What is the syntax for kubectl can-i command?

7/3/2019

How do I use the can-i command? It does not seem to be completely documented here:

https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#-em-can-i-em- (no mention of --as).


All the below results seem nonsensical:

kubectl auth can-i list pod --as=default3ueoaueo --as-group=system:authenticated --as-group=system:masters
yes

The above will return yes for anything after --as= - any user specified here.

On the other hand, the default user account (or any other I've tried) seems to have no permission at all:

kubectl auth can-i list pod --as=default
no

and

kubectl auth can-i list pod --as=default:serviceaccount:default
no

And according to https://github.com/kubernetes/kubernetes/issues/73123 we just add --as-group=system:authenticated but that doesn't work either:

kubectl auth can-i list pod --as=serviceaccount:default --as-group=system:authenticated
no
-- Chris Stryczynski
kubernetes

1 Answer

7/4/2019

The use of the '--as' argument with the kubectl command is known as "User impersonation", and it's documented in the official documentation here.

If you are trying to impersonate a user as an API resource like 'serviceaccounts',
the proper syntax is: '--as=system:serviceaccount:kube-system:default'

-- Nepomucen
Source: StackOverflow
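Added example, not part of the original question or answer and not kubectl's own code: a shell sketch that classifies a `--as` value by the service account user name format `system:serviceaccount:<namespace>:<name>` given in the answer, flags `--as-group=system:masters` (a group bound to cluster-admin by default), and prints a correctly formed `can-i` command. The function names are hypothetical and the sample values are the ones from the question.

```shell
#!/bin/sh
# Print the impersonation user name for a service account.
sa_user() {  # usage: sa_user <namespace> <name>
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Classify a --as value: "serviceaccount <ns> <name>" when it has the
# service account form, otherwise "user" (an opaque user name that only
# matches RBAC bindings naming exactly that string).
classify_as() {
  case "$1" in
    system:serviceaccount:*:*)
      rest=${1#system:serviceaccount:}
      ns=${rest%%:*}
      name=${rest#*:}
      # Reject empty parts and extra ':' segments in the name.
      if [ -n "$ns" ] && [ -n "$name" ] && [ "${name#*:}" = "$name" ]; then
        printf 'serviceaccount %s %s\n' "$ns" "$name"
        return 0
      fi ;;
  esac
  printf 'user\n'
}

# True when the flags impersonate system:masters; with that group the
# answer is "yes" regardless of the name passed to --as.
has_masters() {
  for a in "$@"; do
    [ "$a" = "--as-group=system:masters" ] && return 0
  done
  return 1
}

# Print (not run) the can-i command for a service account so it can be reviewed.
can_i_cmd() {  # usage: can_i_cmd <verb> <resource> <namespace> <sa-name>
  printf 'kubectl auth can-i %s %s --namespace=%s --as=%s\n' \
    "$1" "$2" "$3" "$(sa_user "$3" "$4")"
}

# Sample input: the --as values from the question plus the corrected form.
for v in default default:serviceaccount:default serviceaccount:default \
         system:serviceaccount:default:default; do
  printf '%-40s -> %s\n' "$v" "$(classify_as "$v")"
done
can_i_cmd list pods default default
```

The three values from the question classify as plain user names, so the check is made for users of those names rather than for the default service account.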