Stretching as far back as (in September of 2017), Kubernetes has supported a fine-grained access control mechanism called RBAC.  Nothing gets done via the Kubernetes API that isn't governed by some sort permission or another, and there are a lot of them. version 1.8 Couple that with per-deployment service accounts, named user access credentials, and project-specific namespaces, and you've got the makings of a complex authorization scenario. At times, you'll wonder precisely which permissions you, or a service account you use, have been granted – that's when you should reach for . kubectl auth can-i To see everything you can do: $ kubectl auth can-i --list
Resources                                       Non-Resource URLs   Resource Names   Verbs
*.* selfsubjectaccessreviews.authorization.k8s.io selfsubjectrulesreviews.authorization.k8s.io [] [] [*] [*] [] [*] [] [] [create] [] [] [create] [/api/*] [] [get] [/api] [] [get] [/apis/*] [] [get] [/apis] [] [get] [/healthz] [] [get] [/healthz] [] [get] [/livez] [] [get] [/livez] [] [get] [/openapi/*] [] [get] [/openapi] [] [get] [/readyz] [] [get] [/readyz] [] [get] [/version/] [] [get] [/version/] [] [get] [/version] [] [get] [/version] [] [get] You can also just ask the API to see if a given action is allowed: $ kubectl auth can-i pods -n $ kubectl auth can-i pods -n kube-system $ echo $?
0 get default yes get yes These commands exit 0 if such access would be allowed, and 1 if not, making them handy for use inside of shell scripts or other automation: ! kubectl auth can-i create secrets; then
  echo >& fi if 2 "You cannot create secrets.  Please contact your k8s admin." exit 4 # etc. Check out the Video! Want more?  Curious what happens when an unprivileged is involved?  Then check out the video and learn you some access control! ServiceAccount Previously published at https://starkandwayne.com/blog/silly-kubectl-trick-3-what-do-i-have-permissions-for/

Kubernetes Explained Simply: #3 What Do I Have Permissions For?

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Kubernetes Explained Simply: #1 Kubectl Hack

105 Stories To Learn About K8s

10 Best Practices for Using Kubernetes Network Policies

1 Stories To Learn About Weekly Sponsor

3 Free Ways to Learn Kubernetes and Red Hat OpenShift

21 Resources and Tutorials to Learn Kubernetes

Kubernetes Explained Simply: #1 Kubectl Hack

105 Stories To Learn About K8s

10 Best Practices for Using Kubernetes Network Policies

1 Stories To Learn About Weekly Sponsor

3 Free Ways to Learn Kubernetes and Red Hat OpenShift

21 Resources and Tutorials to Learn Kubernetes

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps