auth
Inspect whether you are authorized to perform an action on or with Kubernetes resources.
Command
$ kubectl auth
Sub Commands
- can-i
- reconcile
can-i
Check whether an action is allowed.
VERB is a logical Kubernetes API verb like ‘get’, ‘list’, ‘watch’, ‘delete’, etc. TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. NONRESOURCEURL is a partial URL that starts with “/”. NAME is the name of a particular Kubernetes resource.
Command
$ kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL]
Example I
Command
$ kubectl auth can-i create pods --all-namespaces
yes
Notice that the command yields yes as the result, which means you are allowed to create pods in all available namespaces.
Example II
Command
$ kubectl auth can-i list deployments.apps
yes
reconcile
Reconciles rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRoleBinding objects.
Missing objects are created, and the containing namespace is created for namespaced objects, if required.
Existing roles are updated to include the permissions in the input objects, and remove extra permissions if --remove-extra-permissions is specified.
Existing bindings are updated to include the subjects in the input objects, and remove extra subjects if --remove-extra-subjects is specified.
This is preferred to ‘apply’ for RBAC resources so that semantically-aware merging of rules and subjects is done.
Command
$ kubectl auth reconcile -f FILENAME
Example
TODO
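A worked use of reconcile followed by a can-i check, added here as an example and not part of the original page. The namespace demo, Role pod-reader, RoleBinding pod-reader-binding and ServiceAccount ci-bot are constructed names, and the can-i check assumes the caller is allowed to impersonate the ServiceAccount with --as.

```shell
# Constructed names: namespace "demo", Role "pod-reader", ServiceAccount "ci-bot".
NS=demo SA=ci-bot

# Desired state: read-only access to pods for a single ServiceAccount.
write_rbac_manifest() {
  cat > "$1" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: $NS
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: $NS
subjects:
- kind: ServiceAccount
  name: $SA
  namespace: $NS
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
EOF
}

# Default mode only adds what is missing; "strict" also removes rules and subjects not in the file.
reconcile_rbac() {
  file=$1; mode=${2:-additive}
  set -- auth reconcile -f "$file"
  [ "$mode" = strict ] && set -- "$@" --remove-extra-permissions --remove-extra-subjects
  kubectl "$@"
}

# Succeeds only if the ServiceAccount may perform verb $1 on resource $2 in $NS.
sa_can() {
  [ "$(kubectl auth can-i "$1" "$2" -n "$NS" --as="system:serviceaccount:$NS:$SA")" = yes ]
}

# Fails if the intended read access is missing or if write access is still present.
verify_rbac() {
  sa_can list pods && ! sa_can delete pods
}
# Usage: write_rbac_manifest rbac.yaml && reconcile_rbac rbac.yaml strict && verify_rbac
```

Run the additive mode first on a cluster with existing bindings, since strict mode drops every rule and subject that the file does not list.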