1 minute read

Kubectl Auth

Kubectl Auth

To Inspect authorization, we can make use of kubectl auth command. It will show an yes or no. Here is the related help and examples.

pradeep@learnk8s$ kubectl auth can-i -h
Check whether an action is allowed.

 VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc. TYPE is a Kubernetes resource.
Shortcuts and groups will be resolved. NONRESOURCEURL is a partial URL that starts with "/". NAME is the name of a
particular Kubernetes resource. This command pairs nicely with impersonation. See --as global flag.

Examples:
  # Check to see if I can create pods in any namespace
  kubectl auth can-i create pods --all-namespaces

  # Check to see if I can list deployments in my current namespace
  kubectl auth can-i list deployments.apps

  # Check to see if I can do everything in my current namespace ("*" means all)
  kubectl auth can-i '*' '*'

  # Check to see if I can get the job named "bar" in namespace "foo"
  kubectl auth can-i list jobs.batch/bar -n foo

  # Check to see if I can read pod logs
  kubectl auth can-i get pods --subresource=log

  # Check to see if I can access the URL /logs/
  kubectl auth can-i get /logs/

  # List all allowed actions in namespace "foo"
  kubectl auth can-i --list --namespace=foo

Options:
  -A, --all-namespaces=false: If true, check the specified action in all namespaces.
      --list=false: If true, prints all allowed actions.
      --no-headers=false: If true, prints allowed actions without headers
  -q, --quiet=false: If true, suppress output and just return the exit code.
      --subresource='': SubResource such as pod/log or deployment/scale

Usage:
  kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).

For example, from the pradeep context,

pradeep@learnk8s$ kubectl config get-contexts
CURRENT   NAME      CLUSTER   AUTHINFO   NAMESPACE
          k8s       k8s       k8s        default
*         pradeep   k8s       pradeep
pradeep@learnk8s$ kubectl auth can-i '*' '*'
no

From the k8s context,

pradeep@learnk8s$ kubectl config get-contexts
CURRENT   NAME      CLUSTER   AUTHINFO   NAMESPACE
*         k8s       k8s       k8s        default
          pradeep   k8s       pradeep
pradeep@learnk8s$ kubectl auth can-i '*' '*'
yes
Back to Top ↑