OpenShift CLI administrator command reference

This reference provides descriptions and example commands for OpenShift CLI (oc) administrator commands. For developer commands, see the OpenShift CLI developer command reference.

Run oc adm help to list all administrator commands or run oc <command> --help to get additional details for a specific command.

OpenShift CLI (oc) administrator commands

oc adm build-chain

Output the inputs and dependencies of your builds

Example usage

    # Build the dependency tree for the 'latest' tag in <image-stream>
    oc adm build-chain <image-stream>

    # Build the dependency tree for the 'v2' tag in dot format and visualize it via the dot utility
    oc adm build-chain <image-stream>:v2 -o dot | dot -T svg -o deps.svg

    # Build the dependency tree across all namespaces for the specified image stream tag found in the 'test' namespace
    oc adm build-chain <image-stream> -n test --all

oc adm catalog mirror

Mirror an operator-registry catalog

Example usage

    # Mirror an operator-registry image and its contents to a registry
    oc adm catalog mirror quay.io/my/image:latest myregistry.com

    # Mirror an operator-registry image and its contents to a particular namespace in a registry
    oc adm catalog mirror quay.io/my/image:latest myregistry.com/my-namespace

    # Mirror to an airgapped registry by first mirroring to files
    oc adm catalog mirror quay.io/my/image:latest file:///local/index
    oc adm catalog mirror file:///local/index/my/image:latest my-airgapped-registry.com

    # Configure a cluster to use a mirrored registry
    oc apply -f manifests/imageContentSourcePolicy.yaml

    # Edit the mirroring mappings and mirror with "oc image mirror" manually
    oc adm catalog mirror --manifests-only quay.io/my/image:latest myregistry.com
    oc image mirror -f manifests/mapping.txt

    # Delete all ImageContentSourcePolicies generated by oc adm catalog mirror
    oc delete imagecontentsourcepolicy -l operators.openshift.org/catalog=true

oc adm completion

Output shell completion code for the specified shell (bash or zsh)

Example usage

    # Installing bash completion on macOS using homebrew
    ## If running Bash 3.2 included with macOS
    brew install bash-completion
    ## or, if running Bash 4.1+
    brew install bash-completion@2
    ## If oc is installed via homebrew, this should start working immediately.
    ## If you've installed via other means, you may need to add the completion to your completion directory
    oc completion bash > $(brew --prefix)/etc/bash_completion.d/oc

    # Installing bash completion on Linux
    ## If bash-completion is not installed on Linux, please install the 'bash-completion' package
    ## via your distribution's package manager.
    ## Load the oc completion code for bash into the current shell
    source <(oc completion bash)
    ## Write bash completion code to a file and source it from .bash_profile
    oc completion bash > ~/.kube/completion.bash.inc
    printf "
    # Kubectl shell completion
    source '$HOME/.kube/completion.bash.inc'
    " >> $HOME/.bash_profile
    source $HOME/.bash_profile

    # Load the oc completion code for zsh into the current shell
    source <(oc completion zsh)

    # Set the oc completion code for zsh to autoload on startup
    oc completion zsh > "${fpath[1]}/_oc"

oc adm config current-context

Displays the current-context

Example usage

    # Display the current-context
    oc config current-context

oc adm config delete-cluster

Delete the specified cluster from the kubeconfig

Example usage

    # Delete the minikube cluster
    oc config delete-cluster minikube

oc adm config delete-context

Delete the specified context from the kubeconfig

Example usage

    # Delete the context for the minikube cluster
    oc config delete-context minikube

oc adm config delete-user

Delete the specified user from the kubeconfig

Example usage

    # Delete the minikube user
    oc config delete-user minikube

oc adm config get-clusters

Display clusters defined in the kubeconfig

Example usage

    # List the clusters oc knows about
    oc config get-clusters

oc adm config get-contexts

Describe one or many contexts

Example usage

    # List all the contexts in your kubeconfig file
    oc config get-contexts

    # Describe one context in your kubeconfig file.
    oc config get-contexts my-context

oc adm config get-users

Display users defined in the kubeconfig

Example usage

    # List the users oc knows about
    oc config get-users

oc adm config rename-context

Renames a context from the kubeconfig file.

Example usage

    # Rename the context 'old-name' to 'new-name' in your kubeconfig file
    oc config rename-context old-name new-name

oc adm config set

Sets an individual value in a kubeconfig file

Example usage

    # Set server field on the my-cluster cluster to https://1.2.3.4
    oc config set clusters.my-cluster.server https://1.2.3.4

    # Set certificate-authority-data field on the my-cluster cluster.
    oc config set clusters.my-cluster.certificate-authority-data $(echo "cert_data_here" | base64 -i -)

    # Set cluster field in the my-context context to my-cluster.
    oc config set contexts.my-context.cluster my-cluster

    # Set client-key-data field in the cluster-admin user using --set-raw-bytes option.
    oc config set users.cluster-admin.client-key-data cert_data_here --set-raw-bytes=true

oc adm config set-cluster

Sets a cluster entry in kubeconfig

Example usage

    # Set only the server field on the e2e cluster entry without touching other values.
    oc config set-cluster e2e --server=https://1.2.3.4

    # Embed certificate authority data for the e2e cluster entry
    oc config set-cluster e2e --embed-certs --certificate-authority=~/.kube/e2e/kubernetes.ca.crt

    # Disable cert checking for the e2e cluster entry
    oc config set-cluster e2e --insecure-skip-tls-verify=true

    # Set custom TLS server name to use for validation for the e2e cluster entry
    oc config set-cluster e2e --tls-server-name=my-cluster-name

oc adm config set-context

Sets a context entry in kubeconfig

Example usage

    # Set the user field on the gce context entry without touching other values
    oc config set-context gce --user=cluster-admin

oc adm config set-credentials

Sets a user entry in kubeconfig

Example usage

    # Set only the "client-key" field on the "cluster-admin"
    # entry, without touching other values:
    oc config set-credentials cluster-admin --client-key=~/.kube/admin.key

    # Set basic auth for the "cluster-admin" entry
    oc config set-credentials cluster-admin --username=admin --password=uXFGweU9l35qcif

    # Embed client certificate data in the "cluster-admin" entry
    oc config set-credentials cluster-admin --client-certificate=~/.kube/admin.crt --embed-certs=true

    # Enable the Google Compute Platform auth provider for the "cluster-admin" entry
    oc config set-credentials cluster-admin --auth-provider=gcp

    # Enable the OpenID Connect auth provider for the "cluster-admin" entry with additional args
    oc config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-id=foo --auth-provider-arg=client-secret=bar

    # Remove the "client-secret" config value for the OpenID Connect auth provider for the "cluster-admin" entry
    oc config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-secret-

    # Enable new exec auth plugin for the "cluster-admin" entry
    oc config set-credentials cluster-admin --exec-command=/path/to/the/executable --exec-api-version=client.authentication.k8s.io/v1beta1

    # Define new exec auth plugin args for the "cluster-admin" entry
    oc config set-credentials cluster-admin --exec-arg=arg1 --exec-arg=arg2

    # Create or update exec auth plugin environment variables for the "cluster-admin" entry
    oc config set-credentials cluster-admin --exec-env=key1=val1 --exec-env=key2=val2

    # Remove exec auth plugin environment variables for the "cluster-admin" entry
    oc config set-credentials cluster-admin --exec-env=var-to-remove-

oc adm config unset

Unsets an individual value in a kubeconfig file

Example usage

    # Unset the current-context.
    oc config unset current-context

    # Unset namespace in foo context.
    oc config unset contexts.foo.namespace

oc adm config use-context

Sets the current-context in a kubeconfig file

Example usage

    # Use the context for the minikube cluster
    oc config use-context minikube

oc adm config view

Display merged kubeconfig settings or a specified kubeconfig file

Example usage

    # Show merged kubeconfig settings.
    oc config view

    # Show merged kubeconfig settings and raw certificate data.
    oc config view --raw

    # Get the password for the e2e user
    oc config view -o jsonpath='{.users[?(@.name == "e2e")].user.password}'

oc adm cordon

Mark node as unschedulable

Example usage

    # Mark node "foo" as unschedulable.
    oc adm cordon foo

oc adm create-bootstrap-project-template

Create a bootstrap project template

Example usage

    # Output a bootstrap project template in YAML format to stdout
    oc adm create-bootstrap-project-template -o yaml

oc adm create-error-template

Create an error page template

Example usage

    # Output a template for the error page to stdout
    oc adm create-error-template

oc adm create-login-template

Create a login template

Example usage

    # Output a template for the login page to stdout
    oc adm create-login-template

oc adm create-provider-selection-template

Create a provider selection template

Example usage

    # Output a template for the provider selection page to stdout
    oc adm create-provider-selection-template

oc adm drain

Drain node in preparation for maintenance

Example usage

    # Drain node "foo", even if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet on it.
    oc adm drain foo --force

    # As above, but abort if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet, and use a grace period of 15 minutes.
    oc adm drain foo --grace-period=900

oc adm groups add-users

Add users to a group

Example usage

    # Add user1 and user2 to my-group
    oc adm groups add-users my-group user1 user2

oc adm groups new

Create a new group

Example usage

    # Add a group with no users
    oc adm groups new my-group

    # Add a group with two users
    oc adm groups new my-group user1 user2

    # Add a group with one user and shorter output
    oc adm groups new my-group user1 -o name

oc adm groups prune

Remove old OpenShift groups referencing missing records from an external provider

Example usage

    # Prune all orphaned groups
    oc adm groups prune --sync-config=/path/to/ldap-sync-config.yaml --confirm

    # Prune all orphaned groups except the ones from the blacklist file
    oc adm groups prune --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

    # Prune all orphaned groups from a list of specific groups specified in a whitelist file
    oc adm groups prune --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

    # Prune all orphaned groups from a list of specific groups specified in a whitelist
    oc adm groups prune groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm

oc adm groups remove-users

Remove users from a group

Example usage

    # Remove user1 and user2 from my-group
    oc adm groups remove-users my-group user1 user2

oc adm groups sync

Sync OpenShift groups with records from an external provider

Example usage

    # Sync all groups with an LDAP server
    oc adm groups sync --sync-config=/path/to/ldap-sync-config.yaml --confirm

    # Sync all groups except the ones from the blacklist file with an LDAP server
    oc adm groups sync --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

    # Sync specific groups specified in a whitelist file with an LDAP server
    oc adm groups sync --whitelist=/path/to/whitelist.txt --sync-config=/path/to/sync-config.yaml --confirm

    # Sync all OpenShift groups that have been synced previously with an LDAP server
    oc adm groups sync --type=openshift --sync-config=/path/to/ldap-sync-config.yaml --confirm

    # Sync specific OpenShift groups if they have been synced previously with an LDAP server
    oc adm groups sync groups/group1 groups/group2 groups/group3 --sync-config=/path/to/sync-config.yaml --confirm

oc adm inspect

Collect debugging data for a given resource

Example usage

    # Collect debugging data for the "openshift-apiserver" clusteroperator
    oc adm inspect clusteroperator/openshift-apiserver

    # Collect debugging data for the "openshift-apiserver" and "kube-apiserver" clusteroperators
    oc adm inspect clusteroperator/openshift-apiserver clusteroperator/kube-apiserver

    # Collect debugging data for all clusteroperators
    oc adm inspect clusteroperator

    # Collect debugging data for all clusteroperators and clusterversions
    oc adm inspect clusteroperators,clusterversions

oc adm migrate template-instances

Update template instances to point to the latest group-version-kinds

Example usage

    # Perform a dry-run of updating all objects
    oc adm migrate template-instances

    # To actually perform the update, the confirm flag must be appended
    oc adm migrate template-instances --confirm

oc adm must-gather

Launch a new instance of a pod for gathering debug information

Example usage

    # Gather information using the default plug-in image and command, writing into ./must-gather.local.<rand>
    oc adm must-gather

    # Gather information with a specific local folder to copy to
    oc adm must-gather --dest-dir=/local/directory

    # Gather audit information
    oc adm must-gather -- /usr/bin/gather_audit_logs

    # Gather information using multiple plug-in images
    oc adm must-gather --image=quay.io/kubevirt/must-gather --image=quay.io/openshift/origin-must-gather

    # Gather information using a specific image stream plug-in
    oc adm must-gather --image-stream=openshift/must-gather:latest

    # Gather information using a specific image, command, and pod-dir
    oc adm must-gather --image=my/image:tag --source-dir=/pod/directory -- myspecial-command.sh

oc adm new-project

Create a new project

Example usage

    # Create a new project using a node selector
    oc adm new-project myproject --node-selector='type=user-node,region=east'

oc adm node-logs

Display and filter node logs

Example usage

    # Show kubelet logs from all masters
    oc adm node-logs --role master -u kubelet

    # See what logs are available in masters in /var/log
    oc adm node-logs --role master --path=/

    # Display cron log file from all masters
    oc adm node-logs --role master --path=cron

oc adm pod-network isolate-projects

Isolate project network

Example usage

    # Provide isolation for project p1
    oc adm pod-network isolate-projects <p1>

    # Allow all projects with label name=top-secret to have their own isolated project network
    oc adm pod-network isolate-projects --selector='name=top-secret'

oc adm pod-network join-projects

Join project network

Example usage

    # Allow project p2 to use project p1 network
    oc adm pod-network join-projects --to=<p1> <p2>

    # Allow all projects with label name=top-secret to use project p1 network
    oc adm pod-network join-projects --to=<p1> --selector='name=top-secret'

oc adm pod-network make-projects-global

Make project network global

Example usage

    # Allow project p1 to access all pods in the cluster and vice versa
    oc adm pod-network make-projects-global <p1>

    # Allow all projects with label name=share to access all pods in the cluster and vice versa
    oc adm pod-network make-projects-global --selector='name=share'

oc adm policy add-role-to-user

Add a role to users or service accounts for the current project

Example usage

    # Add the 'view' role to user1 for the current project
    oc policy add-role-to-user view user1

    # Add the 'edit' role to serviceaccount1 for the current project
    oc policy add-role-to-user edit -z serviceaccount1

oc adm policy add-scc-to-group

Add a security context constraint to groups

Example usage

    # Add the 'restricted' security context constraint to group1 and group2
    oc adm policy add-scc-to-group restricted group1 group2

oc adm policy add-scc-to-user

Add a security context constraint to users or a service account

Example usage

    # Add the 'restricted' security context constraint to user1 and user2
    oc adm policy add-scc-to-user restricted user1 user2

    # Add the 'privileged' security context constraint to serviceaccount1 in the current namespace
    oc adm policy add-scc-to-user privileged -z serviceaccount1

oc adm policy scc-review

Check which service account can create a pod

Example usage

    # Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml
    # Service Account specified in my_resource.yaml file is ignored
    oc policy scc-review -z sa1,sa2 -f my_resource.yaml

    # Check whether service account system:serviceaccount:bob:default can admit a pod with a template pod spec specified in my_resource.yaml
    oc policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml

    # Check whether the service account specified in my_resource_with_sa.yaml can admit the pod
    oc policy scc-review -f my_resource_with_sa.yaml

    # Check whether the default service account can admit the pod; default is taken since no service account is defined in myresource_with_no_sa.yaml
    oc policy scc-review -f myresource_with_no_sa.yaml

oc adm policy scc-subject-review

Check whether a user or a service account can create a pod

Example usage

    # Check whether user bob can create a pod specified in myresource.yaml
    oc policy scc-subject-review -u bob -f myresource.yaml

    # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml
    oc policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml

    # Check whether a service account specified in the pod template spec in myresourcewithsa.yaml can create the pod
    oc policy scc-subject-review -f myresourcewithsa.yaml

oc adm prune builds

Remove old completed and failed builds

Example usage

    # Dry run deleting older completed and failed builds and also including
    # all builds whose associated build config no longer exists
    oc adm prune builds --orphans

    # To actually perform the prune operation, the confirm flag must be appended
    oc adm prune builds --orphans --confirm

oc adm prune deployments

Remove old completed and failed deployment configs

Example usage

    # Dry run deleting all but the last complete deployment for every deployment config
    oc adm prune deployments --keep-complete=1

    # To actually perform the prune operation, the confirm flag must be appended
    oc adm prune deployments --keep-complete=1 --confirm

oc adm prune groups

Remove old OpenShift groups referencing missing records from an external provider

Example usage

    # Prune all orphaned groups
    oc adm prune groups --sync-config=/path/to/ldap-sync-config.yaml --confirm

    # Prune all orphaned groups except the ones from the blacklist file
    oc adm prune groups --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

    # Prune all orphaned groups from a list of specific groups specified in a whitelist file
    oc adm prune groups --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

    # Prune all orphaned groups from a list of specific groups specified in a whitelist
    oc adm prune groups groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm

oc adm prune images

Remove unreferenced images

Example usage

    # See what the prune command would delete if only images and their referrers were more than an hour old
    # and obsoleted by 3 newer revisions under the same tag were considered
    oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m

    # To actually perform the prune operation, the confirm flag must be appended
    oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm

    # See what the prune command would delete if we are interested in removing images
    # exceeding currently set limit ranges ('openshift.io/Image')
    oc adm prune images --prune-over-size-limit

    # To actually perform the prune operation, the confirm flag must be appended
    oc adm prune images --prune-over-size-limit --confirm

    # Force the insecure http protocol with the particular registry host name
    oc adm prune images --registry-url=http://registry.example.org --confirm

    # Force a secure connection with a custom certificate authority to the particular registry host name
    oc adm prune images --registry-url=registry.example.org --certificate-authority=/path/to/custom/ca.crt --confirm

oc adm release extract

Extract the contents of an update payload to disk

Example usage

    # Use git to check out the source code for the current cluster release to DIR
    oc adm release extract --git=DIR

    # Extract cloud credential requests for AWS
    oc adm release extract --credentials-requests --cloud=aws

oc adm release info

Display information about a release

Example usage

    # Show information about the cluster's current release
    oc adm release info

    # Show the source code that comprises a release
    oc adm release info 4.2.2 --commit-urls

    # Show the source code difference between two releases
    oc adm release info 4.2.0 4.2.2 --commits

    # Show where the images referenced by the release are located
    oc adm release info quay.io/openshift-release-dev/ocp-release:4.2.2 --pullspecs

oc adm release mirror

Mirror a release to a different image registry location

Example usage

    # Perform a dry run showing what would be mirrored, including the mirror objects
    oc adm release mirror 4.3.0 --to myregistry.local/openshift/release \
        --release-image-signature-to-dir /tmp/releases --dry-run

    # Mirror a release into the current directory
    oc adm release mirror 4.3.0 --to file://openshift/release \
        --release-image-signature-to-dir /tmp/releases

    # Mirror a release to another directory in the default location
    oc adm release mirror 4.3.0 --to-dir /tmp/releases

    # Upload a release from the current directory to another server
    oc adm release mirror --from file://openshift/release --to myregistry.com/openshift/release \
        --release-image-signature-to-dir /tmp/releases

    # Mirror the 4.3.0 release to repository registry.example.com and apply signatures to connected cluster
    oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release:4.3.0-x86_64 \
        --to=registry.example.com/your/repository --apply-release-image-signature

oc adm release new

Create a new OpenShift release

Example usage

    # Create a release from the latest origin images and push to a DockerHub repo
    oc adm release new --from-image-stream=4.1 -n origin --to-image docker.io/mycompany/myrepo:latest

    # Create a new release with updated metadata from a previous release
    oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1 --name 4.1.1 \
        --previous 4.1.0 --metadata ... --to-image docker.io/mycompany/myrepo:latest

    # Create a new release and override a single image
    oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1 \
        cli=docker.io/mycompany/cli:latest --to-image docker.io/mycompany/myrepo:latest

    # Run a verification pass to ensure the release can be reproduced
    oc adm release new --from-release registry.svc.ci.openshift.org/origin/release:v4.1

oc adm taint

Update the taints on one or more nodes

Example usage

    # Update node 'foo' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule'.
    # If a taint with that key and effect already exists, its value is replaced as specified.
    oc adm taint nodes foo dedicated=special-user:NoSchedule

    # Remove from node 'foo' the taint with key 'dedicated' and effect 'NoSchedule' if one exists.
    oc adm taint nodes foo dedicated:NoSchedule-

    # Remove from node 'foo' all the taints with key 'dedicated'
    oc adm taint nodes foo dedicated-

    # Add a taint with key 'dedicated' on nodes having label myLabel=X
    oc adm taint node -l myLabel=X dedicated=foo:PreferNoSchedule

    # Add to node 'foo' a taint with key 'bar' and no value
    oc adm taint nodes foo bar:NoSchedule

oc adm top images

Show usage statistics for images

Example usage

    # Show usage statistics for images
    oc adm top images

oc adm top imagestreams

Show usage statistics for image streams

Example usage

    # Show usage statistics for image streams
    oc adm top imagestreams

oc adm top node

Display Resource (CPU/Memory) usage of nodes

Example usage

    # Show metrics for all nodes
    oc adm top node

    # Show metrics for a given node
    oc adm top node NODE_NAME

oc adm top pod

Display Resource (CPU/Memory) usage of pods

Example usage

    # Show metrics for all pods in the default namespace
    oc adm top pod

    # Show metrics for all pods in the given namespace
    oc adm top pod --namespace=NAMESPACE

    # Show metrics for a given pod and its containers
    oc adm top pod POD_NAME --containers

    # Show metrics for the pods defined by label name=myLabel
    oc adm top pod -l name=myLabel

oc adm uncordon

Mark node as schedulable

Example usage

    # Mark node "foo" as schedulable.
    oc adm uncordon foo

oc adm verify-image-signature

Verify the image identity contained in the image signature

Example usage

    # Verify the image signature and identity using the local GPG keychain
    oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
        --expected-identity=registry.local:5000/foo/bar:v1

    # Verify the image signature and identity using the local GPG keychain and save the status
    oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
        --expected-identity=registry.local:5000/foo/bar:v1 --save

    # Verify the image signature and identity via exposed registry route
    oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
        --expected-identity=registry.local:5000/foo/bar:v1 \
        --registry-url=docker-registry.foo.com

    # Remove all signature verifications from the image
    oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --remove-all
