Kubectl auth: Difference between revisions
Jump to navigation
Jump to search
Line 15: | Line 15: | ||
It could also reconcile rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRole binding objects. | It could also reconcile rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRole binding objects. | ||
The identity used to perform the call can be changed via the [[Kubectl#--as|--as]] | The identity used to perform the call can be changed via the [[Kubectl#--as|--as kubectl option]]: | ||
<syntaxhighlight lang='bash'> | <syntaxhighlight lang='bash'> |
Revision as of 00:38, 5 September 2020
Internal
Overview
kubectl auth
inspects authorization.
It can check whether an action is allowed with:
kubectl auth can-i <verb> [<type>|<type>/<name>|<non-resource-url>
The verb is a logical Kubernetes API verb: "get", "list", "watch", "delete", etc. Type is a kubernetes resource. The name is the name of a particular resource.
It could also reconcile rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRole binding objects.
The identity used to perform the call can be changed via the --as kubectl option:
kubectl --as system:serviceaccount:blue:blue-sa auth can-i get pod my-pod