KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015


NAME
       kubectl auth can-i - Check whether an action is allowed



SYNOPSIS
       kubectl auth can-i [OPTIONS]



DESCRIPTION
       Check whether an action is allowed.


       VERB is a logical Kubernetes API verb like 'get', 'list', 'watch',
       'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will
       be resolved. NONRESOURCEURL is a partial URL that starts with "/". NAME
       is the name of a particular Kubernetes resource. This command pairs
       nicely with impersonation. See --as global flag.



OPTIONS
       -A, --all-namespaces=false    If true, check the specified action in
       all namespaces.


       --list=false   If true, prints all allowed actions.


       --no-headers=false  If true, prints allowed actions without headers


       -q, --quiet=false   If true, suppress output and just return the exit
       code.


       --subresource=""    SubResource such as pod/log or deployment/scale



OPTIONS INHERITED FROM PARENT COMMANDS
       --as=""   Username to impersonate for the operation. User could be a
       regular user or a service account in a namespace.


       --as-group=[]  Group to impersonate for the operation, this flag can be
       repeated to specify multiple groups.


       --as-uid=""    UID to impersonate for the operation.


       --azure-container-registry-config=""    Path to the file containing
       Azure container registry configuration information.


       --cache-dir="/home/username/.kube/cache"     Default cache directory


       --certificate-authority=""    Path to a cert file for the certificate
       authority


       --client-certificate=""  Path to a client certificate file for TLS


       --client-key=""     Path to a client key file for TLS


       --cluster=""   The name of the kubeconfig cluster to use


       --context=""   The name of the kubeconfig context to use


       --disable-compression=false   If true, opt-out of response compression
       for all requests to the server


       --insecure-skip-tls-verify=false   If true, the server's certificate
       will not be checked for validity. This will make your HTTPS connections
       insecure


       --kubeconfig=""     Path to the kubeconfig file to use for CLI
       requests.


       --match-server-version=false  Require server version to match client
       version


       -n, --namespace=""  If present, the namespace scope for this CLI
       request


       --password=""  Password for basic authentication to the API server


       --profile="none"    Name of profile to capture. One of
       (none|cpu|heap|goroutine|threadcreate|block|mutex)


       --profile-output="profile.pprof"   Name of the file to write the
       profile to


       --request-timeout="0"    The length of time to wait before giving up on
       a single server request. Non-zero values should contain a corresponding
       time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout
       requests.


       -s, --server=""     The address and port of the Kubernetes API server


       --tls-server-name=""     Server name to use for server certificate
       validation. If it is not provided, the hostname used to contact the
       server is used


       --token=""     Bearer token for authentication to the API server


       --user=""      The name of the kubeconfig user to use


       --username=""  Username for basic authentication to the API server


       --version=false     --version, --version=raw prints version information
       and quits; --version=vX.Y.Z... sets the reported version


       --warnings-as-errors=false    Treat warnings received from the server
       as errors and exit with a non-zero exit code



EXAMPLE

                # Check to see if I can create pods in any namespace
                kubectl auth can-i create pods --all-namespaces

                # Check to see if I can list deployments in my current namespace
                kubectl auth can-i list deployments.apps

                # Check to see if service account "foo" of namespace "dev" can list pods
                # in the namespace "prod".
                # You must be allowed to use impersonation for the global option "--as".
                kubectl auth can-i list pods --as=system:serviceaccount:dev:foo -n prod

                # Check to see if I can do everything in my current namespace ("*" means all)
                kubectl auth can-i '*' '*'

                # Check to see if I can get the job named "bar" in namespace "foo"
                kubectl auth can-i list jobs.batch/bar -n foo

                # Check to see if I can read pod logs
                kubectl auth can-i get pods --subresource=log

                # Check to see if I can access the URL /logs/
                kubectl auth can-i get /logs/

                # List all allowed actions in namespace "foo"
                kubectl auth can-i --list --namespace=foo




SEE ALSO
       kubectl-auth(1),



HISTORY
       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Manuals                              User            KUBERNETES(1)(kubernetes)