1OC AUTH(1)                         June 2016                        OC AUTH(1)
2
3
4

NAME

6       oc auth can-i - Check whether an action is allowed
7
8
9

SYNOPSIS

11       oc auth can-i [OPTIONS]
12
13
14

DESCRIPTION

16       Check whether an action is allowed.
17
18
19       VERB  is  a  logical  Kubernetes  API verb like 'get', 'list', 'watch',
20       'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will
21       be  resolved.  NONRESOURCEURL is a partial URL starts with "/". NAME is
22       the name of a particular Kubernetes resource.
23
24
25

OPTIONS

27       --all-namespaces=false
28           If true, check the specified action in all namespaces.
29
30
31       -q, --quiet=false
32           If true, suppress output and just return the exit code.
33
34
35       --subresource=""
36           SubResource such as pod/log or deployment/scale
37
38
39

OPTIONS INHERITED FROM PARENT COMMANDS

41       --allow_verification_with_non_compliant_keys=false
42           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
43       non-compliant with RFC6962.
44
45
46       --alsologtostderr=false
47           log to standard error as well as files
48
49
50       --application_metrics_count_limit=100
51           Max number of application metrics to store (per container)
52
53
54       --as=""
55           Username to impersonate for the operation
56
57
58       --as-group=[]
59           Group  to  impersonate for the operation, this flag can be repeated
60       to specify multiple groups.
61
62
63       --azure-container-registry-config=""
64           Path to the file containing Azure container registry  configuration
65       information.
66
67
68       --boot_id_file="/proc/sys/kernel/random/boot_id"
69           Comma-separated  list  of files to check for boot-id. Use the first
70       one that exists.
71
72
73       --cache-dir="/builddir/.kube/http-cache"
74           Default HTTP cache directory
75
76
77       --certificate-authority=""
78           Path to a cert file for the certificate authority
79
80
81       --client-certificate=""
82           Path to a client certificate file for TLS
83
84
85       --client-key=""
86           Path to a client key file for TLS
87
88
89       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
90           CIDRs opened in GCE firewall for LB traffic proxy  health checks
91
92
93       --cluster=""
94           The name of the kubeconfig cluster to use
95
96
97       --container_hints="/etc/cadvisor/container_hints.json"
98           location of the container hints file
99
100
101       --containerd="unix:///var/run/containerd.sock"
102           containerd endpoint
103
104
105       --context=""
106           The name of the kubeconfig context to use
107
108
109       --default-not-ready-toleration-seconds=300
110           Indicates    the    tolerationSeconds   of   the   toleration   for
111       notReady:NoExecute that is added by default to every pod that does  not
112       already have such a toleration.
113
114
115       --default-unreachable-toleration-seconds=300
116           Indicates  the  tolerationSeconds  of  the  toleration for unreach‐
117       able:NoExecute that is added by default to  every  pod  that  does  not
118       already have such a toleration.
119
120
121       --docker="unix:///var/run/docker.sock"
122           docker endpoint
123
124
125       --docker-tls=false
126           use TLS to connect to docker
127
128
129       --docker-tls-ca="ca.pem"
130           path to trusted CA
131
132
133       --docker-tls-cert="cert.pem"
134           path to client certificate
135
136
137       --docker-tls-key="key.pem"
138           path to private key
139
140
141       --docker_env_metadata_whitelist=""
142           a  comma-separated  list of environment variable keys that needs to
143       be collected for docker containers
144
145
146       --docker_only=false
147           Only report docker containers in addition to root stats
148
149
150       --docker_root="/var/lib/docker"
151           DEPRECATED: docker root is read from docker info (this is  a  fall‐
152       back, default: /var/lib/docker)
153
154
155       --enable_load_reader=false
156           Whether to enable cpu load reader
157
158
159       --event_storage_age_limit="default=24h"
160           Max length of time for which to store events (per type). Value is a
161       comma separated list of key values, where  the  keys  are  event  types
162       (e.g.: creation, oom) or "default" and the value is a duration. Default
163       is applied to all non-specified event types
164
165
166       --event_storage_event_limit="default=100000"
167           Max number of events to store (per type). Value is  a  comma  sepa‐
168       rated  list  of  key values, where the keys are event types (e.g.: cre‐
169       ation, oom) or "default" and  the  value  is  an  integer.  Default  is
170       applied to all non-specified event types
171
172
173       --global_housekeeping_interval=0
174           Interval between global housekeepings
175
176
177       --housekeeping_interval=0
178           Interval between container housekeepings
179
180
181       --insecure-skip-tls-verify=false
182           If true, the server's certificate will not be checked for validity.
183       This will make your HTTPS connections insecure
184
185
186       --kubeconfig=""
187           Path to the kubeconfig file to use for CLI requests.
188
189
190       --log-flush-frequency=0
191           Maximum number of seconds between log flushes
192
193
194       --log_backtrace_at=:0
195           when logging hits line file:N, emit a stack trace
196
197
198       --log_cadvisor_usage=false
199           Whether to log the usage of the cAdvisor container
200
201
202       --log_dir=""
203           If non-empty, write log files in this directory
204
205
206       --logtostderr=true
207           log to standard error instead of files
208
209
210       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
211           Comma-separated list of files to  check  for  machine-id.  Use  the
212       first one that exists.
213
214
215       --match-server-version=false
216           Require server version to match client version
217
218
219       -n, --namespace=""
220           If present, the namespace scope for this CLI request
221
222
223       --request-timeout="0"
224           The  length  of  time  to  wait before giving up on a single server
225       request. Non-zero values should contain a corresponding time unit (e.g.
226       1s, 2m, 3h). A value of zero means don't timeout requests.
227
228
229       -s, --server=""
230           The address and port of the Kubernetes API server
231
232
233       --stderrthreshold=2
234           logs at or above this threshold go to stderr
235
236
237       --storage_driver_buffer_duration=0
238           Writes  in  the  storage driver will be buffered for this duration,
239       and committed to the non memory backends as a single transaction
240
241
242       --storage_driver_db="cadvisor"
243           database name
244
245
246       --storage_driver_host="localhost:8086"
247           database host:port
248
249
250       --storage_driver_password="root"
251           database password
252
253
254       --storage_driver_secure=false
255           use secure connection with database
256
257
258       --storage_driver_table="stats"
259           table name
260
261
262       --storage_driver_user="root"
263           database username
264
265
266       --token=""
267           Bearer token for authentication to the API server
268
269
270       --user=""
271           The name of the kubeconfig user to use
272
273
274       -v, --v=0
275           log level for V logs
276
277
278       --version=false
279           Print version information and quit
280
281
282       --vmodule=
283           comma-separated list of pattern=N settings for  file-filtered  log‐
284       ging
285
286
287

EXAMPLE

289                # Check to see if I can create pods in any namespace
290                oc auth can-i create pods --all-namespaces
291
292                # Check to see if I can list deployments in my current namespace
293                oc auth can-i list deployments.extensions
294
295                # Check to see if I can do everything in my current namespace ("*" means all)
296                oc auth can-i '*' '*'
297
298                # Check to see if I can get the job named "bar" in namespace "foo"
299                oc auth can-i list jobs.batch/bar -n foo
300
301                # Check to see if I can read pod logs
302                oc auth can-i get pods --subresource=log
303
304                # Check to see if I can access the URL /logs/
305                oc auth can-i get /logs/
306
307
308
309

SEE ALSO

311       oc-auth(1),
312
313
314

HISTORY

316       June 2016, Ported from the Kubernetes man-doc generator
317
318
319
320Openshift                  Openshift CLI User Manuals               OC AUTH(1)
Impressum