=true + When printing, show all resources (false means hide terminated pods.) + +.PP +\fB\-\-show\-labels\fP=false + When printing, show all labels as the last column (default hide labels column) + +.PP +\fB\-\-sort\-by\fP="" + If non\-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. + +.PP +\fB\-\-template\fP="" + Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ +\[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. + +.PP +\fB\-u\fP, \fB\-\-user\fP="" + Review will be performed on behalf of this user + + +.SH OPTIONS INHERITED FROM PARENT COMMANDS +.PP +\fB\-\-api\-version\fP="" + DEPRECATED: The API version to use when talking to the server + +.PP +\fB\-\-as\fP="" + Username to impersonate for the operation + +.PP +\fB\-\-azure\-container\-registry\-config\fP="" + Path to the file container Azure container registry configuration information. + +.PP +\fB\-\-certificate\-authority\fP="" + Path to a cert. file for the certificate authority + +.PP +\fB\-\-client\-certificate\fP="" + Path to a client certificate file for TLS + +.PP +\fB\-\-client\-key\fP="" + Path to a client key file for TLS + +.PP +\fB\-\-cluster\fP="" + The name of the kubeconfig cluster to use + +.PP +\fB\-\-config\fP="" + Path to the config file to use for CLI requests. + +.PP +\fB\-\-context\fP="" + The name of the kubeconfig context to use + +.PP +\fB\-\-google\-json\-key\fP="" + The Google Cloud Platform Service Account JSON Key to use for authentication. 
+ +.PP +\fB\-\-insecure\-skip\-tls\-verify\fP=false + If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + +.PP +\fB\-\-log\-flush\-frequency\fP=0 + Maximum number of seconds between log flushes + +.PP +\fB\-\-match\-server\-version\fP=false + Require server version to match client version + +.PP +\fB\-n\fP, \fB\-\-namespace\fP="" + If present, the namespace scope for this CLI request + +.PP +\fB\-\-request\-timeout\fP="0" + The length of time to wait before giving up on a single server request. Non\-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. + +.PP +\fB\-\-server\fP="" + The address and port of the Kubernetes API server + +.PP +\fB\-\-token\fP="" + Bearer token for authentication to the API server + + +.SH EXAMPLE +.PP +.RS + +.nf + # Check whether user bob can create a pod specified in myresource.yaml + $ openshift cli policy scc\-subject\-review \-u bob \-f myresource.yaml + + # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml + $ openshift cli policy scc\-subject\-review \-u bob \-g projectAdmin \-f myresource.yaml + + # Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod + $ openshift cli policy scc\-subject\-review \-f myresourcewithsa.yaml + +.fi +.RE + + +.SH SEE ALSO +.PP +\fBopenshift\-cli\-policy(1)\fP, + + +.SH HISTORY +.PP +June 2016, Ported from the Kubernetes man\-doc generator diff --git a/docs/man/man1/openshift-cli-policy.1 b/docs/man/man1/openshift-cli-policy.1 index 5d67807dad95..d2991eb8c5ef 100644 --- a/docs/man/man1/openshift-cli-policy.1 +++ b/docs/man/man1/openshift-cli-policy.1 
@@ -92,7 +92,7 @@ Manage authorization policy
 .SH SEE ALSO
 .PP
-\fBopenshift\-cli(1)\fP, \fBopenshift\-cli\-policy\-add\-role\-to\-group(1)\fP, \fBopenshift\-cli\-policy\-add\-role\-to\-user(1)\fP, \fBopenshift\-cli\-policy\-can\-i(1)\fP, \fBopenshift\-cli\-policy\-remove\-group(1)\fP, \fBopenshift\-cli\-policy\-remove\-role\-from\-group(1)\fP, \fBopenshift\-cli\-policy\-remove\-role\-from\-user(1)\fP, \fBopenshift\-cli\-policy\-remove\-user(1)\fP, \fBopenshift\-cli\-policy\-who\-can(1)\fP,
+\fBopenshift\-cli(1)\fP, \fBopenshift\-cli\-policy\-add\-role\-to\-group(1)\fP, \fBopenshift\-cli\-policy\-add\-role\-to\-user(1)\fP, \fBopenshift\-cli\-policy\-can\-i(1)\fP, \fBopenshift\-cli\-policy\-remove\-group(1)\fP, \fBopenshift\-cli\-policy\-remove\-role\-from\-group(1)\fP, \fBopenshift\-cli\-policy\-remove\-role\-from\-user(1)\fP, \fBopenshift\-cli\-policy\-remove\-user(1)\fP, \fBopenshift\-cli\-policy\-scc\-review(1)\fP, \fBopenshift\-cli\-policy\-scc\-subject\-review(1)\fP, \fBopenshift\-cli\-policy\-who\-can(1)\fP,
 .SH HISTORY
diff --git a/pkg/client/client.go b/pkg/client/client.go
index 9c10f174245d..8a699a896ac7 100644
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@@ -295,6 +295,18 @@ func (c *Client) RoleBindingRestrictions(namespace string) RoleBindingRestrictio
 return newRoleBindingRestrictions(c, namespace)
 }
+func (c *Client) PodSecurityPolicyReviews(namespace string) PodSecurityPolicyReviewInterface {
+ return newPodSecurityPolicyReviews(c, namespace)
+}
+
+func (c *Client) PodSecurityPolicySelfSubjectReviews(namespace string) PodSecurityPolicySelfSubjectReviewInterface {
+ return newPodSecurityPolicySelfSubjectReviews(c, namespace)
+}
+
+func (c *Client) PodSecurityPolicySubjectReviews(namespace string) PodSecurityPolicySubjectReviewInterface {
+ return newPodSecurityPolicySubjectReviews(c, namespace)
+}
+
 // Client is an OpenShift client object
 type Client struct {
 *restclient.RESTClient
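Review bot: The three exported methods added to *Client (`PodSecurityPolicyReviews`, `PodSecurityPolicySelfSubjectReviews`, `PodSecurityPolicySubjectReviews`) carry no doc comment, so godoc shows them bare and golint will flag each one. A one-liner in the style of the interfaces they return would do, e.g. `// PodSecurityPolicyReviews returns a client for PodSecurityPolicyReview resources in the given namespace` above the first, with the same shape for the other two. Naming the namespace in the comment is useful here because the underlying `Create` calls post to `.Namespace(p.ns)`, so a caller passing an empty string gets a different request than they may expect.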
diff --git a/pkg/client/podsecuritypolicyreview.go b/pkg/client/podsecuritypolicyreview.go
new file mode 100644
index 000000000000..db77cabbc91b
--- /dev/null
+++ b/pkg/client/podsecuritypolicyreview.go
@@ -0,0 +1,34 @@
+package client
+
+import securityapi "github.com/openshift/origin/pkg/security/api"
+
+// PodSecurityPolicyReviewsNamespacer has methods to work with PodSecurityPolicyReview resources in the cluster scope
+type PodSecurityPolicyReviewsNamespacer interface {
+ PodSecurityPolicyReviews(namespace string) PodSecurityPolicyReviewInterface
+}
+
+// PodSecurityPolicyReviewInterface exposes methods on PodSecurityPolicyReview resources.
+type PodSecurityPolicyReviewInterface interface {
+ Create(policy *securityapi.PodSecurityPolicyReview) (*securityapi.PodSecurityPolicyReview, error)
+}
+
+// podSecurityPolicyReviews implements PodSecurityPolicyReviewsNamespacer interface
+type podSecurityPolicyReviews struct {
+ c *Client
+ ns string
+}
+
+// newPodSecurityPolicyReviews returns a podSecurityPolicyReviews
+func newPodSecurityPolicyReviews(c *Client, namespace string) *podSecurityPolicyReviews {
+ return &podSecurityPolicyReviews{
+ c: c,
+ ns: namespace,
+ }
+}
+
+// Create creates a PodSecurityPolicyReview
+func (p *podSecurityPolicyReviews) Create(pspr *securityapi.PodSecurityPolicyReview) (result *securityapi.PodSecurityPolicyReview, err error) {
+ result = &securityapi.PodSecurityPolicyReview{}
+ err = p.c.Post().Namespace(p.ns).Resource("podSecurityPolicyReviews").Body(pspr).Do().Into(result)
+ return
+}
diff --git a/pkg/client/podsecuritypolicysubjectreview.go b/pkg/client/podsecuritypolicysubjectreview.go
new file mode 100644
index 000000000000..374c72c941c8
--- /dev/null
+++ b/pkg/client/podsecuritypolicysubjectreview.go
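Review bot: The comment on `PodSecurityPolicyReviewsNamespacer` says the resources are worked with "in the cluster scope", but the interface's only method takes a `namespace string` and `Create` posts with `.Namespace(p.ns)`, so these objects are namespaced; the comment should read `// PodSecurityPolicyReviewsNamespacer has methods to work with PodSecurityPolicyReview resources in a namespace`. The same wording appears on `PodSecurityPolicySubjectReviewsNamespacer` and `PodSecurityPolicySelfSubjectReviewsNamespacer` in podsecuritypolicysubjectreview.go and needs the same fix. Separately, `Resource("podSecurityPolicyReviews")` is camel-cased while the fake client registers `podsecuritypolicyreviews`; if the server route is the lower-case form the two should agree, so this is worth confirming against the storage registration rather than assuming.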
@@ -0,0 +1,61 @@
+package client
+
+import securityapi "github.com/openshift/origin/pkg/security/api"
+
+// PodSecurityPolicySubjectReviewsNamespacer has methods to work with PodSecurityPolicySubjectReview resources in the cluster scope
+type PodSecurityPolicySubjectReviewsNamespacer interface {
+ PodSecurityPolicySubjectReviews(namespace string) PodSecurityPolicySubjectReviewInterface
+}
+
+// PodSecurityPolicySubjectReviewInterface exposes methods on PodSecurityPolicySubjectReview resources.
+type PodSecurityPolicySubjectReviewInterface interface {
+ Create(policy *securityapi.PodSecurityPolicySubjectReview) (*securityapi.PodSecurityPolicySubjectReview, error)
+}
+
+// PodSecurityPolicySubjectReviews implements PodSecurityPolicySubjectReviews interface
+type podSecurityPolicySubjectReviews struct {
+ c *Client
+ ns string
+}
+
+// newPodSecurityPolicySubjectReviews returns a PodSecurityPolicySubjectReviews
+func newPodSecurityPolicySubjectReviews(c *Client, namespace string) *podSecurityPolicySubjectReviews {
+ return &podSecurityPolicySubjectReviews{
+ c: c,
+ ns: namespace,
+ }
+}
+
+func (p *podSecurityPolicySubjectReviews) Create(pspsr *securityapi.PodSecurityPolicySubjectReview) (result *securityapi.PodSecurityPolicySubjectReview, err error) {
+ result = &securityapi.PodSecurityPolicySubjectReview{}
+ err = p.c.Post().Namespace(p.ns).Resource("podSecurityPolicySubjectReviews").Body(pspsr).Do().Into(result)
+ return
+}
+
+// PodSecurityPolicySelfSubjectReviewsNamespacer has methods to work with PodSecurityPolicySelfSubjectReview resources in the cluster scope
+type PodSecurityPolicySelfSubjectReviewsNamespacer interface {
+ PodSecurityPolicySelfSubjectReviews(namespace string) PodSecurityPolicySelfSubjectReviewInterface
+}
+
+// PodSecurityPolicySelfSubjectReviewInterface exposes methods on PodSecurityPolicySelfSubjectReview resources.
+type PodSecurityPolicySelfSubjectReviewInterface interface {
+ Create(policy *securityapi.PodSecurityPolicySelfSubjectReview) (*securityapi.PodSecurityPolicySelfSubjectReview, error)
+}
+
+type podSecurityPolicySelfSubjectReviews struct {
+ c *Client
+ ns string
+}
+
+func newPodSecurityPolicySelfSubjectReviews(c *Client, namespace string) *podSecurityPolicySelfSubjectReviews {
+ return &podSecurityPolicySelfSubjectReviews{
+ c: c,
+ ns: namespace,
+ }
+}
+
+func (p *podSecurityPolicySelfSubjectReviews) Create(pspssr *securityapi.PodSecurityPolicySelfSubjectReview) (result *securityapi.PodSecurityPolicySelfSubjectReview, err error) {
+ result = &securityapi.PodSecurityPolicySelfSubjectReview{}
+ err = p.c.Post().Namespace(p.ns).Resource("podSecurityPolicySelfSubjectReviews").Body(pspssr).Do().Into(result)
+ return
+}
diff --git a/pkg/client/testclient/fake_podsecuritypolicyreview.go b/pkg/client/testclient/fake_podsecuritypolicyreview.go
new file mode 100644
index 000000000000..318902bcad4c
--- /dev/null
+++ b/pkg/client/testclient/fake_podsecuritypolicyreview.go
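Review bot: The comment `// PodSecurityPolicySubjectReviews implements PodSecurityPolicySubjectReviews interface` matches neither the type below it (`podSecurityPolicySubjectReviews`) nor the interface it implements (`PodSecurityPolicySubjectReviewInterface`), and `// newPodSecurityPolicySubjectReviews returns a PodSecurityPolicySubjectReviews` names a type that does not exist in the file. They should read `// podSecurityPolicySubjectReviews implements PodSecurityPolicySubjectReviewInterface` and `// newPodSecurityPolicySubjectReviews returns a podSecurityPolicySubjectReviews`. The `podSecurityPolicySelfSubjectReviews` struct, its constructor and both `Create` methods have no comment at all, whereas the sibling podsecuritypolicyreview.go documents every declaration; `// Create creates a PodSecurityPolicySubjectReview` and `// Create creates a PodSecurityPolicySelfSubjectReview` above the respective methods would bring the two files in line.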
@@ -0,0 +1,25 @@
+package testclient
+
+import (
+ securityapi "github.com/openshift/origin/pkg/security/api"
+ "k8s.io/kubernetes/pkg/api/unversioned"
+ "k8s.io/kubernetes/pkg/client/testing/core"
+)
+
+// FakePodSecurityPolicyReviews implements the PodSecurityPolicyReviews interface.
+// Meant to be embedded into a struct to get a default implementation.
+// This makes faking out just the methods you want to test easier.
+type FakePodSecurityPolicyReviews struct {
+ Fake *Fake
+ Namespace string
+}
+
+var podSecurityPolicyReviewsResource = unversioned.GroupVersionResource{Group: "", Version: "", Resource: "podsecuritypolicyreviews"}
+
+func (c *FakePodSecurityPolicyReviews) Create(inObj *securityapi.PodSecurityPolicyReview) (*securityapi.PodSecurityPolicyReview, error) {
+ obj, err := c.Fake.Invokes(core.NewCreateAction(podSecurityPolicyReviewsResource, c.Namespace, inObj), &securityapi.PodSecurityPolicyReview{})
+ if cast, ok := obj.(*securityapi.PodSecurityPolicyReview); ok {
+ return cast, err
+ }
+ return nil, err
+}
diff --git a/pkg/client/testclient/fake_podsecuritypolicysubjectreview.go b/pkg/client/testclient/fake_podsecuritypolicysubjectreview.go
new file mode 100644
index 000000000000..07072905cc41
--- /dev/null
+++ b/pkg/client/testclient/fake_podsecuritypolicysubjectreview.go
@@ -0,0 +1,43 @@
+package testclient
+
+import (
+ securityapi "github.com/openshift/origin/pkg/security/api"
+ "k8s.io/kubernetes/pkg/api/unversioned"
+ "k8s.io/kubernetes/pkg/client/testing/core"
+)
+
+// FakePodSecurityPolicySubjectReviews implements the PodSecurityPolicySubjectReviews interface.
+// Meant to be embedded into a struct to get a default implementation.
+// This makes faking out just the methods you want to test easier.
+type FakePodSecurityPolicySubjectReviews struct {
+ Fake *Fake
+ Namespace string
+}
+
+var podSecurityPolicySubjectReviewsResource = unversioned.GroupVersionResource{Group: "", Version: "", Resource: "podsecuritypolicysubjectreviews"}
+
+func (c *FakePodSecurityPolicySubjectReviews) Create(inObj *securityapi.PodSecurityPolicySubjectReview) (*securityapi.PodSecurityPolicySubjectReview, error) {
+ obj, err := c.Fake.Invokes(core.NewCreateAction(podSecurityPolicySubjectReviewsResource, c.Namespace, inObj), &securityapi.PodSecurityPolicySubjectReview{})
+ if cast, ok := obj.(*securityapi.PodSecurityPolicySubjectReview); ok {
+ return cast, err
+ }
+ return nil, err
+}
+
+// FakePodSecurityPolicySelfSubjectReviews implements the PodSecurityPolicySelfSubjectReviews interface.
+// Meant to be embedded into a struct to get a default implementation.
+// This makes faking out just the methods you want to test easier.
+type FakePodSecurityPolicySelfSubjectReviews struct {
+ Fake *Fake
+ Namespace string
+}
+
+var podSecurityPolicySelfSubjectReviewsResource = unversioned.GroupVersionResource{Group: "", Version: "", Resource: "podsecuritypolicyselfsubjectreviews"}
+
+func (c *FakePodSecurityPolicySelfSubjectReviews) Create(inObj *securityapi.PodSecurityPolicySelfSubjectReview) (*securityapi.PodSecurityPolicySelfSubjectReview, error) {
+ obj, err := c.Fake.Invokes(core.NewCreateAction(podSecurityPolicySelfSubjectReviewsResource, c.Namespace, inObj), &securityapi.PodSecurityPolicySelfSubjectReview{})
+ if cast, ok := obj.(*securityapi.PodSecurityPolicySelfSubjectReview); ok {
+ return cast, err
+ }
+ return nil, err
+}
diff --git a/pkg/cmd/admin/policy/policy.go b/pkg/cmd/admin/policy/policy.go
index 3a7c861edb83..ebcebdda67c4 100644
--- a/pkg/cmd/admin/policy/policy.go
+++ b/pkg/cmd/admin/policy/policy.go
@@ -45,6 +45,8 @@ func NewCmdPolicy(name, fullName string, f *clientcmd.Factory, out, errout io.Wr
 Message: "Discover:",
 Commands: []*cobra.Command{
 NewCmdWhoCan(WhoCanRecommendedName, fullName+" "+WhoCanRecommendedName, f, out),
+ NewCmdSccSubjectReview(SubjectReviewRecommendedName, fullName+" "+SubjectReviewRecommendedName, f, out),
+ NewCmdSccReview(ReviewRecommendedName, fullName+" "+ReviewRecommendedName, f, out),
 },
 },
 {
diff --git a/pkg/cmd/admin/policy/review.go b/pkg/cmd/admin/policy/review.go
new file mode 100644
index 000000000000..d093a5e7ab07
--- /dev/null
+++ b/pkg/cmd/admin/policy/review.go
@@ -0,0 +1,260 @@
+package policy
+
+import (
+ "fmt"
+ "io"
+ "strings"
+ "text/tabwriter"
+
+ "github.com/spf13/cobra"
+
+ kapi "k8s.io/kubernetes/pkg/api"
+ "k8s.io/kubernetes/pkg/api/meta"
+ "k8s.io/kubernetes/pkg/apis/apps"
+ "k8s.io/kubernetes/pkg/kubectl"
+ kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
+ "k8s.io/kubernetes/pkg/kubectl/resource"
+ "k8s.io/kubernetes/pkg/runtime"
+ "k8s.io/kubernetes/pkg/serviceaccount"
+ utilerrors "k8s.io/kubernetes/pkg/util/errors"
+
+ ometa "github.com/openshift/origin/pkg/api/meta"
+ "github.com/openshift/origin/pkg/client"
+ "github.com/openshift/origin/pkg/cmd/templates"
+ "github.com/openshift/origin/pkg/cmd/util/clientcmd"
+ securityapi "github.com/openshift/origin/pkg/security/api"
+)
+
+var (
+ reviewLong = templates.LongDesc(`Checks which Service Account can create a Pod.
+ The Pod is inferred from the PodTemplateSpec in the provided resource.
+ If no Service Account is provided the one specified in podTemplateSpec.spec.serviceAccountName is used,
+ unless it is empty, in which case "default" is used.
+ If Service Accounts are provided the podTemplateSpec.spec.serviceAccountName is ignored.
+ `)
+ reviewExamples = templates.Examples(`# Check whether Service Accounts sa1 and sa2 can admit a Pod with TemplatePodSpec specified in my_resource.yaml
+ # Service Account specified in myresource.yaml file is ignored
+ $ %[1]s -z sa1,sa2 -f my_resource.yaml
+
+ # Check whether Service Accounts system:serviceaccount:bob:default can admit a Pod with TemplatePodSpec specified in my_resource.yaml
+ $ %[1]s -z system:serviceaccount:bob:default -f my_resource.yaml
+
+ # Check whether Service Account specified in my_resource_with_sa.yaml can admit the Pod
+ $ %[1]s -f my_resource_with_sa.yaml
+
+ # Check whether default Service Account can admit the Pod, default is taken since no Service Account is defined in myresource_with_no_sa.yaml
+ $ %[1]s -f myresource_with_no_sa.yaml
+ `)
+)
+
+const ReviewRecommendedName = "scc-review"
+
+type sccReviewOptions struct {
+ client client.PodSecurityPolicyReviewsNamespacer
+ namespace string
+ enforceNamespace bool
+ out io.Writer
+ mapper meta.RESTMapper
+ typer runtime.ObjectTyper
+ RESTClientFactory func(mapping *meta.RESTMapping) (resource.RESTClient, error)
+ printer sccReviewPrinter
+ FilenameOptions resource.FilenameOptions
+ serviceAccountNames []string // it contains user inputs it could be long sa name like system:serviceaccount:bob:default or short one
+ shortServiceAccountNames []string // it contains only short sa name for example 'bob'
+}
+
+func NewCmdSccReview(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command {
+ o := &sccReviewOptions{}
+ cmd := &cobra.Command{
+ Use: name,
+ Short: "Checks which ServiceAccount can create a Pod",
+ Long: reviewLong,
+ Example: fmt.Sprintf(reviewExamples, fullName),
+ Run: func(cmd *cobra.Command, args []string) {
+ kcmdutil.CheckErr(o.Complete(f, args, cmd, out))
+ kcmdutil.CheckErr(o.Run(args))
+ },
+ }
+
+ cmd.Flags().StringSliceVarP(&o.serviceAccountNames, "serviceaccount", "z", o.serviceAccountNames, "service account in the current namespace to use as
a user")
+ kcmdutil.AddFilenameOptionFlags(cmd, &o.FilenameOptions, "Filename, directory, or URL to a file identifying the resource to get from a server.")
+ kcmdutil.AddPrinterFlags(cmd)
+ return cmd
+}
+
+func (o *sccReviewOptions) Complete(f *clientcmd.Factory, args []string, cmd *cobra.Command, out io.Writer) error {
+ if len(args) == 0 && len(o.FilenameOptions.Filenames) == 0 {
+ return kcmdutil.UsageError(cmd, cmd.Use)
+ }
+ for _, sa := range o.serviceAccountNames {
+ if strings.HasPrefix(sa, serviceaccount.ServiceAccountUsernamePrefix) {
+ _, user, err := serviceaccount.SplitUsername(sa)
+ if err != nil {
+ return err
+ }
+ o.shortServiceAccountNames = append(o.shortServiceAccountNames, user)
+ } else {
+ o.shortServiceAccountNames = append(o.shortServiceAccountNames, sa)
+ }
+ }
+ var err error
+ o.namespace, o.enforceNamespace, err = f.DefaultNamespace()
+ if err != nil {
+ return err
+ }
+ o.client, _, err = f.Clients()
+ if err != nil {
+ return fmt.Errorf("unable to obtain client: %v", err)
+ }
+ o.mapper, o.typer = f.Object()
+ o.RESTClientFactory = f.ClientForMapping
+
+ if len(kcmdutil.GetFlagString(cmd, "output")) != 0 {
+ clientConfig, err := f.ClientConfig()
+ if err != nil {
+ return err
+ }
+ version, err := kcmdutil.OutputVersion(cmd, clientConfig.GroupVersion)
+ if err != nil {
+ return err
+ }
+ p, _, err := kcmdutil.PrinterForCommand(cmd)
+ if err != nil {
+ return err
+ }
+ o.printer = &sccReviewOutputPrinter{kubectl.NewVersionedPrinter(p, kapi.Scheme, version)}
+ } else {
+ o.printer = &sccReviewHumanReadablePrinter{noHeaders: kcmdutil.GetFlagBool(cmd, "no-headers")}
+ }
+ o.out = out
+ return nil
+}
+
+func (o *sccReviewOptions) Run(args []string) error {
+ r := resource.NewBuilder(o.mapper, o.typer, resource.ClientMapperFunc(o.RESTClientFactory), kapi.Codecs.UniversalDecoder()).
+ NamespaceParam(o.namespace).
+ FilenameParam(o.enforceNamespace, &o.FilenameOptions).
+ ResourceTypeOrNameArgs(true, args...).
+ ContinueOnError().
+ Flatten().
+ Do()
+ err := r.Err()
+ if err != nil {
+ return err
+ }
+ allErrs := []error{}
+ err = r.Visit(func(info *resource.Info, err error) error {
+ if err != nil {
+ return err
+ }
+ objectName := info.Name
+ podTemplateSpec, err := GetPodTemplateForObject(info.Object)
+ if err != nil {
+ return fmt.Errorf(" %q cannot create pod: %v", objectName, err)
+ }
+ err = CheckStatefulSetWithWolumeClaimTemplates(info.Object)
+ if err != nil {
+ return err
+ }
+ review := &securityapi.PodSecurityPolicyReview{
+ Spec: securityapi.PodSecurityPolicyReviewSpec{
+ Template: *podTemplateSpec,
+ ServiceAccountNames: o.shortServiceAccountNames,
+ },
+ }
+ response, err := o.client.PodSecurityPolicyReviews(o.namespace).Create(review)
+ if err != nil {
+ return fmt.Errorf("unable to compute Pod Security Policy Review for %q: %v", objectName, err)
+ }
+ if err = o.printer.print(info, response, o.out); err != nil {
+ allErrs = append(allErrs, err)
+ }
+ return nil
+ })
+ allErrs = append(allErrs, err)
+ return utilerrors.NewAggregate(allErrs)
+}
+
+// CheckStatefulSetWithWolumeClaimTemplates checks whether a supplied object is a statefulSet with volumeClaimTemplates
+// Currently scc-review and scc-subject-review commands cannot handle correctly this case since validation is not based
+// only on podTemplateSpec.
+func CheckStatefulSetWithWolumeClaimTemplates(obj runtime.Object) error {
+ // TODO remove this as soon upstream statefulSet validation for podSpec is fixed.
+ // Currently podTemplateSpec for a statefulSet is not fully validated
+ // spec.volumeClaimTemplates info should be propagated down to
+ // spec.template.spec validateContainers to validate volumeMounts
+ //https://github.com/openshift/origin/blob/master/vendor/k8s.io/kubernetes/pkg/apis/apps/validation/validation.go#L57
+ switch r := obj.(type) {
+ case *apps.StatefulSet:
+ if len(r.Spec.VolumeClaimTemplates) > 0 {
+ return fmt.Errorf("StatefulSet %q with spec.volumeClaimTemplates currently not supported.", r.GetName())
+ }
+ }
+ return nil
+}
+
+func GetPodTemplateForObject(obj runtime.Object) (*kapi.PodTemplateSpec, error) {
+ podSpec, _, err := ometa.GetPodSpec(obj)
+ if err != nil {
+ return nil, err
+ }
+ return &kapi.PodTemplateSpec{Spec: *podSpec}, nil
+}
+
+type sccReviewPrinter interface {
+ print(*resource.Info, runtime.Object, io.Writer) error
+}
+
+type sccReviewOutputPrinter struct {
+ kubectl.ResourcePrinter
+}
+
+var _ sccReviewPrinter = &sccReviewOutputPrinter{}
+
+func (s *sccReviewOutputPrinter) print(unused *resource.Info, obj runtime.Object, out io.Writer) error {
+ return s.ResourcePrinter.PrintObj(obj, out)
+}
+
+type sccReviewHumanReadablePrinter struct {
+ noHeaders bool
+}
+
+var _ sccReviewPrinter = &sccReviewHumanReadablePrinter{}
+
+const (
+ sccReviewTabWriterMinWidth = 0
+ sccReviewTabWriterWidth = 7
+ sccReviewTabWriterPadding = 3
+ sccReviewTabWriterPadChar = ' '
+ sccReviewTabWriterFlags = 0
+)
+
+func (s *sccReviewHumanReadablePrinter) print(info *resource.Info, obj runtime.Object, out io.Writer) error {
+ w := tabwriter.NewWriter(out, sccReviewTabWriterMinWidth, sccReviewTabWriterWidth, sccReviewTabWriterPadding, sccReviewTabWriterPadChar, sccReviewTabWriterFlags)
+ defer w.Flush()
+ if s.noHeaders == false {
+ columns := []string{"RESOURCE", "SERVICE ACCOUNT", "ALLOWED BY"}
+ fmt.Fprintf(w, "%s\t\n", strings.Join(columns, "\t"))
+ s.noHeaders = true // printed only the first time if requested
+ }
+ pspreview, ok :=
obj.(*securityapi.PodSecurityPolicyReview)
+ if !ok {
+ return fmt.Errorf("unexpected object %T", obj)
+ }
+ gvk, _, err := kapi.Scheme.ObjectKind(info.Object)
+ if err != nil {
+ return err
+ }
+ kind := gvk.Kind
+ for _, allowedSA := range pspreview.Status.AllowedServiceAccounts {
+ allowedBy := ""
+ if allowedSA.AllowedBy != nil {
+ allowedBy = allowedSA.AllowedBy.Name
+ }
+ _, err := fmt.Fprintf(w, "%s/%s\t%s\t%s\t\n", kind, info.Name, allowedSA.Name, allowedBy)
+ if err != nil {
+ return err
+ }
+ }
+ return nil
+}
diff --git a/pkg/cmd/admin/policy/subject_review.go b/pkg/cmd/admin/policy/subject_review.go
new file mode 100644
index 000000000000..32b8df504adf
--- /dev/null
+++ b/pkg/cmd/admin/policy/subject_review.go
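Review bot: `Complete` drops the namespace half of a fully-qualified service-account name: `_, user, err := serviceaccount.SplitUsername(sa)` keeps only `user`, and `Run` then reviews that short name in `o.namespace`, so `-z system:serviceaccount:alice:default` issued from project bob silently reports on bob's `default` rather than alice's (the `-z system:serviceaccount:alice:default` case in test/cmd/policy.sh, run from `${project}`, appears to rely on exactly this). `Complete` in subject_review.go has the same pattern. Resolving `o.namespace` before the loop and rejecting a qualified name whose namespace differs turns a wrong answer into an explicit error, as below; the alternative is to state in the `--serviceaccount` help text that the namespace portion is ignored. Separately, `CheckStatefulSetWithWolumeClaimTemplates` is exported with a typo ("Wolume") that subject_review.go now also depends on, and renaming it to `CheckStatefulSetWithVolumeClaimTemplates` is cheapest before anything outside this package imports it.
```go
	var err error
	o.namespace, o.enforceNamespace, err = f.DefaultNamespace()
	if err != nil {
		return err
	}
	for _, sa := range o.serviceAccountNames {
		if strings.HasPrefix(sa, serviceaccount.ServiceAccountUsernamePrefix) {
			saNamespace, user, err := serviceaccount.SplitUsername(sa)
			if err != nil {
				return err
			}
			// the review is computed in o.namespace; a qualified name that points elsewhere cannot be honoured
			if saNamespace != o.namespace {
				return fmt.Errorf("service account %q belongs to namespace %q, but the review runs in namespace %q", sa, saNamespace, o.namespace)
			}
			o.shortServiceAccountNames = append(o.shortServiceAccountNames, user)
		} else {
			o.shortServiceAccountNames = append(o.shortServiceAccountNames, sa)
		}
	}
	// … unchanged: f.Clients(), f.Object(), printer selection …
```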
@@ -0,0 +1,266 @@
+package policy
+
+import (
+ "fmt"
+ "io"
+ "strings"
+ "text/tabwriter"
+
+ "github.com/spf13/cobra"
+
+ kapi "k8s.io/kubernetes/pkg/api"
+ "k8s.io/kubernetes/pkg/api/meta"
+ "k8s.io/kubernetes/pkg/kubectl"
+ kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
+ "k8s.io/kubernetes/pkg/kubectl/resource"
+ "k8s.io/kubernetes/pkg/runtime"
+ "k8s.io/kubernetes/pkg/serviceaccount"
+ utilerrors "k8s.io/kubernetes/pkg/util/errors"
+
+ "github.com/openshift/origin/pkg/client"
+ "github.com/openshift/origin/pkg/cmd/templates"
+ "github.com/openshift/origin/pkg/cmd/util/clientcmd"
+ securityapi "github.com/openshift/origin/pkg/security/api"
+)
+
+var (
+ subjectReviewLong = templates.LongDesc(`Check whether a User, Service Account or a Group can create a Pod.
+ It returns a list of Security Context Constraints that will admit the resource.
+ If User is specified but not Groups, it is interpreted as "What if User is not a member of any groups".
+ If User and Groups are empty, then the check is performed using the current user
+ `)
+ subjectReviewExamples = templates.Examples(`# Check whether user bob can create a pod specified in myresource.yaml
+ $ %[1]s -u bob -f myresource.yaml
+
+ # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml
+ $ %[1]s -u bob -g projectAdmin -f myresource.yaml
+
+ # Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod
+ $ %[1]s -f myresourcewithsa.yaml `)
+)
+
+const SubjectReviewRecommendedName = "scc-subject-review"
+
+type sccSubjectReviewOptions struct {
+ sccSubjectReviewClient client.PodSecurityPolicySubjectReviewsNamespacer
+ sccSelfSubjectReviewClient client.PodSecurityPolicySelfSubjectReviewsNamespacer
+ namespace string
+ enforceNamespace bool
+ out io.Writer
+ mapper meta.RESTMapper
+ typer runtime.ObjectTyper
+ RESTClientFactory func(mapping *meta.RESTMapping) (resource.RESTClient, error)
+ printer
sccSubjectReviewPrinter
+ FilenameOptions resource.FilenameOptions
+ User string
+ Groups []string
+ serviceAccount string
+}
+
+func NewCmdSccSubjectReview(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command {
+ o := &sccSubjectReviewOptions{}
+ cmd := &cobra.Command{
+ Use: name,
+ Long: subjectReviewLong,
+ Short: "Check whether a user or a ServiceAccount can create a Pod.",
+ Example: fmt.Sprintf(subjectReviewExamples, fullName, fullName),
+ Run: func(cmd *cobra.Command, args []string) {
+ kcmdutil.CheckErr(o.Complete(f, args, cmd, out))
+ kcmdutil.CheckErr(o.Run(args))
+ },
+ }
+
+ cmd.Flags().StringVarP(&o.User, "user", "u", o.User, "Review will be performed on behalf of this user")
+ cmd.Flags().StringSliceVarP(&o.Groups, "groups", "g", o.Groups, "Comma separated, list of groups. Review will be performed on behalf of these groups")
+ cmd.Flags().StringVarP(&o.serviceAccount, "serviceaccount", "z", o.serviceAccount, "service account in the current namespace to use as a user")
+ kcmdutil.AddFilenameOptionFlags(cmd, &o.FilenameOptions, "Filename, directory, or URL to a file identifying the resource to get from a server.")
+ kcmdutil.AddPrinterFlags(cmd)
+ return cmd
+}
+
+func (o *sccSubjectReviewOptions) Complete(f *clientcmd.Factory, args []string, cmd *cobra.Command, out io.Writer) error {
+ if len(args) == 0 && len(o.FilenameOptions.Filenames) == 0 {
+ return kcmdutil.UsageError(cmd, cmd.Use)
+ }
+ if len(o.User) > 0 && len(o.serviceAccount) > 0 {
+ return fmt.Errorf("--user and --serviceaccount are mutually exclusive")
+ }
+ if strings.HasPrefix(o.serviceAccount, serviceaccount.ServiceAccountUsernamePrefix) {
+ _, user, err := serviceaccount.SplitUsername(o.serviceAccount)
+ if err != nil {
+ return err
+ }
+ o.serviceAccount = user
+ }
+ var err error
+ o.namespace, o.enforceNamespace, err = f.DefaultNamespace()
+ if err != nil {
+ return err
+ }
+ oclient, _, err := f.Clients()
+ if err != nil {
+ return fmt.Errorf("unable to
obtain client: %v", err)
+ }
+ o.sccSubjectReviewClient = oclient
+ o.sccSelfSubjectReviewClient = oclient
+ o.mapper, o.typer = f.Object()
+ o.RESTClientFactory = f.ClientForMapping
+
+ if len(kcmdutil.GetFlagString(cmd, "output")) != 0 {
+ clientConfig, err := f.ClientConfig()
+ if err != nil {
+ return err
+ }
+ version, err := kcmdutil.OutputVersion(cmd, clientConfig.GroupVersion)
+ if err != nil {
+ return err
+ }
+ p, _, err := kcmdutil.PrinterForCommand(cmd)
+ if err != nil {
+ return err
+ }
+ o.printer = &sccSubjectReviewOutputPrinter{kubectl.NewVersionedPrinter(p, kapi.Scheme, version)}
+ } else {
+ o.printer = &sccSubjectReviewHumanReadablePrinter{noHeaders: kcmdutil.GetFlagBool(cmd, "no-headers")}
+ }
+ o.out = out
+ return nil
+}
+
+func (o *sccSubjectReviewOptions) Run(args []string) error {
+ userOrSA := o.User
+ if len(o.serviceAccount) > 0 {
+ userOrSA = o.serviceAccount
+ }
+ r := resource.NewBuilder(o.mapper, o.typer, resource.ClientMapperFunc(o.RESTClientFactory), kapi.Codecs.UniversalDecoder()).
+ NamespaceParam(o.namespace).
+ FilenameParam(o.enforceNamespace, &o.FilenameOptions).
+ ResourceTypeOrNameArgs(true, args...).
+ ContinueOnError().
+ Flatten().
+ Do()
+ err := r.Err()
+ if err != nil {
+ return err
+ }
+
+ allErrs := []error{}
+ err = r.Visit(func(info *resource.Info, err error) error {
+ if err != nil {
+ return err
+ }
+ var response runtime.Object
+ objectName := info.Name
+ podTemplateSpec, err := GetPodTemplateForObject(info.Object)
+ if err != nil {
+ return fmt.Errorf(" %q cannot create pod: %v", objectName, err)
+ }
+ err = CheckStatefulSetWithWolumeClaimTemplates(info.Object)
+ if err != nil {
+ return err
+ }
+ if len(userOrSA) > 0 || len(o.Groups) > 0 {
+ response, err = o.pspSubjectReview(userOrSA, podTemplateSpec)
+ } else {
+ response, err = o.pspSelfSubjectReview(podTemplateSpec)
+ }
+ if err != nil {
+ return fmt.Errorf("unable to compute Pod Security Policy Subject Review for %q: %v", objectName, err)
+ }
+ if err := o.printer.print(info, response, o.out); err != nil {
+ allErrs = append(allErrs, err)
+ }
+ return nil
+ })
+ allErrs = append(allErrs, err)
+ return utilerrors.NewAggregate(allErrs)
+}
+
+func (o *sccSubjectReviewOptions) pspSubjectReview(userOrSA string, podTemplateSpec *kapi.PodTemplateSpec) (*securityapi.PodSecurityPolicySubjectReview, error) {
+ podSecurityPolicySubjectReview := &securityapi.PodSecurityPolicySubjectReview{
+ Spec: securityapi.PodSecurityPolicySubjectReviewSpec{
+ Template: *podTemplateSpec,
+ User: userOrSA,
+ Groups: o.Groups,
+ },
+ }
+ return o.sccSubjectReviewClient.PodSecurityPolicySubjectReviews(o.namespace).Create(podSecurityPolicySubjectReview)
+}
+
+func (o *sccSubjectReviewOptions) pspSelfSubjectReview(podTemplateSpec *kapi.PodTemplateSpec) (*securityapi.PodSecurityPolicySelfSubjectReview, error) {
+ podSecurityPolicySelfSubjectReview := &securityapi.PodSecurityPolicySelfSubjectReview{
+ Spec: securityapi.PodSecurityPolicySelfSubjectReviewSpec{
+ Template: *podTemplateSpec,
+ },
+ }
+ return o.sccSelfSubjectReviewClient.PodSecurityPolicySelfSubjectReviews(o.namespace).Create(podSecurityPolicySelfSubjectReview)
+}
+
+type sccSubjectReviewPrinter
interface {
+ print(*resource.Info, runtime.Object, io.Writer) error
+}
+
+type sccSubjectReviewOutputPrinter struct {
+ kubectl.ResourcePrinter
+}
+
+var _ sccSubjectReviewPrinter = &sccSubjectReviewOutputPrinter{}
+
+func (s *sccSubjectReviewOutputPrinter) print(unused *resource.Info, obj runtime.Object, out io.Writer) error {
+ return s.ResourcePrinter.PrintObj(obj, out)
+}
+
+type sccSubjectReviewHumanReadablePrinter struct {
+ noHeaders bool
+}
+
+var _ sccSubjectReviewPrinter = &sccSubjectReviewHumanReadablePrinter{}
+
+const (
+ sccSubjectReviewTabWriterMinWidth = 0
+ sccSubjectReviewTabWriterWidth = 7
+ sccSubjectReviewTabWriterPadding = 3
+ sccSubjectReviewTabWriterPadChar = ' '
+ sccSubjectReviewTabWriterFlags = 0
+)
+
+func (s *sccSubjectReviewHumanReadablePrinter) print(info *resource.Info, obj runtime.Object, out io.Writer) error {
+ w := tabwriter.NewWriter(out, sccSubjectReviewTabWriterMinWidth, sccSubjectReviewTabWriterWidth, sccSubjectReviewTabWriterPadding, sccSubjectReviewTabWriterPadChar, sccSubjectReviewTabWriterFlags)
+ defer w.Flush()
+ if s.noHeaders == false {
+ columns := []string{"RESOURCE", "ALLOWED BY"}
+ fmt.Fprintf(w, "%s\t\n", strings.Join(columns, "\t"))
+ s.noHeaders = true // printed only the first time if requested
+ }
+ gvk, _, err := kapi.Scheme.ObjectKind(info.Object)
+ if err != nil {
+ return err
+ }
+ kind := gvk.Kind
+ allowedBy, err := getAllowedBy(obj)
+ if err != nil {
+ return err
+ }
+ _, err = fmt.Fprintf(w, "%s/%s\t%s\t\n", kind, info.Name, allowedBy)
+ if err != nil {
+ return err
+ }
+ return nil
+}
+
+func getAllowedBy(obj runtime.Object) (string, error) {
+ value := ""
+ switch review := obj.(type) {
+ case *securityapi.PodSecurityPolicySelfSubjectReview:
+ if review.Status.AllowedBy != nil {
+ value = review.Status.AllowedBy.Name
+ }
+ case *securityapi.PodSecurityPolicySubjectReview:
+ if review.Status.AllowedBy != nil {
+ value = review.Status.AllowedBy.Name
+ }
+ default:
+ return value,
fmt.Errorf("unexpected object %T", obj)
+ }
+ return value, nil
+}
diff --git a/pkg/cmd/cli/policy/policy.go b/pkg/cmd/cli/policy/policy.go
index 84d977b263f2..a76a6a4df9f8 100644
--- a/pkg/cmd/cli/policy/policy.go
+++ b/pkg/cmd/cli/policy/policy.go
@@ -23,6 +23,8 @@ func NewCmdPolicy(name, fullName string, f *clientcmd.Factory, out, errOut io.Wr
 cmds.AddCommand(adminpolicy.NewCmdWhoCan(adminpolicy.WhoCanRecommendedName, fullName+" "+adminpolicy.WhoCanRecommendedName, f, out))
 cmds.AddCommand(adminpolicy.NewCmdCanI(adminpolicy.CanIRecommendedName, fullName+" "+adminpolicy.CanIRecommendedName, f, out))
+ cmds.AddCommand(adminpolicy.NewCmdSccSubjectReview(adminpolicy.SubjectReviewRecommendedName, fullName+" "+adminpolicy.SubjectReviewRecommendedName, f, out))
+ cmds.AddCommand(adminpolicy.NewCmdSccReview(adminpolicy.ReviewRecommendedName, fullName+" "+adminpolicy.ReviewRecommendedName, f, out))
 cmds.AddCommand(adminpolicy.NewCmdAddRoleToUser(adminpolicy.AddRoleToUserRecommendedName, fullName+" "+adminpolicy.AddRoleToUserRecommendedName, f, out))
 cmds.AddCommand(adminpolicy.NewCmdRemoveRoleFromUser(adminpolicy.RemoveRoleFromUserRecommendedName, fullName+" "+adminpolicy.RemoveRoleFromUserRecommendedName, f, out))
diff --git a/test/cmd/policy.sh b/test/cmd/policy.sh
index 2cdc24a379d6..0023770568ff 100755
--- a/test/cmd/policy.sh
+++ b/test/cmd/policy.sh
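Review bot: `-z` sends the short service-account name as `Spec.User` of the PodSecurityPolicySubjectReview (`userOrSA = o.serviceAccount` in `Run`, then `User: userOrSA` in `pspSubjectReview`) without the `system:serviceaccount:<namespace>:` prefix or the service-account groups; unless the server side expands it, which is not visible here, the review models a plain user literally named e.g. `default`, and the test in test/cmd/policy.sh expecting an empty ALLOWED BY for `-z default -f job.yaml` is consistent with that reading. That differs from `scc-review`, which sends service accounts in the dedicated `ServiceAccountNames` field, and from the flag's own help text "service account in the current namespace to use as a user". If service-account semantics are intended, `userOrSA = serviceaccount.MakeUsername(o.namespace, o.serviceAccount)` in `Run`, with `serviceaccount.MakeGroupNames(o.namespace, o.serviceAccount)` appended to `o.Groups`, would make the review match what admission actually sees; otherwise the help text should say the name is submitted as a bare username. Separately, `Example: fmt.Sprintf(subjectReviewExamples, fullName, fullName)` passes `fullName` twice for a template that only uses `%[1]s`; a single argument suffices and matches `NewCmdSccReview`.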
@@ -98,6 +98,40 @@ os::cmd::expect_success_and_not_text 'oc policy can-i --list --user harold --gro
 os::cmd::expect_success_and_text 'oc policy can-i --list --user harold --groups system:authenticated' 'create get.*buildconfigs/webhooks'
+os::cmd::expect_failure 'oc policy scc-subject-review'
+os::cmd::expect_failure 'oc policy scc-review'
+os::cmd::expect_failure_and_text 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/pspreview_unsupported_statefulset.yaml' 'error: StatefulSet "rd" with spec.volumeClaimTemplates currently not supported.'
+os::cmd::expect_failure_and_text 'oc policy scc-review -f ${OS_ROOT}/test/testdata/pspreview_unsupported_statefulset.yaml' 'error: StatefulSet "rd" with spec.volumeClaimTemplates currently not supported.'
+os::cmd::expect_success_and_text 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/job.yaml -o=jsonpath={.status.AllowedBy.name}' 'anyuid'
+os::cmd::expect_success_and_text 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/redis-slave.yaml -o=jsonpath={.status.AllowedBy.name}' 'anyuid'
+os::cmd::expect_success_and_text 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/nginx_pod.yaml -o=jsonpath={.status.AllowedBy.name}' 'privileged'
+os::cmd::expect_success "oc login -u bob -p bob"
+os::cmd::expect_success_and_text 'oc whoami' 'bob'
+os::cmd::expect_success 'oc new-project bob'
+os::cmd::expect_success_and_text 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/job.yaml -o=jsonpath={.status.AllowedBy.name}' 'restricted'
+os::cmd::expect_success_and_text 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/job.yaml --no-headers=true' 'Job/hello restricted'
+os::cmd::expect_success_and_text 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/two_jobs.yaml -o=jsonpath={.status.AllowedBy.name}' 'restrictedrestricted'
+os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/testdata/job.yaml -ojsonpath={.status.allowedServiceAccounts}' '\[\]'
+os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/extended/testdata/deployments/deployment-simple.yaml -ojsonpath={.status.allowedServiceAccounts}' '\[\]'
+os::cmd::expect_failure 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/external-service.yaml'
+os::cmd::expect_success "oc login -u system:admin -n '${project}'"
+os::cmd::expect_success_and_text 'oc policy scc-subject-review -u bob -g system:authenticated -f ${OS_ROOT}/test/testdata/job.yaml -n bob -o=jsonpath={.status.AllowedBy.name}' 'restricted'
+os::cmd::expect_success_and_text 'oc policy scc-subject-review -u bob -f ${OS_ROOT}/test/testdata/job.yaml -n bob --no-headers=true' 'Job/hello '
+os::cmd::expect_success_and_text 'oc policy scc-subject-review -z default -f ${OS_ROOT}/test/testdata/job.yaml' ''
+os::cmd::expect_success_and_text 'oc policy scc-subject-review -z default -g system:authenticated -f ${OS_ROOT}/test/testdata/job.yaml' 'restricted'
+os::cmd::expect_failure_and_text 'oc policy scc-subject-review -u alice -z default -g system:authenticated -f ${OS_ROOT}/test/testdata/job.yaml' 'error: --user and --serviceaccount are mutually exclusive'
+os::cmd::expect_success_and_text 'oc policy scc-subject-review -z system:serviceaccount:alice:default -g system:authenticated -f ${OS_ROOT}/test/testdata/job.yaml' 'restricted'
+os::cmd::expect_success_and_text 'oc policy scc-subject-review -u alice -g system:authenticated -f ${OS_ROOT}/test/testdata/job.yaml' 'restricted'
+os::cmd::expect_success 'oc create -f ${OS_ROOT}/test/testdata/scc_lax.yaml'
+os::cmd::expect_success "oc login -u bob -p bob"
+os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/testdata/job.yaml --no-headers=true' 'Job/hello default lax'
+os::cmd::expect_success_and_text 'oc policy scc-review -z default -f ${OS_ROOT}/test/testdata/job.yaml --no-headers=true' 'Job/hello default lax'
+os::cmd::expect_success_and_text 'oc policy scc-review -z system:serviceaccount:bob:default -f
${OS_ROOT}/test/testdata/job.yaml --no-headers=true' 'Job/hello default lax'
+os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/extended/testdata/deployments/deployment-simple.yaml --no-headers=true' 'DeploymentConfig/deployment-simple default lax'
+os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/testdata/nginx_pod.yaml --no-headers=true' ''
+os::cmd::expect_success "oc login -u system:admin -n '${project}'"
+os::cmd::expect_success 'oc delete project bob'
+
 # adjust the cluster-admin role to check defaulting and coverage checks
 # this is done here instead of an integration test because we need to make sure the actual yaml serializations work
diff --git a/test/testdata/job.yaml b/test/testdata/job.yaml
new file mode 100644
index 000000000000..964e3173d978
--- /dev/null
+++ b/test/testdata/job.yaml
@@ -0,0 +1,14 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: hello
+spec:
+ template:
+ metadata:
+ name: hello
+ spec:
+ containers:
+ - name: hello
+ image: python:3.5.1
+ command: ["python", "-c", "print('Hello world!')"]
+ restartPolicy: Never
diff --git a/test/testdata/nginx_pod.yaml b/test/testdata/nginx_pod.yaml
new file mode 100644
index 000000000000..9aaa691bab5e
--- /dev/null
+++ b/test/testdata/nginx_pod.yaml
@@ -0,0 +1,19 @@
+kind: Pod
+id: nginx-mysql
+apiVersion: v1
+metadata:
+ name: nginx-mysql
+ labels:
+ name: nginx-mysql
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - hostPort: 85
+ containerPort: 80
+ - name: mysql
+ image: mysql
+ ports:
+ - hostPort: 3306
+ containerPort: 3306
diff --git a/test/testdata/pspreview_unsupported_statefulset.yaml b/test/testdata/pspreview_unsupported_statefulset.yaml
new file mode 100644
index 000000000000..986196192957
--- /dev/null
+++ b/test/testdata/pspreview_unsupported_statefulset.yaml
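Review bot: The `lax` SecurityContextConstraints created with `oc create -f ${OS_ROOT}/test/testdata/scc_lax.yaml` is cluster-scoped and is never removed; the block ends with `oc delete project bob`, which leaves an SCC granting RunAsAny to every member of `system:serviceaccounts` in place for whatever runs afterwards in the same cluster, so any later admission-related expectation in this suite would be evaluated against it without anyone noticing. Add `os::cmd::expect_success 'oc delete scc lax'` after the final `system:admin` login and before the project deletion. The `-z system:serviceaccount:alice:default` case, run from `${project}` and expecting `restricted`, also pins the CLI's current behaviour of discarding the namespace part of a qualified service-account name, so it will need adjusting if that is tightened.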
@@ -0,0 +1,97 @@
+apiVersion: apps/v1beta1
+kind: StatefulSet
+metadata:
+ name: rd
+spec:
+ serviceName: "redis"
+ replicas: 3
+ template:
+ metadata:
+ labels:
+ app: redis
+ annotations:
+ pod.alpha.kubernetes.io/initialized: "true"
+ pod.alpha.kubernetes.io/init-containers: '[
+ {
+ "name": "install",
+ "image": "gcr.io/google_containers/redis-install:0.1",
+ "imagePullPolicy": "Always",
+ "args": ["--version=3.2.0", "--install-into=/opt", "--work-dir=/work-dir"],
+ "volumeMounts": [
+ {
+ "name": "opt",
+ "mountPath": "/opt"
+ },
+ {
+ "name": "workdir",
+ "mountPath": "/work-dir"
+ }
+ ]
+ },
+ {
+ "name": "bootstrap",
+ "image": "debian:jessie",
+ "command": ["/work-dir/peer-finder"],
+ "args": ["-on-start=\"/work-dir/on-start.sh\"", "-service=redis"],
+ "env": [
+ {
+ "name": "POD_NAMESPACE",
+ "valueFrom": {
+ "fieldRef": {
+ "apiVersion": "v1",
+ "fieldPath": "metadata.namespace"
+ }
+ }
+ }
+ ],
+ "volumeMounts": [
+ {
+ "name": "opt",
+ "mountPath": "/opt"
+ },
+ {
+ "name": "workdir",
+ "mountPath": "/work-dir"
+ }
+ ]
+ }
+ ]'
+ spec:
+ containers:
+ - name: redis
+ image: debian:jessie
+ ports:
+ - containerPort: 6379
+ name: peer
+ command:
+ - /opt/redis/redis-server
+ args:
+ - /opt/redis/redis.conf
+ readinessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - "/opt/redis/redis-cli -h $(hostname) ping"
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ volumeMounts:
+ - name: datadir
+ mountPath: /data
+ - name: opt
+ mountPath: /opt
+ volumes:
+ - name: opt
+ emptyDir: {}
+ - name: workdir
+ emptyDir: {}
+ volumeClaimTemplates:
+ - metadata:
+ name: datadir
+ annotations:
+ volume.alpha.kubernetes.io/storage-class: anything
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ resources:
+ requests:
+ storage: 20Gi
diff --git a/test/testdata/redis-slave.yaml b/test/testdata/redis-slave.yaml
new file mode 100644
index 000000000000..0948371e1828
--- /dev/null
+++ b/test/testdata/redis-slave.yaml
@@ -0,0 +1,44 @@
+apiVersion: extensions/v1beta1
+kind: ReplicaSet
+metadata:
+ name: redis-slave
+ # these labels can be applied automatically
+ # from the labels in the pod template if not set
+ # labels:
+ # app: redis
+ # role: slave
+ # tier: backend
+spec:
+ # this replicas value is default
+ # modify it according to your case
+ replicas: 2
+ # selector can be applied automatically
+ # from the labels in the pod template if not set
+ # selector:
+ # app: guestbook
+ # role: slave
+ # tier: backend
+ template:
+ metadata:
+ labels:
+ app: redis
+ role: slave
+ tier: backend
+ spec:
+ containers:
+ - name: slave
+ image: gcr.io/google_samples/gb-redisslave:v1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ env:
+ - name: GET_HOSTS_FROM
+ value: dns
+ # If your cluster config does not include a dns service, then to
+ # instead access an environment variable to find the master
+ # service's host, comment out the 'value: dns' line above, and
+ # uncomment the line below.
+ # value: env
+ ports:
+ - containerPort: 6379
diff --git a/test/testdata/scc_lax.yaml b/test/testdata/scc_lax.yaml
new file mode 100644
index 000000000000..71a2bcbf84ee
--- /dev/null
+++ b/test/testdata/scc_lax.yaml
@@ -0,0 +1,14 @@
+kind: SecurityContextConstraints
+apiVersion: v1
+metadata:
+ name: lax
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+fsGroup:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+groups:
+- system:serviceaccounts
diff --git a/test/testdata/two_jobs.yaml b/test/testdata/two_jobs.yaml
new file mode 100644
index 000000000000..e131a99461d2
--- /dev/null
+++ b/test/testdata/two_jobs.yaml
@@ -0,0 +1,29 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: hello
+spec:
+ template:
+ metadata:
+ name: hello
+ spec:
+ containers:
+ - name: hello
+ image: python:3.5.1
+ command: ["python", "-c", "print('Hello world!')"]
+ restartPolicy: Never
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: hello2
+spec:
+ template:
+ metadata:
+ name: hello
+ spec:
+ containers:
+ - name: hello
+ image: python:3.5.1
+ command: ["python", "-c", "print('Hello world!')"]
+ restartPolicy: Never