Mini Article – Checking Access - Jul 2022

Kubernetes How To: Checking Access

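The following shows what user Ed could do in the default namespace and the dev namespace, using the kubectl auth can-i subcommand to query. The --as flag runs the check as the named user, and --namespace selects the namespace to check (commands and outputs):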

$ kubectl auth can-i create deployments
yes
$ kubectl auth can-i create deployments --as john
no
$ kubectl auth can-i create deployments --as john --namespace dev
yes
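
As an added example (not part of the original article), the same can-i query can be looped over users, namespaces and verb:resource pairs, then compared with an allowlist to flag grants nobody expected. The function names, the allowlist format ("user namespace verb resource" per line) and the sample values are assumptions made for illustration; using --as requires that the caller is permitted to impersonate users.

```shell
# Added example: build an access matrix with `kubectl auth can-i`
# and report every "yes" that is missing from an allowlist.

# can_i USER NAMESPACE VERB RESOURCE -> prints "yes" or "no"
can_i() (
  # can-i exits non-zero on "no" and may append a reason, so ignore
  # the exit status and normalise the first word of the answer.
  answer=$(kubectl auth can-i "$3" "$4" --as "$1" --namespace "$2" 2>/dev/null) || true
  case "$answer" in
    yes*) echo yes ;;
    *)    echo no ;;
  esac
)

# access_matrix "USERS" "NAMESPACES" "VERB:RESOURCE ..."
# -> one line per combination: "user namespace verb resource answer"
access_matrix() (
  for user in $1; do
    for ns in $2; do
      for check in $3; do
        verb=${check%%:*}
        res=${check#*:}
        echo "$user $ns $verb $res $(can_i "$user" "$ns" "$verb" "$res")"
      done
    done
  done
)

# unexpected_grants ALLOWLIST_FILE
# Reads matrix lines on stdin; prints allowed actions not in the allowlist.
unexpected_grants() (
  while read -r user ns verb res answer; do
    [ "$answer" = yes ] || continue
    grep -qxF "$user $ns $verb $res" "$1" ||
      echo "UNEXPECTED: $user may $verb $res in $ns"
  done
)

# Usage against a live cluster (constructed sample values):
#   access_matrix "john" "default dev" "create:deployments delete:pods" |
#     unexpected_grants allowlist.txt
```

An empty report means every allowed action in the matrix is one the allowlist already accounts for.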

There are currently three APIs that determine who and what can be queried:

  • SelfSubjectAccessReview - Access review for any user, helpful for delegating to others.
  • LocalSubjectAccessReview - Review is restricted to a specific namespace.
  • SelfSubjectRulesReview - A review which shows allowed actions for a user within a particular namespace.

The reconcile subcommand (kubectl auth reconcile) allows a check of the authorization necessary to create an object from a file. No output indicates the creation would be allowed.