Kubectl auth

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

Internal

Overview

kubectl auth inspects authorization.

It can check whether an action is allowed with: 

kubectl [-n <non-default-namespace>] auth can-i <verb> [<type>|<type>/<name>|<non-resource-url>

The verb is a logical Kubernetes API verb: "get", "list", "watch", "delete", etc. Type is a kubernetes resource. The name is the name of a particular resource.

It could also reconcile rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRole binding objects.

The identity used to perform the call can be changed via the --as kubectl option: 

kubectl -n blue --as system:serviceaccount:blue:blue-sa auth can-i get pod my-pod

Usage Examples

Namespaces: 

kubectl --as system:serviceaccount:test-ns:default auth can-i get ns

Namespace: 

kubectl --as system:serviceaccount:test-ns:default auth can-i get ns/some-namespace

Also see:

Authorization checks
Retrieved from "https://kb.novaordis.com/index.php?title=Kubectl_auth&oldid=72808"