When we work with a Kubernetes cluster, it happens that we don't remember whether a user or service account has a specific right.
So, to avoid searching through all the RBAC definition files, we can use the kubectl auth can-i command.
Command details
Current user
kubectl auth can-i [action] [resource]
With this template, you can check whether the current user is able to perform the action given in the command on the resource type given in the command.
Example to check if the current user can create a pod:
kubectl auth can-i create pod
The result will be yes if you have the permission, or no if you don't.
Define namespace
The command as written asks for the permissions on cluster-scoped resources, or on namespace-scoped resources in the default namespace.
If you want to ask about the rights in a particular namespace, you just have to add the option --namespace [name of the namespace].
Impersonate another user
If you want to check the permissions of another user, you can impersonate it by adding the option --as at the end of the command, followed by the name of the user.
Example to check if toto can list deployments:
kubectl auth can-i list deployment --as toto
Impersonate a service account
To impersonate a service account, use the same --as option but with the following template: system:serviceaccount:[namespace]:[service account name].
Example to check if the service account titi in the test namespace can delete a configmap:
kubectl auth can-i delete configmap --as system:serviceaccount:test:titi
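Putting the pieces above together (current user, namespace, and service-account impersonation), here is an added POSIX sh example that is not part of the original post: it wraps kubectl auth can-i in a small audit function that checks a constructed list of sensitive verb/resource pairs for one subject. It assumes a working kubectl context; the helper names (sa_subject, can_i, audit) and the KUBECTL override variable are this example's own, not kubectl features.

```shell
#!/bin/sh
# Added example (not from the original post): audit a list of verb/resource
# pairs for one subject with `kubectl auth can-i`. Assumes a configured
# kubectl context. KUBECTL may point to a stub command so the helpers can be
# exercised without a cluster (used by the tests below).

# Build the impersonation subject for a service account:
# system:serviceaccount:<namespace>:<name>
sa_subject() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# can_i VERB RESOURCE [NAMESPACE] [SUBJECT]
# Prints "yes" or "no". kubectl auth can-i exits 0 when the action is allowed
# and non-zero when it is denied (or when the query itself fails), so the
# exit status is used instead of parsing stdout.
can_i() {
  verb=$1; resource=$2; ns=$3; subject=$4
  set -- auth can-i "$verb" "$resource"
  if [ -n "$ns" ]; then set -- "$@" --namespace "$ns"; fi
  if [ -n "$subject" ]; then set -- "$@" --as "$subject"; fi
  if "${KUBECTL:-kubectl}" "$@" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# audit SUBJECT [NAMESPACE]
# Prints one yes/no line per check (a constructed list of actions that are
# worth reviewing for any subject) and returns the number of allowed actions,
# so a caller can flag unexpectedly broad rights.
audit() {
  subject=$1; ns=$2; allowed=0
  for check in "create pods" "delete configmaps" "list secrets" \
               "create rolebindings" "get nodes"; do
    set -- $check                       # split "verb resource" into $1 $2
    result=$(can_i "$1" "$2" "$ns" "$subject")
    printf '%-8s %-14s %s\n' "$1" "$2" "$result"
    if [ "$result" = yes ]; then allowed=$((allowed + 1)); fi
  done
  return "$allowed"
}

# Usage: sh can-i-audit.sh SUBJECT [NAMESPACE], for example
#   sh can-i-audit.sh system:serviceaccount:test:titi test
if [ $# -gt 0 ]; then
  audit "$@"
  echo "allowed: $?"
fi
```

Two practical notes: impersonating a subject with --as only works if your own identity is allowed the impersonate verb on users and serviceaccounts, so a "no" for a subject you cannot impersonate reflects your rights, not theirs; and because can_i relies on the exit status, a cluster that is unreachable also shows up as "no", which is the safe default for a review script but worth keeping in mind when every line comes back negative.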
And that's it! Really easy to use, and it can save some time!
I hope it will help you, and if you have any questions (there are no dumb questions) or some points are not clear to you, don't hesitate to add your question in the comments or to contact me directly on LinkedIn.