1KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)
2
3
4
5Eric Paris Jan 2015
6
7

NAME

9       kubectl auth can-i - Check whether an action is allowed
10
11
12

SYNOPSIS

14       kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL] [OPTIONS]
15
16
17

DESCRIPTION

19       Check whether an action is allowed for the identity kubectl would  use
         for the request: the kubeconfig user, or the identity selected with the
         --as / --as-group impersonation flags. The answer comes from  the  API
         server, so it reflects the server's own authorization decision.
20
21
22       VERB  is  a  logical  Kubernetes  API verb like 'get', 'list', 'watch',
23       'delete', etc. TYPE is a Kubernetes resource; short names and API group
24       suffixes (e.g.  deployments.apps)  are  resolved.  NONRESOURCEURL is  a
25       partial URL that starts with "/". NAME is the name  of  one  particular
         resource, given as TYPE/NAME.
26
27
28

OPTIONS

30       -A, --all-namespaces=false      If true, check the specified action  in
31       all namespaces. A "yes" here means the action is permitted cluster-wide
         (every namespace), a stronger claim than a "yes" for a single namespace.
32
33
34       --list=false      If true, prints the rules (verbs, resources and  non-
         resource URLs) the current identity is allowed in the target  namespace
         instead of checking a single action; VERB and TYPE are not  used  with
         --list. Some authorizers cannot enumerate their rules, so the list  may
         be incomplete - confirm any permission that matters with  an  explicit
         check.
35
36
37       --no-headers=false      If true, prints allowed actions without headers
         (only meaningful together with --list)
38
39
40       -q,  --quiet=false       If  true,  suppress output and just return the
41       exit code, so the command can be used as a guard in scripts; the  exit
         status alone then tells whether the action is allowed.
42
43
44       --subresource=""      SubResource such as pod/log or deployment/scale
45
46
47

OPTIONS INHERITED FROM PARENT COMMANDS

49       --add-dir-header=false      If true, adds the  file  directory  to  the
50       header of the log messages
51
52
53       --alsologtostderr=false      log to standard error as well as files
54
55
56       --application-metrics-count-limit=100       Max  number  of application
57       metrics to store (per container)
58
59
60       --as=""      Username to impersonate for the operation. The answer then
         describes what the impersonated user may do, not the caller; the  API
         server must permit the caller to impersonate that user.
61
62
63       --as-group=[]      Group to impersonate for the  operation,  this  flag
64       can be repeated to specify multiple groups. Like --as,  it  requires
         impersonation rights for the caller.
65
66
67       --azure-container-registry-config=""       Path  to the file containing
68       Azure container registry configuration information.
69
70
71       --boot-id-file="/proc/sys/kernel/random/boot_id"        Comma-separated
72       list of files to check for boot-id. Use the first one that exists.
73
74
75       --cache-dir="/builddir/.kube/cache"      Default cache directory.  The
         path shown appears to have been captured from  the  build  environment;
         the effective default is derived from the invoking user's home  direc‐
         tory.
76
77
78       --certificate-authority=""      Path to a cert file for the certificate
79       authority
80
81
82       --client-certificate=""      Path to a client certificate file for TLS
83
84
85       --client-key=""      Path to a client key file for TLS
86
87
88       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
89            CIDRs  opened  in  GCE  firewall  for  L7 LB traffic proxy  health
90       checks
91
92
93       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
94            CIDRs  opened  in  GCE  firewall  for  L4 LB traffic proxy  health
95       checks
96
97
98       --cluster=""      The name of the kubeconfig cluster to use
99
100
101       --container-hints="/etc/cadvisor/container_hints.json"      location of
102       the container hints file
103
104
105       --containerd="/run/containerd/containerd.sock"      containerd endpoint
106
107
108       --containerd-namespace="k8s.io"      containerd namespace
109
110
111       --context=""      The name of the kubeconfig context to use
112
113
114       --default-not-ready-toleration-seconds=300       Indicates  the tolera‐
115       tionSeconds of the toleration for notReady:NoExecute that is  added  by
116       default to every pod that does not already have such a toleration.
117
118
119       --default-unreachable-toleration-seconds=300      Indicates the tolera‐
120       tionSeconds of the toleration for unreachable:NoExecute that  is  added
121       by default to every pod that does not already have such a toleration.
122
123
124       --disable-root-cgroup-stats=false       Disable  collecting root Cgroup
125       stats
126
127
128       --docker="unix:///var/run/docker.sock"      docker endpoint
129
130
131       --docker-env-metadata-whitelist=""      a comma-separated list of envi‐
132       ronment  variable  keys  matched with specified prefix that needs to be
133       collected for docker containers
134
135
136       --docker-only=false      Only report docker containers in  addition  to
137       root stats
138
139
140       --docker-root="/var/lib/docker"       DEPRECATED:  docker  root is read
141       from docker info (this is a fallback, default: /var/lib/docker)
142
143
144       --docker-tls=false      use TLS to connect to docker
145
146
147       --docker-tls-ca="ca.pem"      path to trusted CA
148
149
150       --docker-tls-cert="cert.pem"      path to client certificate
151
152
153       --docker-tls-key="key.pem"      path to private key
154
155
156       --enable-load-reader=false      Whether to enable cpu load reader
157
158
159       --event-storage-age-limit="default=0"      Max length of time for which
160       to store events (per type). Value is a comma separated list of key val‐
161       ues, where the keys are event types (e.g.: creation, oom) or  "default"
162       and  the  value  is a duration. Default is applied to all non-specified
163       event types
164
165
166       --event-storage-event-limit="default=0"      Max number  of  events  to
167       store  (per type). Value is a comma separated list of key values, where
168       the keys are event types (e.g.: creation, oom)  or  "default"  and  the
169       value  is  an  integer.  Default  is applied to all non-specified event
170       types
171
172
173       --global-housekeeping-interval=1m0s      Interval between global house‐
174       keepings
175
176
177       --housekeeping-interval=10s       Interval between container housekeep‐
178       ings
179
180
181       --insecure-skip-tls-verify=false      If true, the server's certificate
182       will not be checked for validity. This disables server  authentication
183       and leaves the connection open to interception: a credential  sent  over
          it (for example --token or --password) can be captured. Use only against
          a test cluster you control, never in automation.
184
185
186       --kubeconfig=""      Path to the kubeconfig file to  use  for  CLI  re‐
187       quests.
188
189
190       --log-backtrace-at=:0       when logging hits line file:N, emit a stack
191       trace
192
193
194       --log-cadvisor-usage=false      Whether to log the usage of the  cAdvi‐
195       sor container
196
197
198       --log-dir=""      If non-empty, write log files in this directory
199
200
201       --log-file=""      If non-empty, use this log file
202
203
204       --log-file-max-size=1800       Defines  the maximum size a log file can
205       grow to. Unit is megabytes. If the value is 0, the maximum file size is
206       unlimited.
207
208
209       --log-flush-frequency=5s       Maximum  number  of  seconds between log
210       flushes
211
212
213       --logtostderr=true      log to standard error instead of files
214
215
216       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
217            Comma-separated  list  of  files  to check for machine-id. Use the
218       first one that exists.
219
220
221       --match-server-version=false       Require  server  version  to   match
222       client version
223
224
225       -n,  --namespace=""       If  present, the namespace scope for this CLI
226       request
227
228
229       --one-output=false      If true, only write logs to their native sever‐
230       ity level (vs also writing to each lower severity level)
231
232
233       --password=""      Password for basic authentication to the API server.
          A secret given on the command line is visible to other local users  in
          process listings and is kept in shell history; prefer a kubeconfig user
          (--user) or a token-based credential.
234
235
236       --profile="none"         Name   of   profile   to   capture.   One   of
237       (none|cpu|heap|goroutine|threadcreate|block|mutex)
238
239
240       --profile-output="profile.pprof"      Name of the  file  to  write  the
241       profile to
242
243
244       --referenced-reset-interval=0       Reset interval for referenced bytes
245       (container_referenced_bytes metric), number of measurement cycles after
246       which  referenced  bytes  are cleared, if set to 0 referenced bytes are
247       never cleared (default: 0)
248
249
250       --request-timeout="0"      The length of time to wait before giving  up
251       on  a  single  server  request. Non-zero values should contain a corre‐
252       sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
253       out requests.
254
255
256       -s, --server=""      The address and port of the Kubernetes API server
257
258
259       --skip-headers=false       If  true,  avoid  header prefixes in the log
260       messages
261
262
263       --skip-log-headers=false      If true, avoid headers when  opening  log
264       files
265
266
267       --stderrthreshold=2      logs at or above this threshold go to stderr
268
269
270       --storage-driver-buffer-duration=1m0s      Writes in the storage driver
271       will be buffered for this duration, and committed  to  the  non  memory
272       backends as a single transaction
273
274
275       --storage-driver-db="cadvisor"      database name
276
277
278       --storage-driver-host="localhost:8086"      database host:port
279
280
281       --storage-driver-password="root"      database password
282
283
284       --storage-driver-secure=false      use secure connection with database
285
286
287       --storage-driver-table="stats"      table name
288
289
290       --storage-driver-user="root"      database username
291
292
293       --tls-server-name=""       Server  name  to  use for server certificate
294       validation. If it is not provided, the hostname  used  to  contact  the
295       server is used
296
297
298       --token=""      Bearer token for authentication to the API server.  A
          token given on the command line is visible to other local  users  in
          process listings and is kept in shell history; prefer  storing  it  in
          the kubeconfig file and selecting it with --user.
299
300
301       --update-machine-info-interval=5m0s       Interval between machine info
302       updates.
303
304
305       --user=""      The name of the kubeconfig user to use
306
307
308       --username=""      Username for basic authentication to the API server
          (used together with --password; see the caveat there)
309
310
311       -v, --v=0      number for the log level verbosity
312
313
314       --version=false      Print version information and quit
315
316
317       --vmodule=       comma-separated  list  of   pattern=N   settings   for
318       file-filtered logging
319
320
321       --warnings-as-errors=false      Treat warnings received from the server
322       as errors and exit with a non-zero exit code
323
324
325

EXAMPLE

327                # Check to see if I can create pods in any namespace
328                kubectl auth can-i create pods --all-namespaces
329
330                # Check to see if I can list deployments in my current namespace
331                kubectl auth can-i list deployments.apps
332
333                # Check to see if I can do everything in my current namespace ("*" means all verbs on all resources; a "yes" means the identity is unrestricted in the namespace)
334                kubectl auth can-i '*' '*'
335
336                # Check to see if I can list the job named "bar" in namespace "foo" (a named resource is given as TYPE/NAME)
337                kubectl auth can-i list jobs.batch/bar -n foo
338
339                # Check to see if I can read pod logs
340                kubectl auth can-i get pods --subresource=log
341
342                # Check to see if I can access the URL /logs/
343                kubectl auth can-i get /logs/
344
345                # List all allowed actions in namespace "foo"
346                kubectl auth can-i --list --namespace=foo
347
348
349
350

SEE ALSO

352       kubectl-auth(1),
353
354
355

HISTORY

357       January 2015, Originally compiled by Eric Paris (eparis at  redhat  dot
358       com)  based  on the kubernetes source material, but hopefully they have
359       been automatically generated since!
360
361
362
363Manuals                              User            KUBERNETES(1)(kubernetes)