1KUBERNETES(1) Jan 2015 KUBERNETES(1)
2
6 kubectl auth can-i - Check whether an action is allowed
7
11 kubectl auth can-i [OPTIONS]
12
16 Check whether an action is allowed.
17 VERB is a logical Kubernetes API verb like 'get', 'list', 'watch',
20 'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will
21 be resolved. NONRESOURCEURL is a partial URL starts with "/". NAME is
22 the name of a particular Kubernetes resource.
23
27 -A, --all-namespaces=false
28 If true, check the specified action in all namespaces.
29 --list=false
32 If true, prints all allowed actions.
33 --no-headers=false
36 If true, prints allowed actions without headers
37 -q, --quiet=false
40 If true, suppress output and just return the exit code.
41 --subresource=""
44 SubResource such as pod/log or deployment/scale
45
49 --alsologtostderr=false
50 log to standard error as well as files
51 --application-metrics-count-limit=100
54 Max number of application metrics to store (per container)
55 --as=""
58 Username to impersonate for the operation
59 --as-group=[]
62 Group to impersonate for the operation, this flag can be repeated
63 to specify multiple groups.
64 --azure-container-registry-config=""
67 Path to the file containing Azure container registry configuration
68 information.
69 --boot-id-file="/proc/sys/kernel/random/boot_id"
72 Comma-separated list of files to check for boot-id. Use the first
73 one that exists.
74 --cache-dir="/builddir/.kube/http-cache"
77 Default HTTP cache directory
78 --certificate-authority=""
81 Path to a cert file for the certificate authority
82 --client-certificate=""
85 Path to a client certificate file for TLS
86 --client-key=""
89 Path to a client key file for TLS
90 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
93 CIDRs opened in GCE firewall for LB traffic proxy health checks
94 --cluster=""
97 The name of the kubeconfig cluster to use
98 --container-hints="/etc/cadvisor/container_hints.json"
101 location of the container hints file
102 --containerd="/run/containerd/containerd.sock"
105 containerd endpoint
106 --containerd-namespace="k8s.io"
109 containerd namespace
110 --context=""
113 The name of the kubeconfig context to use
114 --default-not-ready-toleration-seconds=300
117 Indicates the tolerationSeconds of the toleration for
118 notReady:NoExecute that is added by default to every pod that does not
119 already have such a toleration.
120 --default-unreachable-toleration-seconds=300
123 Indicates the tolerationSeconds of the toleration for unreach‐
124 able:NoExecute that is added by default to every pod that does not
125 already have such a toleration.
126 --docker="unix:///var/run/docker.sock"
129 docker endpoint
130 --docker-env-metadata-whitelist=""
133 a comma-separated list of environment variable keys that needs to
134 be collected for docker containers
135 --docker-only=false
138 Only report docker containers in addition to root stats
139 --docker-root="/var/lib/docker"
142 DEPRECATED: docker root is read from docker info (this is a fall‐
143 back, default: /var/lib/docker)
144 --docker-tls=false
147 use TLS to connect to docker
148 --docker-tls-ca="ca.pem"
151 path to trusted CA
152 --docker-tls-cert="cert.pem"
155 path to client certificate
156 --docker-tls-key="key.pem"
159 path to private key
160 --enable-load-reader=false
163 Whether to enable cpu load reader
164 --event-storage-age-limit="default=0"
167 Max length of time for which to store events (per type). Value is a
168 comma separated list of key values, where the keys are event types
169 (e.g.: creation, oom) or "default" and the value is a duration. Default
170 is applied to all non-specified event types
171 --event-storage-event-limit="default=0"
174 Max number of events to store (per type). Value is a comma sepa‐
175 rated list of key values, where the keys are event types (e.g.: cre‐
176 ation, oom) or "default" and the value is an integer. Default is
177 applied to all non-specified event types
178 --global-housekeeping-interval=1m0s
181 Interval between global housekeepings
182 --housekeeping-interval=10s
185 Interval between container housekeepings
186 --insecure-skip-tls-verify=false
189 If true, the server's certificate will not be checked for validity.
190 This will make your HTTPS connections insecure
191 --kubeconfig=""
194 Path to the kubeconfig file to use for CLI requests.
195 --log-backtrace-at=:0
198 when logging hits line file:N, emit a stack trace
199 --log-cadvisor-usage=false
202 Whether to log the usage of the cAdvisor container
203 --log-dir=""
206 If non-empty, write log files in this directory
207 --log-file=""
210 If non-empty, use this log file
211 --log-file-max-size=1800
214 Defines the maximum size a log file can grow to. Unit is megabytes.
215 If the value is 0, the maximum file size is unlimited.
216 --log-flush-frequency=5s
219 Maximum number of seconds between log flushes
220 --logtostderr=true
223 log to standard error instead of files
224 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
227 Comma-separated list of files to check for machine-id. Use the
228 first one that exists.
229 --match-server-version=false
232 Require server version to match client version
233 -n, --namespace=""
236 If present, the namespace scope for this CLI request
237 --password=""
240 Password for basic authentication to the API server
241 --profile="none"
244 Name of profile to capture. One of (none|cpu|heap|goroutine|thread‐
245 create|block|mutex)
246 --profile-output="profile.pprof"
249 Name of the file to write the profile to
250 --request-timeout="0"
253 The length of time to wait before giving up on a single server
254 request. Non-zero values should contain a corresponding time unit (e.g.
255 1s, 2m, 3h). A value of zero means don't timeout requests.
256 -s, --server=""
259 The address and port of the Kubernetes API server
260 --skip-headers=false
263 If true, avoid header prefixes in the log messages
264 --skip-log-headers=false
267 If true, avoid headers when opening log files
268 --stderrthreshold=2
271 logs at or above this threshold go to stderr
272 --storage-driver-buffer-duration=1m0s
275 Writes in the storage driver will be buffered for this duration,
276 and committed to the non memory backends as a single transaction
277 --storage-driver-db="cadvisor"
280 database name
281 --storage-driver-host="localhost:8086"
284 database host:port
285 --storage-driver-password="root"
288 database password
289 --storage-driver-secure=false
292 use secure connection with database
293 --storage-driver-table="stats"
296 table name
297 --storage-driver-user="root"
300 database username
301 --token=""
304 Bearer token for authentication to the API server
305 --update-machine-info-interval=5m0s
308 Interval between machine info updates.
309 --user=""
312 The name of the kubeconfig user to use
313 --username=""
316 Username for basic authentication to the API server
317 -v, --v=0
320 number for the log level verbosity
321 --version=false
324 Print version information and quit
325 --vmodule=
328 comma-separated list of pattern=N settings for file-filtered log‐
329 ging
330
334 # Check to see if I can create pods in any namespace
335 kubectl auth can-i create pods --all-namespaces
336 # Check to see if I can list deployments in my current namespace
338 kubectl auth can-i list deployments.extensions
339 # Check to see if I can do everything in my current namespace ("*" means all)
341 kubectl auth can-i '*' '*'
342 # Check to see if I can get the job named "bar" in namespace "foo"
344 kubectl auth can-i list jobs.batch/bar -n foo
345 # Check to see if I can read pod logs
347 kubectl auth can-i get pods --subresource=log
348 # Check to see if I can access the URL /logs/
350 kubectl auth can-i get /logs/
351 # List all allowed actions in namespace "foo"
353 kubectl auth can-i --list --namespace=foo
354
359 kubectl-auth(1),
360
364 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
365 com) based on the kubernetes source material, but hopefully they have
366 been automatically generated since!
367Eric Paris kubernetes User Manuals KUBERNETES(1)