auth
Inspect authorization
Usage
$ kubectl auth
can-i
Check to see if I can create pods in any namespace
kubectl auth can-i create pods --all-namespaces
Check to see if I can list deployments in my current namespace
kubectl auth can-i list deployments.apps
Check to see if I can do everything in my current namespace ("*" means all)
kubectl auth can-i '*' '*'
Check to see if I can get the job named “bar” in namespace “foo”
kubectl auth can-i list jobs.batch/bar -n foo
Check to see if I can read pod logs
kubectl auth can-i get pods --subresource=log
Check to see if I can access the URL /logs/
kubectl auth can-i get /logs/
List all allowed actions in namespace “foo”
kubectl auth can-i --list --namespace=foo
Check whether an action is allowed.
VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. NONRESOURCEURL is a partial URL that starts with "/". NAME is the name of a particular Kubernetes resource.
Usage
$ kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL]
Flags
Name | Shorthand | Default | Usage |
---|---|---|---|
all-namespaces | A | false | If true, check the specified action in all namespaces. |
list | | false | If true, prints all allowed actions. |
no-headers | | false | If true, prints allowed actions without headers. |
quiet | q | false | If true, suppress output and just return the exit code. |
subresource | | | SubResource such as pod/log or deployment/scale. |
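As an added example (not part of the kubectl reference), a small POSIX shell audit that reads the output of `kubectl auth can-i --list --no-headers` and flags wildcard grants and read access to secrets, which is what a least-privilege review of a service account usually looks for first. The sample output is constructed, and the `audit_can_i_list` function name is my own.

```shell
#!/bin/sh
# Constructed sample of `kubectl auth can-i --list --no-headers` output.
# Columns: Resources, Non-Resource URLs, Resource Names, Verbs.
SAMPLE_CAN_I_LIST='selfsubjectaccessreviews.authorization.k8s.io   []   []   [create]
*.*                                             []   []   [*]
pods                                            []   []   [get list watch]
secrets                                         []   []   [get list]
                                                [/healthz]   []   [get]
deployments.apps                                []   [web]   [get]'

# audit_can_i_list reads `can-i --list --no-headers` output on stdin and
# prints one finding per risky row: a wildcard in the Resources or Verbs
# column, or read access to secrets. Exits 1 if anything was flagged.
audit_can_i_list() {
  awk '
    {
      # Verbs are the last bracketed group on the row.
      verbs = $0
      sub(/.*\[/, "", verbs); sub(/\].*/, "", verbs)
      # Resources is the first field unless the row is a non-resource URL,
      # in which case the first field is the bracketed URL list.
      resource = ($1 ~ /^\[/) ? "" : $1
      if (resource ~ /^\*/ || verbs ~ /(^| )\*( |$)/) {
        printf "WILDCARD resource=%s verbs=[%s]\n", resource, verbs
        found = 1
      } else if (resource == "secrets" && verbs ~ /(^| )(get|list|watch)( |$)/) {
        printf "SECRETS-READ verbs=[%s]\n", verbs
        found = 1
      }
    }
    END { exit found ? 1 : 0 }'
}

# Run against the constructed sample; in practice pipe a live capture instead:
#   kubectl auth can-i --list --namespace=foo --no-headers | audit_can_i_list
printf '%s\n' "$SAMPLE_CAN_I_LIST" | audit_can_i_list || echo "audit: risky grants listed above"
```

Run it per namespace (`--namespace=foo`) or with `--as=system:serviceaccount:foo:bar` to review a specific service account before it goes into production.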
reconcile
Reconcile RBAC resources from a file
kubectl auth reconcile -f my-rbac-rules.yaml
Reconciles rules for RBAC role, role binding, cluster role, and cluster role binding objects.
Missing objects are created, and the containing namespace is created for namespaced objects, if required.
Existing roles are updated to include the permissions in the input objects, and remove extra permissions if --remove-extra-permissions is specified.
Existing bindings are updated to include the subjects in the input objects, and remove extra subjects if --remove-extra-subjects is specified.
This is preferred to 'apply' for RBAC resources so that semantically-aware merging of rules and subjects is done.
Usage
$ kubectl auth reconcile -f FILENAME
Flags
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
dry-run | | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
filename | f | [] | Filename, directory, or URL to files identifying the resource to reconcile. |
kustomize | k | | Process the kustomization directory. This flag can't be used together with -f or -R. |
output | o | | Output format. One of: json\|yaml\|name\|go-template\|go-template-file\|template\|templatefile\|jsonpath\|jsonpath-as-json\|jsonpath-file. |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
remove-extra-permissions | | false | If true, removes extra permissions added to roles. |
remove-extra-subjects | | false | If true, removes extra subjects added to rolebindings. |
show-managed-fields | | false | If true, keep the managedFields when printing objects in JSON or YAML format. |
template | | | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |