1KUBERNETES(1) Jan 2015 KUBERNETES(1)
2
6 kubectl auth can-i - Check whether an action is allowed
7
11 kubectl auth can-i [OPTIONS]
12
16 Check whether an action is allowed.
17 VERB is a logical Kubernetes API verb like 'get', 'list', 'watch',
20 'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will
21 be resolved. NONRESOURCEURL is a partial URL starts with "/". NAME is
22 the name of a particular Kubernetes resource.
23
27 -A, --all-namespaces=false
28 If true, check the specified action in all namespaces.
29 --list=false
32 If true, prints all allowed actions.
33 --no-headers=false
36 If true, prints allowed actions without headers
37 -q, --quiet=false
40 If true, suppress output and just return the exit code.
41 --subresource=""
44 SubResource such as pod/log or deployment/scale
45
49 --add-dir-header=false
50 If true, adds the file directory to the header
51 --alsologtostderr=false
54 log to standard error as well as files
55 --application-metrics-count-limit=100
58 Max number of application metrics to store (per container)
59 --as=""
62 Username to impersonate for the operation
63 --as-group=[]
66 Group to impersonate for the operation, this flag can be repeated
67 to specify multiple groups.
68 --azure-container-registry-config=""
71 Path to the file containing Azure container registry configuration
72 information.
73 --boot-id-file="/proc/sys/kernel/random/boot_id"
76 Comma-separated list of files to check for boot-id. Use the first
77 one that exists.
78 --cache-dir="/builddir/.kube/http-cache"
81 Default HTTP cache directory
82 --certificate-authority=""
85 Path to a cert file for the certificate authority
86 --client-certificate=""
89 Path to a client certificate file for TLS
90 --client-key=""
93 Path to a client key file for TLS
94 --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
97 CIDRs opened in GCE firewall for L7 LB traffic proxy health checks
98 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
101 CIDRs opened in GCE firewall for L4 LB traffic proxy health checks
102 --cluster=""
105 The name of the kubeconfig cluster to use
106 --container-hints="/etc/cadvisor/container_hints.json"
109 location of the container hints file
110 --containerd="/run/containerd/containerd.sock"
113 containerd endpoint
114 --containerd-namespace="k8s.io"
117 containerd namespace
118 --context=""
121 The name of the kubeconfig context to use
122 --default-not-ready-toleration-seconds=300
125 Indicates the tolerationSeconds of the toleration for
126 notReady:NoExecute that is added by default to every pod that does not
127 already have such a toleration.
128 --default-unreachable-toleration-seconds=300
131 Indicates the tolerationSeconds of the toleration for
132 unreachable:NoExecute that is added by default to every pod that does
133 not already have such a toleration.
134 --disable-root-cgroup-stats=false
137 Disable collecting root Cgroup stats
138 --docker="unix:///var/run/docker.sock"
141 docker endpoint
142 --docker-env-metadata-whitelist=""
145 a comma-separated list of environment variable keys that needs to
146 be collected for docker containers
147 --docker-only=false
150 Only report docker containers in addition to root stats
151 --docker-root="/var/lib/docker"
154 DEPRECATED: docker root is read from docker info (this is a
155 fallback, default: /var/lib/docker)
156 --docker-tls=false
159 use TLS to connect to docker
160 --docker-tls-ca="ca.pem"
163 path to trusted CA
164 --docker-tls-cert="cert.pem"
167 path to client certificate
168 --docker-tls-key="key.pem"
171 path to private key
172 --enable-load-reader=false
175 Whether to enable cpu load reader
176 --event-storage-age-limit="default=0"
179 Max length of time for which to store events (per type). Value is a
180 comma separated list of key values, where the keys are event types
181 (e.g.: creation, oom) or "default" and the value is a duration. Default
182 is applied to all non-specified event types
183 --event-storage-event-limit="default=0"
186 Max number of events to store (per type). Value is a comma
187 separated list of key values, where the keys are event types (e.g.:
188 creation, oom) or "default" and the value is an integer. Default is
189 applied to all non-specified event types
190 --global-housekeeping-interval=1m0s
193 Interval between global housekeepings
194 --housekeeping-interval=10s
197 Interval between container housekeepings
198 --insecure-skip-tls-verify=false
201 If true, the server's certificate will not be checked for validity.
202 This will make your HTTPS connections insecure
203 --kubeconfig=""
206 Path to the kubeconfig file to use for CLI requests.
207 --log-backtrace-at=:0
210 when logging hits line file:N, emit a stack trace
211 --log-cadvisor-usage=false
214 Whether to log the usage of the cAdvisor container
215 --log-dir=""
218 If non-empty, write log files in this directory
219 --log-file=""
222 If non-empty, use this log file
223 --log-file-max-size=1800
226 Defines the maximum size a log file can grow to. Unit is megabytes.
227 If the value is 0, the maximum file size is unlimited.
228 --log-flush-frequency=5s
231 Maximum number of seconds between log flushes
232 --logtostderr=true
235 log to standard error instead of files
236 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
239 Comma-separated list of files to check for machine-id. Use the
240 first one that exists.
241 --match-server-version=false
244 Require server version to match client version
245 -n, --namespace=""
248 If present, the namespace scope for this CLI request
249 --password=""
252 Password for basic authentication to the API server
253 --profile="none"
256 Name of profile to capture. One of
257 (none|cpu|heap|goroutine|threadcreate|block|mutex)
258 --profile-output="profile.pprof"
261 Name of the file to write the profile to
262 --request-timeout="0"
265 The length of time to wait before giving up on a single server
266 request. Non-zero values should contain a corresponding time unit (e.g.
267 1s, 2m, 3h). A value of zero means don't timeout requests.
268 -s, --server=""
271 The address and port of the Kubernetes API server
272 --skip-headers=false
275 If true, avoid header prefixes in the log messages
276 --skip-log-headers=false
279 If true, avoid headers when opening log files
280 --stderrthreshold=2
283 logs at or above this threshold go to stderr
284 --storage-driver-buffer-duration=1m0s
287 Writes in the storage driver will be buffered for this duration,
288 and committed to the non memory backends as a single transaction
289 --storage-driver-db="cadvisor"
292 database name
293 --storage-driver-host="localhost:8086"
296 database host:port
297 --storage-driver-password="root"
300 database password
301 --storage-driver-secure=false
304 use secure connection with database
305 --storage-driver-table="stats"
308 table name
309 --storage-driver-user="root"
312 database username
313 --tls-server-name=""
316 Server name to use for server certificate validation. If it is not
317 provided, the hostname used to contact the server is used
318 --token=""
321 Bearer token for authentication to the API server
322 --update-machine-info-interval=5m0s
325 Interval between machine info updates.
326 --user=""
329 The name of the kubeconfig user to use
330 --username=""
333 Username for basic authentication to the API server
334 -v, --v=0
337 number for the log level verbosity
338 --version=false
341 Print version information and quit
342 --vmodule=
345 comma-separated list of pattern=N settings for file-filtered
346 logging
347
351 # Check to see if I can create pods in any namespace
352 kubectl auth can-i create pods --all-namespaces
353 # Check to see if I can list deployments in my current namespace
355 kubectl auth can-i list deployments.apps
356 # Check to see if I can do everything in my current namespace ("*" means all)
358 kubectl auth can-i '*' '*'
359 # Check to see if I can get the job named "bar" in namespace "foo"
361 kubectl auth can-i list jobs.batch/bar -n foo
362 # Check to see if I can read pod logs
364 kubectl auth can-i get pods --subresource=log
365 # Check to see if I can access the URL /logs/
367 kubectl auth can-i get /logs/
368 # List all allowed actions in namespace "foo"
370 kubectl auth can-i --list --namespace=foo
371
376 kubectl-auth(1),
377
381 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
382 com) based on the kubernetes source material, but hopefully they have
383 been automatically generated since!
384Eric Paris kubernetes User Manuals KUBERNETES(1)