Kubectl auth: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| (2 intermediate revisions by the same user not shown) | |||
| Line 8: | Line 8: | ||
It can check whether an action is allowed with: | It can check whether an action is allowed with: | ||
<syntaxhighlight lang='bash'> | <syntaxhighlight lang='bash'> | ||
kubectl auth can-i <verb> [<type>|<type>/<name>|<non-resource-url> | kubectl [-n <non-default-namespace>] auth can-i <verb> [<type>|<type>/<name>|<non-resource-url> | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 18: | Line 18: | ||
<syntaxhighlight lang='bash'> | <syntaxhighlight lang='bash'> | ||
kubectl --as system:serviceaccount:blue:blue-sa auth can-i get pod my-pod | kubectl -n blue --as system:serviceaccount:blue:blue-sa auth can-i get pod my-pod | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=Usage Examples= | =Usage Examples= | ||
Namespaces: | |||
<syntaxhighlight lang='yaml'> | |||
kubectl --as system:serviceaccount:test-ns:default auth can-i get ns | |||
</syntaxhighlight> | |||
Namespace: | |||
<syntaxhighlight lang='yaml'> | |||
kubectl --as system:serviceaccount:test-ns:default auth can-i get ns/some-namespace | |||
</syntaxhighlight> | |||
Also see: {{Internal|Kubernetes_Security_Operations#Authorization_Check|Authorization checks}} | |||
Latest revision as of 21:31, 3 November 2020
Internal
Overview
kubectl auth inspects authorization.
It can check whether an action is allowed with:
kubectl [-n <non-default-namespace>] auth can-i <verb> [<type>|<type>/<name>|<non-resource-url>
The verb is a logical Kubernetes API verb: "get", "list", "watch", "delete", etc. Type is a kubernetes resource. The name is the name of a particular resource.
It could also reconcile rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRole binding objects.
The identity used to perform the call can be changed via the --as kubectl option:
kubectl -n blue --as system:serviceaccount:blue:blue-sa auth can-i get pod my-pod
Usage Examples
Namespaces:
kubectl --as system:serviceaccount:test-ns:default auth can-i get ns
Namespace:
kubectl --as system:serviceaccount:test-ns:default auth can-i get ns/some-namespace
Also see: