KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kubectl auth can-i - Check whether an action is allowed

SYNOPSIS

       kubectl auth can-i [OPTIONS]

DESCRIPTION

       Check whether an action is allowed.

       VERB is a logical Kubernetes API verb like 'get', 'list', 'watch',
       'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will
       be resolved. NONRESOURCEURL is a partial URL that starts with "/". NAME
       is the name of a particular Kubernetes resource. This command pairs
       nicely with impersonation. See --as global flag.

OPTIONS

       -A, --all-namespaces=false      If true, check the specified action in
       all namespaces.

       --list=false      If true, prints all allowed actions.

       --no-headers=false      If true, prints allowed actions without headers

       -q, --quiet=false      If true, suppress output and just return the
       exit code.

       --subresource=""      SubResource such as pod/log or deployment/scale

OPTIONS INHERITED FROM PARENT COMMANDS

       --as=""      Username to impersonate for the operation. User could be a
       regular user or a service account in a namespace.

       --as-group=[]      Group to impersonate for the operation, this flag
       can be repeated to specify multiple groups.

       --as-uid=""      UID to impersonate for the operation.

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --cache-dir="/builddir/.kube/cache"      Default cache directory

       --certificate-authority=""      Path to a cert file for the certificate
       authority

       --client-certificate=""      Path to a client certificate file for TLS

       --client-key=""      Path to a client key file for TLS

       --cluster=""      The name of the kubeconfig cluster to use

       --context=""      The name of the kubeconfig context to use

       --insecure-skip-tls-verify=false      If true, the server's certificate
       will not be checked for validity. This will make your HTTPS connections
       insecure

       --kubeconfig=""      Path to the kubeconfig file to use for CLI
       requests.

       --match-server-version=false      Require server version to match
       client version

       -n, --namespace=""      If present, the namespace scope for this CLI
       request

       --password=""      Password for basic authentication to the API server

       --profile="none"      Name of profile to capture. One of
       (none|cpu|heap|goroutine|threadcreate|block|mutex)

       --profile-output="profile.pprof"      Name of the file to write the
       profile to

       --request-timeout="0"      The length of time to wait before giving up
       on a single server request. Non-zero values should contain a
       corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't
       timeout requests.

       -s, --server=""      The address and port of the Kubernetes API server

       --tls-server-name=""      Server name to use for server certificate
       validation. If it is not provided, the hostname used to contact the
       server is used

       --token=""      Bearer token for authentication to the API server

       --user=""      The name of the kubeconfig user to use

       --username=""      Username for basic authentication to the API server

       --version=false      Print version information and quit

       --warnings-as-errors=false      Treat warnings received from the server
       as errors and exit with a non-zero exit code

EXAMPLE

                # Check to see if I can create pods in any namespace
                kubectl auth can-i create pods --all-namespaces

                # Check to see if I can list deployments in my current namespace
                kubectl auth can-i list deployments.apps

                # Check to see if I can do everything in my current namespace ("*" means all)
                kubectl auth can-i '*' '*'

                # Check to see if I can get the job named "bar" in namespace "foo"
                kubectl auth can-i get jobs.batch/bar -n foo

                # Check to see if I can read pod logs
                kubectl auth can-i get pods --subresource=log

                # Check to see if I can access the URL /logs/
                kubectl auth can-i get /logs/

                # List all allowed actions in namespace "foo"
                kubectl auth can-i --list --namespace=foo
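
       The pairing with impersonation mentioned in DESCRIPTION, as an added
       example that is not part of the original man page: a least-privilege
       audit that impersonates a service account and reports any action from
       a deny-list that the account is allowed to perform. The deny-list, the
       function names and the account name "builder" are assumptions made for
       illustration; the caller must itself be allowed to impersonate.

```shell
#!/bin/sh
# Added example: least-privilege audit of a service account using
# `kubectl auth can-i` with impersonation (--as). Not part of the man page.

# Constructed deny-list, one "VERB RESOURCE [SUBRESOURCE]" per line.
FORBIDDEN_ACTIONS='get secrets
create pods
create pods exec
* *'

# check_action USER NAMESPACE VERB RESOURCE [SUBRESOURCE]
# Prints "allowed", "denied" or "error". The verdict is read from stdout
# ("yes" / "no ...") so a failed API call is not mistaken for a denial.
check_action() {
    user=$1 ns=$2 verb=$3 resource=$4 sub=${5:-}
    out=$(kubectl auth can-i "$verb" "$resource" \
          ${sub:+--subresource="$sub"} \
          --namespace="$ns" --as="$user" 2>/dev/null) || true
    case "$out" in
        yes*) echo allowed ;;
        no*)  echo denied ;;
        *)    echo error ;;
    esac
}

# audit_sa NAMESPACE SERVICEACCOUNT
# Prints one line per forbidden action that is allowed or unverifiable.
# Returns 0 if every action is denied, 1 if any is allowed, 2 on check errors.
audit_sa() {
    sa_user="system:serviceaccount:$1:$2"
    rc=0
    while read -r verb resource sub; do
        [ -n "$verb" ] || continue
        what="$verb $resource${sub:+/$sub}"
        case $(check_action "$sa_user" "$1" "$verb" "$resource" "$sub") in
            allowed) echo "VIOLATION: $sa_user can $what"
                     [ "$rc" -eq 2 ] || rc=1 ;;
            error)   echo "UNKNOWN: could not check $what"
                     rc=2 ;;
        esac
    done <<EOF
$FORBIDDEN_ACTIONS
EOF
    return "$rc"
}

# Usage: audit_sa foo builder   (namespace "foo", hypothetical account "builder")
```

       A return code of 2 means the check itself failed (for example, the
       caller may not impersonate the account), so it is not a pass.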

SEE ALSO

       kubectl-auth(1)

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Manuals                              User            KUBERNETES(1)(kubernetes)