Maxime Guilbert

Check user RBAC rights

When we work with a Kubernetes cluster, it happens that we don't remember whether a user or service account has a specific right.

So, to avoid searching through all the RBAC definition files, we can use the kubectl auth can-i command.

Command details

Current user

kubectl auth can-i [action] [resource]

With this template, you can check whether the current user is able to perform the action noted in the command on the resource type noted in the command.

Example to check if the current user can create a pod:

kubectl auth can-i create pod

The result will be yes if you have the permissions, or no if you haven't.

Define namespace

The command as shown above asks about permissions on cluster-scoped resources, or on namespaced resources in the default namespace.

If you want to ask about the rights in a particular namespace, you just have to add the option --namespace [name of the namespace].

Impersonate another user

If you want to check the permissions of another user, you can impersonate them by adding the option --as at the end of the command, followed by the name of the user.

Example to check if toto can list deployments:

kubectl auth can-i list deployment --as toto

Impersonate a service account

To impersonate a service account, use the same --as option but with the following template: system:serviceaccount:[namespace]:[service account name].

Example to check if the service account titi in the test namespace can delete a configmap:

kubectl auth can-i delete configmap --as system:serviceaccount:test:titi
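Putting the --namespace and --as options together, here is an added shell script (not from the original post) that checks a list of verb/resource pairs for one subject in one namespace by calling kubectl auth can-i once per pair. The sa:[namespace]:[name] shorthand and the helper names build_subject, can_i and audit_subject are this example's own conventions; the kubectl flags are exactly the ones described above. A check that fails to run (for example, no kubeconfig) is reported as "error" rather than silently counted as "no".

```shell
#!/bin/sh
# Added example, not from the original post: audit one subject against a list
# of verb/resource pairs with `kubectl auth can-i`, in a single namespace.
# The helper names (build_subject, can_i, audit_subject) are this example's own.

# Expand the short form "sa:<namespace>:<name>" into the
# system:serviceaccount:<namespace>:<name> string that --as expects.
# Anything else is treated as a plain user name and passed through unchanged.
build_subject() {
  case "$1" in
    sa:*) printf 'system:serviceaccount:%s\n' "${1#sa:}" ;;
    *)    printf '%s\n' "$1" ;;
  esac
}

# Run one check. Arguments: subject namespace verb resource.
# Prints "yes" or "no", exactly what kubectl auth can-i prints.
can_i() {
  kubectl auth can-i "$3" "$4" --as "$1" --namespace "$2" 2>/dev/null
}

# Check every "verb resource" pair given after the namespace, print one
# line per check, and finish with a count of allowed actions.
# Arguments: subject namespace "verb resource" ["verb resource" ...]
audit_subject() {
  subject=$(build_subject "$1")
  namespace=$2
  shift 2
  allowed=0
  total=0
  for pair in "$@"; do
    verb=${pair%% *}
    resource=${pair#* }
    # If kubectl itself fails, record "error" instead of an empty answer.
    answer=$(can_i "$subject" "$namespace" "$verb" "$resource") || answer=error
    if [ "$answer" = "yes" ]; then
      allowed=$((allowed + 1))
    fi
    total=$((total + 1))
    printf '%-5s %s %s\n' "$answer" "$verb" "$resource"
  done
  printf 'allowed: %d of %d in namespace %s as %s\n' \
    "$allowed" "$total" "$namespace" "$subject"
}

# Usage: sh rbac_audit.sh sa:test:titi test
# The audit only runs when arguments are given, so the file can also be
# sourced just to define the helpers.
if [ $# -ge 2 ]; then
  audit_subject "$1" "$2" \
    "get pod" "list deployment" "create pod" "delete configmap" "get secret"
fi
```

Running it as sh rbac_audit.sh sa:test:titi test prints one line per check and a summary such as "allowed: 2 of 5 in namespace test as system:serviceaccount:test:titi", which is a quick way to review what a service account can do before granting it more.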

And that's it! Really easy to use, and it can save some time!


I hope it will help you, and if you have any questions (there are no dumb questions) or some points are not clear for you, don't hesitate to add your question in the comments or to contact me directly on LinkedIn.
