Kubectl auth

From NovaOrdis Knowledge Base
Latest revision as of 21:31, 3 November 2020

Internal

Overview

kubectl auth inspects authorization.

It can check whether an action is allowed with:

kubectl [-n <non-default-namespace>] auth can-i <verb> [<type>|<type>/<name>|<non-resource-url>]

The verb is a logical Kubernetes API verb: "get", "list", "watch", "delete", etc. The type is a Kubernetes resource type. The name is the name of a particular resource of that type.

It can also reconcile rules for RBAC Role, RoleBinding, ClusterRole and ClusterRoleBinding objects (kubectl auth reconcile).

The identity used to perform the check can be changed via the --as kubectl option (impersonation), which makes it possible to verify what a given service account is allowed to do:

kubectl -n blue --as system:serviceaccount:blue:blue-sa auth can-i get pod my-pod

Usage Examples

Namespaces (resource type only):

kubectl --as system:serviceaccount:test-ns:default auth can-i get ns

A specific namespace (type/name):

kubectl --as system:serviceaccount:test-ns:default auth can-i get ns/some-namespace
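The checks above can be scripted to audit a service account's effective permissions. The following is an added example, not part of the original page: it wraps kubectl auth can-i with --as impersonation, separates "denied" from "the call failed" (kubectl exits 1 in both cases), and lists the grants an application service account rarely needs. The function names, the KUBECTL variable and the list of sensitive permissions are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): audit a service account's RBAC
# grants with "kubectl auth can-i" and the --as impersonation option.
# KUBECTL can be pointed at a stub for offline testing; default is the real binary.
KUBECTL="${KUBECTL:-kubectl}"

# can_i NAMESPACE SUBJECT VERB RESOURCE
# Prints yes|no|error and returns 0 (allowed), 1 (denied) or 2 (kubectl failed).
# kubectl auth can-i exits 1 both when the answer is "no" and when the call
# fails, so the decision is based on stdout, which is "yes"/"no" only on success.
can_i() {
  local ns="$1" subject="$2" verb="$3" resource="$4" out
  out="$("$KUBECTL" -n "$ns" --as "$subject" auth can-i "$verb" "$resource" 2>/dev/null)" || true
  case "$out" in
    yes) printf 'yes\n';   return 0 ;;
    no)  printf 'no\n';    return 1 ;;
    *)   printf 'error\n'; return 2 ;;
  esac
}

# audit_sa NAMESPACE SA_NAME "VERB:RESOURCE ..."
# Runs one check per VERB:RESOURCE pair, impersonating the service account's
# subject (system:serviceaccount:<ns>:<name>), and prints "verb resource answer".
audit_sa() {
  local ns="$1" sa="$2" checks="$3" subject pair verb resource answer
  subject="system:serviceaccount:${ns}:${sa}"
  for pair in $checks; do                 # unquoted on purpose: split on whitespace
    verb="${pair%%:*}"
    resource="${pair#*:}"
    answer="$(can_i "$ns" "$subject" "$verb" "$resource")" || true
    printf '%s %s %s\n' "$verb" "$resource" "$answer"
  done
}

# flag_sensitive NAMESPACE SA_NAME
# Checks permissions an application service account rarely needs (reading
# secrets, creating/deleting pods, creating role bindings) and prints only the
# ones that are granted, i.e. the findings a reviewer should follow up on.
flag_sensitive() {
  audit_sa "$1" "$2" "get:secrets list:secrets create:pods delete:pods create:rolebindings" |
    awk '$3 == "yes" { print $1, $2 }'
}

# Usage against a real cluster (needs kubectl and cluster access):
#   flag_sensitive blue blue-sa
```

For a complete picture of one subject's grants, kubectl auth can-i --list (with the same --as option) prints every rule that applies to it in the selected namespace.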

Also see:

Authorization checks