When working with a Kubernetes cluster, it happens that we don't remember whether a user or service account has a specific right.
So, to avoid searching through all the RBAC definition files, we can use the
kubectl auth can-i command.
kubectl auth can-i [action] [resource]
With this template, you can check whether the current user is allowed to perform the action given in the command on the resource type given in the command.
Example to check if the current user can create a pod:
kubectl auth can-i create pod
The result will be yes if you have the permission, or no if you don't.
By default, the command checks the permissions for cluster-scoped resources, or for namespaced resources in the default namespace.
If you want to check the rights in a particular namespace, just add the option
--namespace [name of the namespace].
If you want to check the permissions of another user, you can impersonate that user by adding the option
--as at the end of the command, followed by the name of the user.
Example to check if toto can list deployments:
kubectl auth can-i list deployment --as toto
To impersonate a service account, use the same
--as option, but with the following template:
system:serviceaccount:[namespace]:[name of the service account].
Example to check if the service account titi in the test namespace can delete a configmap:
kubectl auth can-i delete configmap --as system:serviceaccount:test:titi
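Checking one verb at a time gets tedious when you want to verify that a service account holds only the rights it needs. The script below is an added example (not part of the original post) that loops kubectl auth can-i over the common verbs with the --namespace and --as system:serviceaccount:... options shown above, and counts the write verbs that are allowed. It assumes kubectl is already configured against the cluster you are auditing; the namespace, service account and resource names are whatever you pass on the command line.

```shell
#!/usr/bin/env sh
# Added example: audit the verbs a service account holds on a set of resources.
# Assumes a working kubectl context; nothing here is from the original post.

# can_i VERB RESOURCE NAMESPACE SUBJECT -> prints "yes" or "no"
can_i() {
  # --quiet suppresses the yes/no text; the exit status (0 = allowed) is what we read.
  if kubectl auth can-i "$1" "$2" --namespace "$3" --as "$4" --quiet 2>/dev/null; then
    echo yes
  else
    echo no
  fi
}

# audit_sa NAMESPACE SERVICE_ACCOUNT RESOURCE...
# Prints one line per verb/resource pair: "<verb> <resource> <yes|no>".
audit_sa() {
  ns="$1"; sa="$2"; shift 2
  subject="system:serviceaccount:${ns}:${sa}"
  for res in "$@"; do
    for verb in get list watch create update patch delete; do
      printf '%s %s %s\n' "$verb" "$res" "$(can_i "$verb" "$res" "$ns" "$subject")"
    done
  done
}

# count_writes reads audit_sa output on stdin and prints how many
# write verbs (create/update/patch/delete) are allowed. These are the
# grants to review first when checking least privilege.
count_writes() {
  awk '$1 ~ /^(create|update|patch|delete)$/ && $3 == "yes" { n++ } END { print n+0 }'
}

# Usage: sh audit_sa.sh <namespace> <serviceaccount> <resource>...
if [ "$#" -ge 3 ]; then
  report="$(audit_sa "$@")"
  printf '%s\n' "$report"
  printf 'allowed write verbs: %s\n' "$(printf '%s\n' "$report" | count_writes)"
fi
```

Run it against the example above with sh audit_sa.sh test titi configmap; a non-zero write count on a service account that is only supposed to read is the line to investigate in the RoleBindings.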
And that's it! Really easy to use, and it can save some time!
I hope this helps you, and if you have any questions (there are no dumb questions) or some points are not clear to you, don't hesitate to add your question in the comments or to contact me directly on LinkedIn.