Kubectl auth: Difference between revisions

From NovaOrdis Knowledge Base
Revision as of 00:38, 5 September 2020

Internal

Overview

kubectl auth inspects authorization.

It can check whether an action is allowed with:

kubectl auth can-i <verb> [<type>|<type>/<name>|<non-resource-url>]

The verb is a logical Kubernetes API verb: "get", "list", "watch", "delete", etc. Type is a Kubernetes resource. The name is the name of a particular resource.

It can also reconcile rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRoleBinding objects.

The identity used to perform the call can be changed via the --as kubectl option:

kubectl --as system:serviceaccount:blue:blue-sa auth can-i get pod my-pod
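
The impersonated check above can be turned into a least-privilege audit for a service account. The script below is an added example, not part of the original page: the KUBECTL variable, the function names can_i and audit_sa, and the expectation list are assumptions made for illustration; the blue/blue-sa identity is the one used on this page.

```bash
#!/bin/sh
# Added example: least-privilege check for one identity, built on
# `kubectl auth can-i` with impersonation (--as). The caller needs RBAC
# permission to impersonate the target identity.
KUBECTL="${KUBECTL:-kubectl}"   # assumption: overridable for wrappers/tests

# can_i <identity> <namespace> <verb> <resource>
# Prints yes, no or error. can-i exits non-zero for "no" and for failures
# alike, so the answer is taken from stdout, not from the exit status.
can_i() {
  local answer
  answer="$("$KUBECTL" --as "$1" -n "$2" auth can-i "$3" "$4" \
            </dev/null 2>/dev/null)" || true
  case "$answer" in
    yes*) echo yes ;;
    no*)  echo no ;;
    *)    echo error ;;   # unreachable API server, impersonation refused, ...
  esac
}

# audit_sa <identity> <namespace>
# Reads "<allow|deny> <verb> <resource>" lines on stdin, prints one line
# per mismatch and returns non-zero if any expectation is not met.
# An "error" answer never satisfies an expectation (fail closed).
audit_sa() {
  local identity="$1" ns="$2" expect verb resource got failures=0
  while read -r expect verb resource; do
    case "$expect" in ''|\#*) continue ;; esac
    got="$(can_i "$identity" "$ns" "$verb" "$resource")"
    case "$expect:$got" in
      allow:yes|deny:no) ;;
      *) echo "MISMATCH expected=$expect got=$got $verb $resource"
         failures=$((failures + 1)) ;;
    esac
  done
  [ "$failures" -eq 0 ]
}

# Usage (expectations are constructed sample data):
#   audit_sa system:serviceaccount:blue:blue-sa blue <<'EOF'
#   allow get pods
#   deny  delete pods
#   deny  get secrets
#   EOF
```

A non-zero return from audit_sa means the account holds a permission it should not have, lacks one it needs, or the check itself could not be completed.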

Usage Examples