James's Ramblings

Kubernetes: Access

Created: March 20, 2021

Documentation: Authorization Overview

  • The kubectl auth can-i command can be used to check access levels of users in different namespaces.

  • This command uses the SelfSubjectAccessReview API to determine if a user is authorized to perform an action.

  • If no namespace argument is given, the implicit default namespace is used.

  • If no user is given, administrator is used.

Examples:

$ kubectl auth can-i create deployments
yes

$ kubectl auth can-i create deployments --as bob
no

$ kubectl auth can-i create deployments --as bob --namespace developer
yes

  • SelfSubjectAccessReview is part of the authorization.k8s.io API group, which exposes the API server authorization to external services.

  • LocalSubjectAccessReview and SelfSubjectRulesReview are also relevant APIs in the same group.

  • All these APIs can be queried directly using kubectl and YAML/JSON. See the Kubernetes documentation link at the top of the page for details.
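
Querying these APIs directly, as an added example that is not part of the original page: the script builds SelfSubjectAccessReview and SelfSubjectRulesReview manifests and submits them with kubectl create. The function names and the review.sh file name are hypothetical, and defaulting the namespace to "default" is an assumption made to mirror the kubectl behaviour described above.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Helper names are hypothetical.

# Print a SelfSubjectAccessReview: "may I <verb> <resource> in <namespace>?"
# $3 defaults to "default" (assumption, mirrors kubectl auth can-i); $4 is the
# resource's API group ("" = core, "apps" for deployments), which the raw API needs.
ssar_manifest() {
  local verb="$1" resource="$2" namespace="${3:-default}" group="${4:-}"
  # Refuse anything that could break out of the quoted YAML scalars below.
  case "$verb$resource$namespace$group" in
    *[!a-z0-9.*-]*) echo "invalid character in argument" >&2; return 2 ;;
  esac
  cat <<EOF
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectAccessReview
spec:
  resourceAttributes:
    group: "${group}"
    resource: "${resource}"
    verb: "${verb}"
    namespace: "${namespace}"
EOF
}

# Print a SelfSubjectRulesReview: lists the rules the caller holds in a namespace.
ssrr_manifest() {
  local namespace="${1:-default}"
  case "$namespace" in *[!a-z0-9.-]*) return 2 ;; esac
  cat <<EOF
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectRulesReview
spec:
  namespace: "${namespace}"
EOF
}

# Review objects are not stored; the API server returns its answer in .status
# of the object echoed back by the create call.
can_i()         { ssar_manifest "$@" | kubectl create -f - -o jsonpath='{.status.allowed}'; }
list_my_rules() { ssrr_manifest "$@" | kubectl create -f - -o yaml; }

# Contacts a cluster only when called with arguments, e.g.:
#   ./review.sh create deployments developer apps
if [ "$#" -gt 0 ]; then can_i "$@"; fi
```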