OpenShift CLI administrator command reference

This reference provides descriptions and example commands for OpenShift CLI (oc) administrator commands. You must have cluster-admin or equivalent permissions to use these commands.

For developer commands, see the OpenShift CLI developer command reference.

Run oc adm -h to list all administrator commands or run oc <command> --help to get additional details for a specific command.

OpenShift CLI (oc) administrator commands

oc adm build-chain

Output the inputs and dependencies of your builds

Example usage

  1. # Build the dependency tree for the 'latest' tag in <image-stream>
  2. oc adm build-chain <image-stream>
  3. # Build the dependency tree for the 'v2' tag in dot format and visualize it via the dot utility
  4. oc adm build-chain <image-stream>:v2 -o dot | dot -T svg -o deps.svg
  5. # Build the dependency tree across all namespaces for the specified image stream tag found in the 'test' namespace
  6. oc adm build-chain <image-stream> -n test --all

oc adm catalog mirror

Mirror an operator-registry catalog

Example usage

  1. # Mirror an operator-registry image and its contents to a registry
  2. oc adm catalog mirror quay.io/my/image:latest myregistry.com
  3. # Mirror an operator-registry image and its contents to a particular namespace in a registry
  4. oc adm catalog mirror quay.io/my/image:latest myregistry.com/my-namespace
  5. # Mirror to an airgapped registry by first mirroring to files
  6. oc adm catalog mirror quay.io/my/image:latest file:///local/index
  7. oc adm catalog mirror file:///local/index/my/image:latest my-airgapped-registry.com
  8. # Configure a cluster to use a mirrored registry
  9. oc apply -f manifests/imageContentSourcePolicy.yaml
  10. # Edit the mirroring mappings and mirror with "oc image mirror" manually
  11. oc adm catalog mirror --manifests-only quay.io/my/image:latest myregistry.com
  12. oc image mirror -f manifests/mapping.txt
  13. # Delete all ImageContentSourcePolicies generated by oc adm catalog mirror
  14. oc delete imagecontentsourcepolicy -l operators.openshift.org/catalog=true

oc adm certificate approve

Approve a certificate signing request

Example usage

  1. # Approve CSR 'csr-sqgzp'
  2. oc adm certificate approve csr-sqgzp

oc adm certificate deny

Deny a certificate signing request

Example usage

  1. # Deny CSR 'csr-sqgzp'
  2. oc adm certificate deny csr-sqgzp

oc adm cordon

Mark node as unschedulable

Example usage

  1. # Mark node "foo" as unschedulable
  2. oc adm cordon foo

oc adm create-bootstrap-project-template

Create a bootstrap project template

Example usage

  1. # Output a bootstrap project template in YAML format to stdout
  2. oc adm create-bootstrap-project-template -o yaml

oc adm create-error-template

Create an error page template

Example usage

  1. # Output a template for the error page to stdout
  2. oc adm create-error-template

oc adm create-login-template

Create a login template

Example usage

  1. # Output a template for the login page to stdout
  2. oc adm create-login-template

oc adm create-provider-selection-template

Create a provider selection template

Example usage

  1. # Output a template for the provider selection page to stdout
  2. oc adm create-provider-selection-template

oc adm drain

Drain node in preparation for maintenance

Example usage

  1. # Drain node "foo", even if there are pods not managed by a replication controller, replica set, job, daemon set or stateful set on it
  2. oc adm drain foo --force
  3. # As above, but abort if there are pods not managed by a replication controller, replica set, job, daemon set or stateful set, and use a grace period of 15 minutes
  4. oc adm drain foo --grace-period=900

oc adm groups add-users

Add users to a group

Example usage

  1. # Add user1 and user2 to my-group
  2. oc adm groups add-users my-group user1 user2

oc adm groups new

Create a new group

Example usage

  1. # Add a group with no users
  2. oc adm groups new my-group
  3. # Add a group with two users
  4. oc adm groups new my-group user1 user2
  5. # Add a group with one user and shorter output
  6. oc adm groups new my-group user1 -o name

oc adm groups prune

Remove old OpenShift groups referencing missing records from an external provider

Example usage

  1. # Prune all orphaned groups
  2. oc adm groups prune --sync-config=/path/to/ldap-sync-config.yaml --confirm
  3. # Prune all orphaned groups except the ones from the blacklist file
  4. oc adm groups prune --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
  5. # Prune all orphaned groups from a list of specific groups specified in a whitelist file
  6. oc adm groups prune --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
  7. # Prune all orphaned groups from a list of specific groups specified in a whitelist
  8. oc adm groups prune groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm

oc adm groups remove-users

Remove users from a group

Example usage

  1. # Remove user1 and user2 from my-group
  2. oc adm groups remove-users my-group user1 user2

oc adm groups sync

Sync OpenShift groups with records from an external provider

Example usage

  1. # Sync all groups with an LDAP server
  2. oc adm groups sync --sync-config=/path/to/ldap-sync-config.yaml --confirm
  3. # Sync all groups except the ones from the blacklist file with an LDAP server
  4. oc adm groups sync --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
  5. # Sync specific groups specified in a whitelist file with an LDAP server
  6. oc adm groups sync --whitelist=/path/to/whitelist.txt --sync-config=/path/to/sync-config.yaml --confirm
  7. # Sync all OpenShift groups that have been synced previously with an LDAP server
  8. oc adm groups sync --type=openshift --sync-config=/path/to/ldap-sync-config.yaml --confirm
  9. # Sync specific OpenShift groups if they have been synced previously with an LDAP server
  10. oc adm groups sync groups/group1 groups/group2 groups/group3 --sync-config=/path/to/sync-config.yaml --confirm

oc adm inspect

Collect debugging data for a given resource

Example usage

  1. # Collect debugging data for the "openshift-apiserver" clusteroperator
  2. oc adm inspect clusteroperator/openshift-apiserver
  3. # Collect debugging data for the "openshift-apiserver" and "kube-apiserver" clusteroperators
  4. oc adm inspect clusteroperator/openshift-apiserver clusteroperator/kube-apiserver
  5. # Collect debugging data for all clusteroperators
  6. oc adm inspect clusteroperator
  7. # Collect debugging data for all clusteroperators and clusterversions
  8. oc adm inspect clusteroperators,clusterversions

oc adm migrate template-instances

Update template instances to point to the latest group-version-kinds

Example usage

  1. # Perform a dry-run of updating all objects
  2. oc adm migrate template-instances
  3. # To actually perform the update, the confirm flag must be appended
  4. oc adm migrate template-instances --confirm

oc adm must-gather

Launch a new instance of a pod for gathering debug information

Example usage

  1. # Gather information using the default plug-in image and command, writing into ./must-gather.local.<rand>
  2. oc adm must-gather
  3. # Gather information with a specific local folder to copy to
  4. oc adm must-gather --dest-dir=/local/directory
  5. # Gather audit information
  6. oc adm must-gather -- /usr/bin/gather_audit_logs
  7. # Gather information using multiple plug-in images
  8. oc adm must-gather --image=quay.io/kubevirt/must-gather --image=quay.io/openshift/origin-must-gather
  9. # Gather information using a specific image stream plug-in
  10. oc adm must-gather --image-stream=openshift/must-gather:latest
  11. # Gather information using a specific image, command, and pod-dir
  12. oc adm must-gather --image=my/image:tag --source-dir=/pod/directory -- myspecial-command.sh

oc adm new-project

Create a new project

Example usage

  1. # Create a new project using a node selector
  2. oc adm new-project myproject --node-selector='type=user-node,region=east'

oc adm node-logs

Display and filter node logs

Example usage

  1. # Show kubelet logs from all masters
  2. oc adm node-logs --role master -u kubelet
  3. # See what logs are available in masters in /var/logs
  4. oc adm node-logs --role master --path=/
  5. # Display cron log file from all masters
  6. oc adm node-logs --role master --path=cron

oc adm pod-network isolate-projects

Isolate project network

Example usage

  1. # Provide isolation for project p1
  2. oc adm pod-network isolate-projects <p1>
  3. # Allow all projects with label name=top-secret to have their own isolated project network
  4. oc adm pod-network isolate-projects --selector='name=top-secret'

oc adm pod-network join-projects

Join project network

Example usage

  1. # Allow project p2 to use project p1 network
  2. oc adm pod-network join-projects --to=<p1> <p2>
  3. # Allow all projects with label name=top-secret to use project p1 network
  4. oc adm pod-network join-projects --to=<p1> --selector='name=top-secret'

oc adm pod-network make-projects-global

Make project network global

Example usage

  1. # Allow project p1 to access all pods in the cluster and vice versa
  2. oc adm pod-network make-projects-global <p1>
  3. # Allow all projects with label name=share to access all pods in the cluster and vice versa
  4. oc adm pod-network make-projects-global --selector='name=share'

oc adm policy add-role-to-user

Add a role to users or service accounts for the current project

Example usage

  1. # Add the 'view' role to user1 for the current project
  2. oc adm policy add-role-to-user view user1
  3. # Add the 'edit' role to serviceaccount1 for the current project
  4. oc adm policy add-role-to-user edit -z serviceaccount1

oc adm policy add-scc-to-group

Add a security context constraint to groups

Example usage

  1. # Add the 'restricted' security context constraint to group1 and group2
  2. oc adm policy add-scc-to-group restricted group1 group2

oc adm policy add-scc-to-user

Add a security context constraint to users or a service account

Example usage

  1. # Add the 'restricted' security context constraint to user1 and user2
  2. oc adm policy add-scc-to-user restricted user1 user2
  3. # Add the 'privileged' security context constraint to serviceaccount1 in the current namespace
  4. oc adm policy add-scc-to-user privileged -z serviceaccount1

oc adm policy scc-review

Check which service account can create a pod

Example usage

  1. # Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml
  2. # Service Account specified in myresource.yaml file is ignored
  3. oc adm policy scc-review -z sa1,sa2 -f my_resource.yaml
  4. # Check whether service accounts system:serviceaccount:bob:default can admit a pod with a template pod spec specified in my_resource.yaml
  5. oc adm policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml
  6. # Check whether the service account specified in my_resource_with_sa.yaml can admit the pod
  7. oc adm policy scc-review -f my_resource_with_sa.yaml
  8. # Check whether the default service account can admit the pod; default is taken since no service account is defined in myresource_with_no_sa.yaml
  9. oc adm policy scc-review -f myresource_with_no_sa.yaml

oc adm policy scc-subject-review

Check whether a user or a service account can create a pod

Example usage

  1. # Check whether user bob can create a pod specified in myresource.yaml
  2. oc adm policy scc-subject-review -u bob -f myresource.yaml
  3. # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml
  4. oc adm policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml
  5. # Check whether a service account specified in the pod template spec in myresourcewithsa.yaml can create the pod
  6. oc adm policy scc-subject-review -f myresourcewithsa.yaml

oc adm prune builds

Remove old completed and failed builds

Example usage

  1. # Dry run deleting older completed and failed builds and also including
  2. # all builds whose associated build config no longer exists
  3. oc adm prune builds --orphans
  4. # To actually perform the prune operation, the confirm flag must be appended
  5. oc adm prune builds --orphans --confirm

oc adm prune deployments

Remove old completed and failed deployment configs

Example usage

  1. # Dry run deleting all but the last complete deployment for every deployment config
  2. oc adm prune deployments --keep-complete=1
  3. # To actually perform the prune operation, the confirm flag must be appended
  4. oc adm prune deployments --keep-complete=1 --confirm

oc adm prune groups

Remove old OpenShift groups referencing missing records from an external provider

Example usage

  1. # Prune all orphaned groups
  2. oc adm prune groups --sync-config=/path/to/ldap-sync-config.yaml --confirm
  3. # Prune all orphaned groups except the ones from the blacklist file
  4. oc adm prune groups --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
  5. # Prune all orphaned groups from a list of specific groups specified in a whitelist file
  6. oc adm prune groups --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
  7. # Prune all orphaned groups from a list of specific groups specified in a whitelist
  8. oc adm prune groups groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm

oc adm prune images

Remove unreferenced images

Example usage

  1. # See what the prune command would delete if only images and their referrers were more than an hour old
  2. # and obsoleted by 3 newer revisions under the same tag were considered
  3. oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m
  4. # To actually perform the prune operation, the confirm flag must be appended
  5. oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm
  6. # See what the prune command would delete if we are interested in removing images
  7. # exceeding currently set limit ranges ('openshift.io/Image')
  8. oc adm prune images --prune-over-size-limit
  9. # To actually perform the prune operation, the confirm flag must be appended
  10. oc adm prune images --prune-over-size-limit --confirm
  11. # Force the insecure http protocol with the particular registry host name
  12. oc adm prune images --registry-url=http://registry.example.org --confirm
  13. # Force a secure connection with a custom certificate authority to the particular registry host name
  14. oc adm prune images --registry-url=registry.example.org --certificate-authority=/path/to/custom/ca.crt --confirm

oc adm release extract

Extract the contents of an update payload to disk

Example usage

  1. # Use git to check out the source code for the current cluster release to DIR
  2. oc adm release extract --git=DIR
  3. # Extract cloud credential requests for AWS
  4. oc adm release extract --credentials-requests --cloud=aws
  5. # Use git to check out the source code for the current cluster release to DIR from linux/s390x image
  6. # Note: Wildcard filter is not supported. Pass a single os/arch to extract
  7. oc adm release extract --git=DIR quay.io/openshift-release-dev/ocp-release:4.2.2 --filter-by-os=linux/s390x

oc adm release info

Display information about a release

Example usage

  1. # Show information about the cluster's current release
  2. oc adm release info
  3. # Show the source code that comprises a release
  4. oc adm release info 4.2.2 --commit-urls
  5. # Show the source code difference between two releases
  6. oc adm release info 4.2.0 4.2.2 --commits
  7. # Show where the images referenced by the release are located
  8. oc adm release info quay.io/openshift-release-dev/ocp-release:4.2.2 --pullspecs
  9. # Show information about linux/s390x image
  10. # Note: Wildcard filter is not supported. Pass a single os/arch to extract
  11. oc adm release info quay.io/openshift-release-dev/ocp-release:4.2.2 --filter-by-os=linux/s390x

oc adm release mirror

Mirror a release to a different image registry location

Example usage

  1. # Perform a dry run showing what would be mirrored, including the mirror objects
  2. oc adm release mirror 4.3.0 --to myregistry.local/openshift/release \
  3. --release-image-signature-to-dir /tmp/releases --dry-run
  4. # Mirror a release into the current directory
  5. oc adm release mirror 4.3.0 --to file://openshift/release \
  6. --release-image-signature-to-dir /tmp/releases
  7. # Mirror a release to another directory in the default location
  8. oc adm release mirror 4.3.0 --to-dir /tmp/releases
  9. # Upload a release from the current directory to another server
  10. oc adm release mirror --from file://openshift/release --to myregistry.com/openshift/release \
  11. --release-image-signature-to-dir /tmp/releases
  12. # Mirror the 4.3.0 release to repository registry.example.com and apply signatures to connected cluster
  13. oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release:4.3.0-x86_64 \
  14. --to=registry.example.com/your/repository --apply-release-image-signature

oc adm release new

Create a new OpenShift release

Example usage

  1. # Create a release from the latest origin images and push to a DockerHub repo
  2. oc adm release new --from-image-stream=4.1 -n origin --to-image docker.io/mycompany/myrepo:latest
  3. # Create a new release with updated metadata from a previous release
  4. oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1 --name 4.1.1 \
  5. --previous 4.1.0 --metadata ... --to-image docker.io/mycompany/myrepo:latest
  6. # Create a new release and override a single image
  7. oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1 \
  8. cli=docker.io/mycompany/cli:latest --to-image docker.io/mycompany/myrepo:latest
  9. # Run a verification pass to ensure the release can be reproduced
  10. oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1

oc adm taint

Update the taints on one or more nodes

Example usage

  1. # Update node 'foo' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule'
  2. # If a taint with that key and effect already exists, its value is replaced as specified
  3. oc adm taint nodes foo dedicated=special-user:NoSchedule
  4. # Remove from node 'foo' the taint with key 'dedicated' and effect 'NoSchedule' if one exists
  5. oc adm taint nodes foo dedicated:NoSchedule-
  6. # Remove from node 'foo' all the taints with key 'dedicated'
  7. oc adm taint nodes foo dedicated-
  8. # Add a taint with key 'dedicated' on nodes having label mylabel=X
  9. oc adm taint node -l myLabel=X dedicated=foo:PreferNoSchedule
  10. # Add to node 'foo' a taint with key 'bar' and no value
  11. oc adm taint nodes foo bar:NoSchedule

oc adm top images

Show usage statistics for images

Example usage

  1. # Show usage statistics for images
  2. oc adm top images

oc adm top imagestreams

Show usage statistics for image streams

Example usage

  1. # Show usage statistics for image streams
  2. oc adm top imagestreams

oc adm top node

Display resource (CPU/memory) usage of nodes

Example usage

  1. # Show metrics for all nodes
  2. oc adm top node
  3. # Show metrics for a given node
  4. oc adm top node NODE_NAME

oc adm top pod

Display resource (CPU/memory) usage of pods

Example usage

  1. # Show metrics for all pods in the default namespace
  2. oc adm top pod
  3. # Show metrics for all pods in the given namespace
  4. oc adm top pod --namespace=NAMESPACE
  5. # Show metrics for a given pod and its containers
  6. oc adm top pod POD_NAME --containers
  7. # Show metrics for the pods defined by label name=myLabel
  8. oc adm top pod -l name=myLabel

oc adm uncordon

Mark node as schedulable

Example usage

  1. # Mark node "foo" as schedulable
  2. oc adm uncordon foo

oc adm upgrade

Upgrade a cluster or adjust the upgrade channel

Example usage

  1. # Review the available cluster updates
  2. oc adm upgrade
  3. # Update to the latest version
  4. oc adm upgrade --to-latest=true

oc adm verify-image-signature

Verify the image identity contained in the image signature

Example usage

  1. # Verify the image signature and identity using the local GPG keychain
  2. oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
  3. --expected-identity=registry.local:5000/foo/bar:v1
  4. # Verify the image signature and identity using the local GPG keychain and save the status
  5. oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
  6. --expected-identity=registry.local:5000/foo/bar:v1 --save
  7. # Verify the image signature and identity via exposed registry route
  8. oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
  9. --expected-identity=registry.local:5000/foo/bar:v1 \
  10. --registry-url=docker-registry.foo.com
  11. # Remove all signature verifications from the image
  12. oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --remove-all

Additional resources