Portal CLI reference
Auto-generated by portal docgen. Do not edit by hand — run make generate-docs to refresh.
portal
Portal — Kubernetes admission, audit, NetworkPolicy and response-action engine
Synopsis
Portal evaluates expr-lang rules against Kubernetes resources at admission time and continuously over informer-driven audit, dispatches response actions, and analyses NetworkPolicy graphs declaratively.
Options
SEE ALSO
- portal completion - Generate the autocompletion script for the specified shell
- portal init-certs - Generate webhook TLS material and inject the CA bundle into the ValidatingWebhookConfiguration
- portal migrate-rules - Convert podwatcher-poc SpEL rules into Portal expr-lang rules
- portal run - Run Portal (admission webhook, audit loop, network analyser)
portal completion
Generate the autocompletion script for the specified shell
Synopsis
Generate the autocompletion script for portal for the specified shell. See each sub-command's help for details on how to use the generated script.
Options
SEE ALSO
- portal - Portal — Kubernetes admission, audit, NetworkPolicy and response-action engine
- portal completion bash - Generate the autocompletion script for bash
- portal completion fish - Generate the autocompletion script for fish
- portal completion powershell - Generate the autocompletion script for powershell
- portal completion zsh - Generate the autocompletion script for zsh
portal completion bash
Generate the autocompletion script for bash
Synopsis
Generate the autocompletion script for the bash shell.
This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.
To load completions in your current shell session:
source <(portal completion bash)
To load completions for every new session, execute once:
Linux:
portal completion bash > /etc/bash_completion.d/portal
macOS:
portal completion bash > $(brew --prefix)/etc/bash_completion.d/portal
You will need to start a new shell for this setup to take effect.
Options
SEE ALSO
- portal completion - Generate the autocompletion script for the specified shell
portal completion fish
Generate the autocompletion script for fish
Synopsis
Generate the autocompletion script for the fish shell.
To load completions in your current shell session:
portal completion fish | source
To load completions for every new session, execute once:
portal completion fish > ~/.config/fish/completions/portal.fish
You will need to start a new shell for this setup to take effect.
Options
SEE ALSO
- portal completion - Generate the autocompletion script for the specified shell
portal completion powershell
Generate the autocompletion script for powershell
Synopsis
Generate the autocompletion script for powershell.
To load completions in your current shell session:
portal completion powershell | Out-String | Invoke-Expression
To load completions for every new session, add the output of the above command to your powershell profile.
Options
SEE ALSO
- portal completion - Generate the autocompletion script for the specified shell
portal completion zsh
Generate the autocompletion script for zsh
Synopsis
Generate the autocompletion script for the zsh shell.
If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:
echo "autoload -U compinit; compinit" >> ~/.zshrc
To load completions in your current shell session:
source <(portal completion zsh)
To load completions for every new session, execute once:
Linux:
portal completion zsh > "${fpath[1]}/_portal"
macOS:
portal completion zsh > $(brew --prefix)/share/zsh/site-functions/_portal
You will need to start a new shell for this setup to take effect.
Options
SEE ALSO
- portal completion - Generate the autocompletion script for the specified shell
portal help
Help about any command
Synopsis
Help provides help for any command in the application. Simply type portal help [path to command] for full details.
Options
SEE ALSO
- portal - Portal — Kubernetes admission, audit, NetworkPolicy and response-action engine
portal init-certs
Generate webhook TLS material and inject the CA bundle into the ValidatingWebhookConfiguration
Synopsis
init-certs is the cert-bootstrap step for Portal installs that do not use cert-manager. It is invoked from a Pod-level init-container in the Helm chart.
The command is idempotent: if the named Secret already holds a valid cert that is not within the renewal window, only the ValidatingWebhookConfig's caBundle is patched (a no-op when already correct). Otherwise a fresh self-signed CA + leaf are generated, the Secret is written in place, and the caBundle is patched.
The generated cert is mirrored to --cert-dir so the main container's filesystem mount reads the new material regardless of kubelet's Secret volume refresh timing.
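The keep-or-regenerate decision described above, as an added Go illustration (not Portal's own code). The function names are hypothetical, the renewal window is a caller-supplied assumption because this page does not state its length, and the certificate is constructed test material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// webhookSANs derives the Service SANs as the --service help describes, plus extras (--dns).
func webhookSANs(svc, ns string, extra []string) []string {
	return append([]string{svc + "." + ns + ".svc", svc + "." + ns + ".svc.cluster.local"}, extra...)
}

// needsReissue: outside validity, inside the (assumed) renewal window, or a required SAN is missing.
func needsReissue(cert *x509.Certificate, sans []string, now time.Time, window time.Duration) bool {
	if now.Before(cert.NotBefore) || !now.Before(cert.NotAfter.Add(-window)) {
		return true
	}
	for _, name := range sans {
		if cert.VerifyHostname(name) != nil {
			return true
		}
	}
	return false
}

// newTestCert builds constructed test material: a self-signed cert carrying the SANs.
func newTestCert(sans []string, notBefore time.Time, ttl time.Duration) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans, NotBefore: notBefore, NotAfter: notBefore.Add(ttl)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	sans := webhookSANs("portal", "portal-system", nil)
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	if cert, err := newTestCert(sans, start, 365*24*time.Hour); err == nil {
		fmt.Println(needsReissue(cert, sans, start.Add(340*24*time.Hour), 30*24*time.Hour))
	}
}
```

Checking SAN coverage as well as expiry matters here: a certificate that is still valid but lacks a name the API server dials fails the TLS handshake, and the webhook call then fails.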
Options
      --cert-dir string         local path to mirror cert material to (typically a shared emptyDir) (default "/etc/portal/certs")
      --dns strings             additional DNS SANs to include on the leaf certificate
  -h, --help                    help for init-certs
      --kubeconfig string       kubeconfig path (defaults to in-cluster)
      --namespace string        namespace containing the TLS Secret (default "portal-system")
      --secret string           name of the kubernetes.io/tls Secret to read/upsert (default "portal-webhook-cert")
      --service string          Service name; DNS SANs are derived as <svc>.<ns>.svc, <svc>.<ns>.svc.cluster.local (default "portal")
      --webhook-config string   name of the ValidatingWebhookConfiguration to inject caBundle into (default "portal")
SEE ALSO
- portal - Portal — Kubernetes admission, audit, NetworkPolicy and response-action engine
portal migrate-rules
Convert podwatcher-poc SpEL rules into Portal expr-lang rules
Synopsis
Rewrites SpEL→expr-lang differences ({...}.contains(x) → x in [...], .contains('y') → 'y' in ..., filter.namespace → match.namespaces) and emits either one PortalClusterRule manifest per rule (--format=cr, default) or folder-format rule YAML (--format=folder). Idempotent on Portal-format input.
Options
      --dry-run         print rewritten content to stdout instead of writing
      --format string   output format: cr | folder (default "cr")
  -h, --help            help for migrate-rules
  -o, --output string   output directory (default: <input>-portal)
SEE ALSO
- portal - Portal — Kubernetes admission, audit, NetworkPolicy and response-action engine
portal run
Run Portal (admission webhook, audit loop, network analyser)
Options
      --admission                  enable admission webhook layer (default true)
      --alertmanager-url string    AlertManager v2 alerts endpoint; empty disables the AlertManager sink
      --audit                      enable informer-driven audit layer
      --cert-dir string            directory containing tls.crt / tls.key (auto-generated when missing) (default "/etc/portal/certs")
      --fail-closed                advisory: report whether deployment expects failClosed semantics (default true)
  -h, --help                       help for run
      --install-namespace string   Portal's own namespace — excluded from the webhook and used as the lease lock namespace (default "portal-system")
      --kubeconfig string          kubeconfig path (defaults to in-cluster)
      --leader-election            use lease-based leader election for the audit loop (default true)
      --listen string              TLS webhook listen address (default ":8443")
      --metrics-addr string        Prometheus /metrics + /healthz listen address (default ":9090")
      --network                    enable NetworkPolicy analyser layer (implies --audit)
      --policy-report              emit wgpolicyk8s.io PolicyReport / ClusterPolicyReport resources (default true)
      --rules-cr                   load PortalClusterRule/PortalRule CRs (default true)
      --rules-folder string        load rules from a filesystem folder (in addition to CRDs)
      --watched-gvk strings        additional GVKs to watch (group/version/kind; empty group for core, e.g. /v1/ConfigMap)
      --webhook-dns strings        DNS names to include in the self-signed webhook certificate
SEE ALSO
- portal - Portal — Kubernetes admission, audit, NetworkPolicy and response-action engine