KUBERNETES(1)(kubernetes)                              KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
       kubectl auth can-i - Check whether an action is allowed

SYNOPSIS
       kubectl auth can-i [OPTIONS]

DESCRIPTION
       Check whether an action is allowed.

       VERB is a logical Kubernetes API verb like 'get', 'list', 'watch',
       'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will
       be resolved. NONRESOURCEURL is a partial URL that starts with "/". NAME
       is the name of a particular Kubernetes resource.

OPTIONS
       -A, --all-namespaces=false
              If true, check the specified action in all namespaces.

       --list=false
              If true, prints all allowed actions.

       --no-headers=false
              If true, prints allowed actions without headers.

       -q, --quiet=false
              If true, suppress output and just return the exit code.

       --subresource=""
              SubResource such as pod/log or deployment/scale.

OPTIONS INHERITED FROM PARENT COMMANDS
       --add-dir-header=false
              If true, adds the file directory to the header of the log
              messages.

       --alsologtostderr=false
              Log to standard error as well as files.

       --application-metrics-count-limit=100
              Max number of application metrics to store (per container).

       --as=""
              Username to impersonate for the operation.

       --as-group=[]
              Group to impersonate for the operation; this flag can be
              repeated to specify multiple groups.

       --azure-container-registry-config=""
              Path to the file containing Azure container registry
              configuration information.

       --boot-id-file="/proc/sys/kernel/random/boot_id"
              Comma-separated list of files to check for boot-id. Use the
              first one that exists.

       --cache-dir="/builddir/.kube/cache"
              Default cache directory.

       --certificate-authority=""
              Path to a cert file for the certificate authority.

       --client-certificate=""
              Path to a client certificate file for TLS.

       --client-key=""
              Path to a client key file for TLS.

       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
              CIDRs opened in GCE firewall for L7 LB traffic proxy health
              checks.

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
              CIDRs opened in GCE firewall for L4 LB traffic proxy health
              checks.

       --cluster=""
              The name of the kubeconfig cluster to use.

       --container-hints="/etc/cadvisor/container_hints.json"
              Location of the container hints file.

       --containerd="/run/containerd/containerd.sock"
              containerd endpoint.

       --containerd-namespace="k8s.io"
              containerd namespace.

       --context=""
              The name of the kubeconfig context to use.

       --default-not-ready-toleration-seconds=300
              Indicates the tolerationSeconds of the toleration for
              notReady:NoExecute that is added by default to every pod that
              does not already have such a toleration.

       --default-unreachable-toleration-seconds=300
              Indicates the tolerationSeconds of the toleration for
              unreachable:NoExecute that is added by default to every pod
              that does not already have such a toleration.

       --disable-root-cgroup-stats=false
              Disable collecting root Cgroup stats.

       --docker="unix:///var/run/docker.sock"
              docker endpoint.

       --docker-env-metadata-whitelist=""
              A comma-separated list of environment variable keys matched
              with the specified prefix that need to be collected for docker
              containers.

       --docker-only=false
              Only report docker containers in addition to root stats.

       --docker-root="/var/lib/docker"
              DEPRECATED: docker root is read from docker info (this is a
              fallback, default: /var/lib/docker).

       --docker-tls=false
              Use TLS to connect to docker.

       --docker-tls-ca="ca.pem"
              Path to trusted CA.

       --docker-tls-cert="cert.pem"
              Path to client certificate.

       --docker-tls-key="key.pem"
              Path to private key.

       --enable-load-reader=false
              Whether to enable the cpu load reader.

       --event-storage-age-limit="default=0"
              Max length of time for which to store events (per type). Value
              is a comma-separated list of key values, where the keys are
              event types (e.g.: creation, oom) or "default" and the value is
              a duration. Default is applied to all non-specified event
              types.

       --event-storage-event-limit="default=0"
              Max number of events to store (per type). Value is a
              comma-separated list of key values, where the keys are event
              types (e.g.: creation, oom) or "default" and the value is an
              integer. Default is applied to all non-specified event types.

       --global-housekeeping-interval=1m0s
              Interval between global housekeepings.

       --housekeeping-interval=10s
              Interval between container housekeepings.

       --insecure-skip-tls-verify=false
              If true, the server's certificate will not be checked for
              validity. This will make your HTTPS connections insecure.

       --kubeconfig=""
              Path to the kubeconfig file to use for CLI requests.

       --log-backtrace-at=:0
              When logging hits line file:N, emit a stack trace.

       --log-cadvisor-usage=false
              Whether to log the usage of the cAdvisor container.

       --log-dir=""
              If non-empty, write log files in this directory.

       --log-file=""
              If non-empty, use this log file.

       --log-file-max-size=1800
              Defines the maximum size a log file can grow to. Unit is
              megabytes. If the value is 0, the maximum file size is
              unlimited.

       --log-flush-frequency=5s
              Maximum number of seconds between log flushes.

       --logtostderr=true
              Log to standard error instead of files.

       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
              Comma-separated list of files to check for machine-id. Use the
              first one that exists.

       --match-server-version=false
              Require server version to match client version.

       -n, --namespace=""
              If present, the namespace scope for this CLI request.

       --one-output=false
              If true, only write logs to their native severity level (vs
              also writing to each lower severity level).

       --password=""
              Password for basic authentication to the API server.

       --profile="none"
              Name of profile to capture. One of
              (none|cpu|heap|goroutine|threadcreate|block|mutex).

       --profile-output="profile.pprof"
              Name of the file to write the profile to.

       --referenced-reset-interval=0
              Reset interval for referenced bytes (container_referenced_bytes
              metric): the number of measurement cycles after which
              referenced bytes are cleared. If set to 0, referenced bytes are
              never cleared (default: 0).

       --request-timeout="0"
              The length of time to wait before giving up on a single server
              request. Non-zero values should contain a corresponding time
              unit (e.g. 1s, 2m, 3h). A value of zero means don't time out
              requests.

       -s, --server=""
              The address and port of the Kubernetes API server.

       --skip-headers=false
              If true, avoid header prefixes in the log messages.

       --skip-log-headers=false
              If true, avoid headers when opening log files.

       --stderrthreshold=2
              Logs at or above this threshold go to stderr.

       --storage-driver-buffer-duration=1m0s
              Writes in the storage driver will be buffered for this
              duration, and committed to the non-memory backends as a single
              transaction.

       --storage-driver-db="cadvisor"
              Database name.

       --storage-driver-host="localhost:8086"
              Database host:port.

       --storage-driver-password="root"
              Database password.

       --storage-driver-secure=false
              Use a secure connection with the database.

       --storage-driver-table="stats"
              Table name.

       --storage-driver-user="root"
              Database username.

       --tls-server-name=""
              Server name to use for server certificate validation. If it is
              not provided, the hostname used to contact the server is used.

       --token=""
              Bearer token for authentication to the API server.

       --update-machine-info-interval=5m0s
              Interval between machine info updates.

       --user=""
              The name of the kubeconfig user to use.

       --username=""
              Username for basic authentication to the API server.

       -v, --v=0
              Number for the log level verbosity.

       --version=false
              Print version information and quit.

       --vmodule=
              Comma-separated list of pattern=N settings for file-filtered
              logging.

       --warnings-as-errors=false
              Treat warnings received from the server as errors and exit with
              a non-zero exit code.

EXAMPLE
       # Check to see if I can create pods in any namespace
       kubectl auth can-i create pods --all-namespaces

       # Check to see if I can list deployments in my current namespace
       kubectl auth can-i list deployments.apps

       # Check to see if I can do everything in my current namespace ("*" means all)
       kubectl auth can-i '*' '*'

       # Check to see if I can list the job named "bar" in namespace "foo"
       kubectl auth can-i list jobs.batch/bar -n foo

       # Check to see if I can read pod logs
       kubectl auth can-i get pods --subresource=log

       # Check to see if I can access the URL /logs/
       kubectl auth can-i get /logs/

       # List all allowed actions in namespace "foo"
       kubectl auth can-i --list --namespace=foo

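As an added example that is not part of this man page, the following POSIX shell script combines the --as impersonation flag with the --quiet exit code of kubectl auth can-i to audit how far a subject's RBAC permissions reach across namespaces. It assumes a kubectl binary on PATH (or named by the KUBECTL variable) whose current context is permitted to impersonate the subject; the watchlist of verb/resource pairs is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the kubectl man page): audit how far a subject's RBAC
# permissions reach by impersonating it (--as) and relying on the --quiet exit
# code of "kubectl auth can-i". Assumes the kubectl named by $KUBECTL has a
# current context that is permitted to impersonate the subject.
KUBECTL="${KUBECTL:-kubectl}"

# Constructed watchlist: VERB RESOURCE [SUBRESOURCE]. Each entry is a common
# privilege-escalation or data-exposure path when granted across namespaces.
SENSITIVE_CHECKS='
create pods
get secrets
create pods exec
bind clusterroles.rbac.authorization.k8s.io
escalate clusterroles.rbac.authorization.k8s.io
create clusterrolebindings.rbac.authorization.k8s.io
'

# audit_subject SUBJECT: print every watchlist entry the subject may perform in
# at least one namespace, one per line (e.g. "create pods/exec").
audit_subject() {
  subject=$1
  while read -r verb res sub; do
    [ -n "$verb" ] || continue
    extra=""
    if [ -n "$sub" ]; then
      extra="--subresource=$sub"
    fi
    # --quiet suppresses the yes/no text: exit 0 means allowed, non-zero means
    # denied or that the query itself failed (e.g. impersonation not permitted).
    if "$KUBECTL" auth can-i "$verb" "$res" $extra --all-namespaces --quiet \
         --as="$subject" 2>/dev/null; then
      printf '%s %s%s\n' "$verb" "$res" "${sub:+/$sub}"
    fi
  done <<EOF
$SENSITIVE_CHECKS
EOF
}

# Stand-alone use: sh audit.sh system:serviceaccount:ci:builder
if [ $# -gt 0 ]; then
  audit_subject "$1"
fi
```

Because a failed impersonation also yields a non-zero exit code, a subject that prints nothing should be re-checked without --as to confirm the caller itself may impersonate.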
SEE ALSO
       kubectl-auth(1),

HISTORY
       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Manuals User                                           KUBERNETES(1)(kubernetes)