KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kubectl auth can-i - Check whether an action is allowed

SYNOPSIS

       kubectl auth can-i [OPTIONS]

DESCRIPTION

       Check whether an action is allowed.

       VERB is a logical Kubernetes API verb like 'get', 'list', 'watch',
       'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will
       be resolved. NONRESOURCEURL is a partial URL that starts with "/". NAME
       is the name of a particular Kubernetes resource. This command pairs
       nicely with impersonation. See the --as global flag.

OPTIONS

       -A, --all-namespaces=false      If true, check the specified action in
       all namespaces.

       --list=false      If true, prints all allowed actions.

       --no-headers=false      If true, prints allowed actions without headers

       -q, --quiet=false      If true, suppress output and just return the
       exit code.

       --subresource=""      SubResource such as pod/log or deployment/scale

OPTIONS INHERITED FROM PARENT COMMANDS

       --as=""      Username to impersonate for the operation. User could be a
       regular user or a service account in a namespace.

       --as-group=[]      Group to impersonate for the operation, this flag
       can be repeated to specify multiple groups.

       --as-uid=""      UID to impersonate for the operation.

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --cache-dir="/builddir/.kube/cache"      Default cache directory

       --certificate-authority=""      Path to a cert file for the certificate
       authority

       --client-certificate=""      Path to a client certificate file for TLS

       --client-key=""      Path to a client key file for TLS

       --cluster=""      The name of the kubeconfig cluster to use

       --context=""      The name of the kubeconfig context to use

       --disable-compression=false      If true, opt-out of response
       compression for all requests to the server

       --insecure-skip-tls-verify=false      If true, the server's certificate
       will not be checked for validity. This will make your HTTPS connections
       insecure

       --kubeconfig=""      Path to the kubeconfig file to use for CLI
       requests.

       --match-server-version=false      Require server version to match
       client version

       -n, --namespace=""      If present, the namespace scope for this CLI
       request

       --password=""      Password for basic authentication to the API server

       --profile="none"      Name of profile to capture. One of
       (none|cpu|heap|goroutine|threadcreate|block|mutex)

       --profile-output="profile.pprof"      Name of the file to write the
       profile to

       --request-timeout="0"      The length of time to wait before giving up
       on a single server request. Non-zero values should contain a
       corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't
       timeout requests.

       -s, --server=""      The address and port of the Kubernetes API server

       --tls-server-name=""      Server name to use for server certificate
       validation. If it is not provided, the hostname used to contact the
       server is used

       --token=""      Bearer token for authentication to the API server

       --user=""      The name of the kubeconfig user to use

       --username=""      Username for basic authentication to the API server

       --version=false      Print version information and quit

       --warnings-as-errors=false      Treat warnings received from the server
       as errors and exit with a non-zero exit code

EXAMPLE

                # Check to see if I can create pods in any namespace
                kubectl auth can-i create pods --all-namespaces

                # Check to see if I can list deployments in my current namespace
                kubectl auth can-i list deployments.apps

                # Check to see if service account "foo" of namespace "dev" can list pods
                # in the namespace "prod".
                # You must be allowed to use impersonation for the global option "--as".
                kubectl auth can-i list pods --as=system:serviceaccount:dev:foo -n prod

                # Check to see if I can do everything in my current namespace ("*" means all)
                kubectl auth can-i '*' '*'

                # Check to see if I can get the job named "bar" in namespace "foo"
                kubectl auth can-i get jobs.batch/bar -n foo

                # Check to see if I can read pod logs
                kubectl auth can-i get pods --subresource=log

                # Check to see if I can access the URL /logs/
                kubectl auth can-i get /logs/

                # List all allowed actions in namespace "foo"
                kubectl auth can-i --list --namespace=foo
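       The impersonation check shown above, extended into an added example
       that is not part of the original manual page: a POSIX sh audit that
       impersonates one service account with --as and tests a list of
       sensitive actions. The check list, the function names can_i and
       audit_sa, and the assumption that stdout starts with "yes" or "no"
       are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the man page): audit one service account for
# sensitive permissions with "kubectl auth can-i" and --as impersonation.
# The check list is a constructed sample; adjust it to your policy.
SENSITIVE_CHECKS='create pods
get secrets
list secrets
create pods exec
* *'

# can_i SUBJECT NAMESPACE VERB RESOURCE [SUBRESOURCE]
# Prints allowed, denied or error. The answer is read from stdout (assumed
# to start with "yes" or "no") rather than from the exit code alone, so an
# API or impersonation failure is not mistaken for a denial.
can_i() {
    subject=$1; ns=$2; verb=$3; resource=$4; sub=${5:-}
    set -- auth can-i "$verb" "$resource" --as="$subject" -n "$ns"
    if [ -n "$sub" ]; then set -- "$@" --subresource="$sub"; fi
    answer=$(kubectl "$@" 2>/dev/null </dev/null) || true
    case $answer in
        yes*) echo allowed ;;
        no*)  echo denied ;;
        *)    echo error ;;
    esac
}

# audit_sa SA_NAMESPACE SA_NAME TARGET_NAMESPACE
# Prints one tab-separated result line per check; returns 1 if any sensitive
# action is allowed or could not be evaluated, 0 if all are denied.
audit_sa() {
    sa="system:serviceaccount:$1:$2"; target=$3; rc=0
    while read -r v r s; do
        result=$(can_i "$sa" "$target" "$v" "$r" "$s")
        printf '%s\t%s\t%s %s%s\n' "$result" "$sa" "$v" "$r" "${s:+/$s}"
        [ "$result" = denied ] || rc=1
    done <<EOF
$SENSITIVE_CHECKS
EOF
    return "$rc"
}

# Usage: sh audit.sh dev foo prod
if [ "$#" -eq 3 ]; then audit_sa "$@"; fi
```

       An "error" line usually means the caller is not allowed to
       impersonate the subject or the API server could not be reached; it is
       reported separately so it is not read as a clean denial.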

SEE ALSO

       kubectl-auth(1)

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Manuals                              User            KUBERNETES(1)(kubernetes)