This is a cache of https://docs.openshift.com/acs/4.5/cli/command-reference/roxctl-declarative-config.html. It is a snapshot of the page at 2024-11-24T18:06:47.519+0000.
roxctl d<strong>e</strong>clarativ<strong>e</strong>-config - roxctl CLI command r<strong>e</strong>f<strong>e</strong>r<strong>e</strong>nc<strong>e</strong> | roxctl CLI | R<strong>e</strong>d Hat Advanc<strong>e</strong>d Clust<strong>e</strong>r S<strong>e</strong>curity for Kub<strong>e</strong>rn<strong>e</strong>t<strong>e</strong>s 4.5
&times;

roxctl declarative-config command options inherited from the parent command

The roxctl declarative-config command supports the following options inherited from the parent roxctl command:

Option Description

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CeRT_FILe environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIReCT_GRPC_CLIeNT environment variable to true, you can enable direct gRPC . The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_eNDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIeNT_FORCe_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

enable insecure connection options. Alternatively, by setting the ROX_INSeCURe_CLIeNT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSeCURe_CLIeNT_SKIP_TLS_VeRIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTeXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SeRVeR_NAMe environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKeN environment variable.

These options are applicable to all the sub-commands of the roxctl declarative-config command.

roxctl declarative-config lint

Lint an existing declarative configuration YAML file.

Usage
$ roxctl declarative-config lint [flags]
Table 2. Options
Option Description

--config-map string

Read the declarative configuration from the --config-map string. If not specified, the configuration is read from the YAML file specified by using the --file flag.

-f, --file string

File containing the declarative configuration in YAML format.

--namespace string

Read the declarative configuration from the --namespace string of the configuration map. If not specified, the namespace specified in the current Kubernetes configuration context is used.

--secret string

Read the declarative configuration from the specified --secret string. If not specified, the configuration is read from the YAML file specified by using the --file flag.

roxctl declarative-config create

Create declarative configurations.

Usage
$ roxctl declarative-config create [flags]
Table 3. Options
Option Description

--config-map string

Write the declarative configuration YAML in the configuration map. If not specified and the --secret flag is also not specified, the generated YAML is printed in the standard output format.

--namespace string

Required if you want to write the declarative configuration YAML to a configuration map or secret. If not specified, the default namespace in the current Kubernetes configuration is used.

--secret string

Write the declarative configuration YAML in the Secret. You must use secrets for sensitive data. If not specified and the --config-map flag is also not specified, the generated YAML is printed in the standard output format.

roxctl declarative-config create role

Create a declarative configuration for a role.

Usage
$ roxctl declarative-config create role [flags]
Table 4. Options
Option Description

--access-scope string

By providing the name, you can specify the referenced access scope.

--description string

Set a description for the role.

--name string

Specify the name of the role.

--permission-set string

By providing the name, you can specify the referenced permission set.

roxctl declarative-config create notifier

Create a declarative configuration for a notifier.

Usage
$ roxctl declarative-config create notifier [flags]
Table 5. Options
Option Description

--name string

Specify the name of the notifier.

roxctl declarative-config create access-scope

Create a declarative configuration for an access scope.

Usage
$ roxctl declarative-config create access-scope [flags]
Table 6. Options
Option Description

--cluster-label-selector requirement

Specify the criteria for creating a label selector based on the cluster’s labels. The key-value pairs represent requirements, and you can use this flag multiple times to create a combination of requirements. The default value is [ [ ] ]. For more details, run the roxctl declarative-config create access-scope --help command.

--description string

Set a description for the access scope.

--included included-object

Specify a list of clusters and their namespaces that you want to include in the access scope. The default value is [null].

--name string

Specify the name of the access scope.

--namespace-label-selector requirement

Specify the criteria for creating a label selector based on the namespace’s labels. Similar to the cluster-label-selector, you can use this flag multiple times for the combination of requirements. For more details, run the roxctl declarative-config create access-scope --help command.

roxctl declarative-config create auth-provider

Create a declarative configuration for an authentication provider.

Usage
$ roxctl declarative-config create auth-provider [flags]
Table 7. Options
Option Description

--extra-ui-endpoints strings

Specify additional user interface (UI) endpoints from which the authentication provider is used. The expected format is <endpoint>:<port>.

--groups-key strings

Set the keys of the groups that you want to add within the authentication provider. The tuples of key, value and role should have the same length. For more details, run the roxctl declarative-config create auth-provider --help command.

--groups-role strings

Set the role of the groups that you want to add within the authentication provider. The tuples of key, value and role should have the same length. For more details, run the roxctl declarative-config create auth-provider --help command.

--groups-value strings

Set the values of the groups that you want to add within the authentication provider. The tuples of key, value and role should have the same length. For more details, run the roxctl declarative-config create auth-provider --help command.

--minimum-access-role string

Set the minimum access role of the authentication provider. You can leave this field empty if you do not want to configure the minimum access role by using the declarative configuration.

--name string

Specify the name of the authentication provider.

--required-attributes stringToString

Set a list of attributes that the authentication provider must return during authentication. The default value is [].

--ui-endpoint string

Set the UI endpoint from which the authentication provider is used. This is usually the public endpoint where RHACS is available. The expected format is <endpoint>:<port>.

roxctl declarative-config create permission-set

Create a declarative configuration for a permission set.

Usage
$ roxctl declarative-config create permission-set [flags]
Table 8. Options
Option Description

--description string

Set the description of the permission set.

--name string

Specify the name of the permission set.

--resource-with-access stringToString

Set a list of resources with their respective access levels. The default value is []. For more details, run the roxctl declarative-config create permission-set --help command.

roxctl declarative-config create notifier splunk

Create a declarative configuration for a splunk notifier.

Usage
$ roxctl declarative-config create notifier splunk [flags]
Table 9. Options
Option Description

--audit-logging

enable audit logging. The default value is false.

--source-types stringToString

Specify Splunk source types as comma-separated key=value pairs. The default value is [].

--splunk-endpoint string

Specify the Splunk HTTP endpoint. This is a mandatory option.

--splunk-skip-tls-verify

Use an insecure connection to Splunk. The default value is false.

--splunk-token string

Specify the Splunk HTTP token. This is a mandatory option.

--truncate int

Specify the Splunk truncate limit. The default value is 10000.

roxctl declarative-config create notifier generic

Create a declarative configuration for a generic notifier.

Usage
$ roxctl declarative-config create notifier generic [flags]
Table 10. Options
Option Description

--audit-logging

enable audit logging. The default value is false.

--extra-fields stringToString

Specify additional fields as comma-separated key=value pairs. The default value is [].

--headers stringToString

Specify headers as comma-separated key=value pairs. The default value is [].

--webhook-cacert-file string

Specify the file name of the endpoint CA certificate in PeM format.

--webhook-endpoint string

Specify the URL of the webhook endpoint.

--webhook-password string

Specify the password for basic authentication of the webhook endpoint. No authentication if not specified. Requires --webhook-username.

--webhook-skip-tls-verify

Skip webhook TLS verification. The default value is false.

--webhook-username string

Specify the username for basic authentication of the webhook endpoint. No authentication occurs if not specified. Requires --webhook-password.

roxctl declarative-config create auth-provider iap

Create a declarative configuration for an authentication provider with the identity-aware proxy (IAP) identifier.

Usage
$ roxctl declarative-config create auth-provider iap [flags]
Table 11. Options
Option Description

--audience string

Specify the target group that you want to validate.

roxctl declarative-config create auth-provider oidc

Create a declarative configuration for an OpenID Connect (OIDC) authentication provider.

Usage
$ roxctl declarative-config create auth-provider oidc [flags]
Table 12. Options
Option Description

--claim-mappings stringToString

Specify a list of non-standard claims from the identity provider (IdP) token that you want to include in the authentication provider’s rules. The default value is [].

--client-id string

Specify the client ID of the OIDC client.

--client-secret string

Specify the client secret of the OIDC client.

--disable-offline-access

Disable the request for the offline_access from the OIDC IdP. You need to use this option if the OIDC IdP limits the number of sessions with the offline_access scope. The default value is false.

--issuer string

Specify the issuer of the OIDC client.

--mode string

Specify the callback mode that you want to use. Valid values include auto, post, query and fragment. The default value is auto.

roxctl declarative-config create auth-provider saml

Create a declarative configuration for a SAML authentication provider.

Usage
$ roxctl declarative-config create auth-provider saml [flags]
Table 13. Options
Option Description

--idp-cert string

Specify the file containing the SAML identity provider (IdP) certificate in PeM format.

--idp-issuer string

Specify the issuer of the IdP.

--metadata-url string

Specify the metadata URL of the service provider.

--name-id-format string

Specify the format of the name ID.

--sp-issuer string

Specify the issuer of the service provider.

--sso-url string

Specify the URL of the IdP for single sign-on (SSO).

roxctl declarative-config create auth-provider userpki

Create a declarative configuration for an user PKI authentication provider.

Usage
$ roxctl declarative-config create auth-provider userpki [flags]
Table 14. Options
Option Description

--ca-file string

Specify the file containing the certification authorities in PeM format.

roxctl declarative-config create auth-provider openshift-auth

Create a declarative configuration for an OpenShift Container Platform OAuth authentication provider.

Usage
$ roxctl declarative-config create auth-provider openshift-auth [flags]