
kubectl auth can-i

kubectl auth can-i is a diagnostic subcommand used to verify whether a user or service account has specific permissions within the Kubernetes cluster.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]

Function

This command performs a quick query against the API server's authorization logic to determine if a specific action is permitted.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] It simulates an API request and checks the rules defined in the authorization mode (such as [[RBAC]]) to see if the request would be allowed or denied.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]

This tool is particularly useful for debugging [[Role]] and [[RoleBinding]] configurations to ensure they grant the intended access without leaving the cluster in a broken state.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]

Usage Syntax

The general syntax involves specifying the verb (action) and the resource type:

kubectl auth can-i [VERB] [RESOURCE] --namespace [NAMESPACE]

For example, to check if the current user can create deployments in the default namespace:^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]

kubectl auth can-i create deployments --namespace default
# Output: yes
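
The same check can be scripted to confirm that a Role and RoleBinding grant exactly the intended access, including what must stay denied. The following is an added example, not taken from the cited source: the service account `ci-deployer`, the `default` namespace, and the expectation rows are constructed, and it relies on kubectl's `--as` impersonation flag, which requires that the caller is allowed to impersonate the subject.

```shell
#!/bin/sh
# Added example: compare a subject's effective permissions with an expected
# matrix by calling `kubectl auth can-i` once per row.
# Assumed names (not from the page): service account "ci-deployer",
# namespace "default", and the rows in the heredoc below.

# check_access SUBJECT NAMESPACE   (reads "VERB RESOURCE EXPECTED" rows on stdin)
# Prints one result line per row; returns 1 if any row differs from expectation.
check_access() {
  local subject namespace verb resource expected actual failed
  subject=$1; namespace=$2; failed=0
  while read -r verb resource expected; do
    # Skip blank lines and comment rows in the matrix.
    case $verb in ''|'#'*) continue ;; esac
    # can-i prints yes/no and exits non-zero on "no", so the status is ignored.
    # stdin is redirected so kubectl cannot consume the remaining rows.
    actual=$(kubectl auth can-i "$verb" "$resource" \
      --namespace "$namespace" --as "$subject" 2>/dev/null </dev/null || true)
    case "$expected/$actual" in
      yes/yes|no/no) echo "OK $verb $resource = $actual" ;;
      # Allowed although the matrix says it must be denied: excess privilege.
      no/yes) echo "OVER-PRIVILEGED $verb $resource (expected no)"; failed=1 ;;
      # Denied although the workload needs it: the binding is incomplete.
      yes/no) echo "DENIED $verb $resource (expected yes)"; failed=1 ;;
      *) echo "ERROR $verb $resource (got '${actual}')"; failed=1 ;;
    esac
  done
  return "$failed"
}

# Run against a live cluster only when invoked as: ./check-access.sh --run
if [ "${1:-}" = "--run" ]; then
  check_access system:serviceaccount:default:ci-deployer default <<'EOF'
# VERB RESOURCE    EXPECTED   (constructed expectation matrix)
create deployments yes
get    pods        yes
delete secrets     no
list   secrets     no
EOF
fi
```

A non-zero exit makes the script usable as a gate after applying RBAC manifests; the `OVER-PRIVILEGED` rows are the ones to review first.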

Sources

^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]