datumctl auth can-i
Check whether an action is allowed
Synopsis
Section titled “Synopsis”Check whether an action is allowed.
VERB is a logical Kubernetes API verb like ‘get’, ‘list’, ‘watch’, ‘delete’, etc. TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. NONRESOURCEURL is a partial URL that starts with ”/”. NAME is the name of a particular Kubernetes resource. This command pairs nicely with impersonation. See —as global flag.
datumctl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL]Examples
Section titled “Examples” # Check to see if I can create pods in any namespace kubectl auth can-i create pods --all-namespaces
# Check to see if I can list deployments in my current namespace kubectl auth can-i list deployments.apps
# Check to see if service account "foo" of namespace "dev" can list pods in the namespace "prod" # You must be allowed to use impersonation for the global option "--as" kubectl auth can-i list pods --as=system:serviceaccount:dev:foo -n prod
# Check to see if I can do everything in my current namespace ("*" means all) kubectl auth can-i '*' '*'
# Check to see if I can get the job named "bar" in namespace "foo" kubectl auth can-i list jobs.batch/bar -n foo
# Check to see if I can read pod logs kubectl auth can-i get pods --subresource=log
# Check to see if I can access the URL /logs/ kubectl auth can-i get /logs/
# Check to see if I can approve certificates.k8s.io kubectl auth can-i approve certificates.k8s.io
# List all allowed actions in namespace "foo" kubectl auth can-i --list --namespace=fooOptions
Section titled “Options” -A, --all-namespaces If true, check the specified action in all namespaces. -h, --help help for can-i --list If true, prints all allowed actions. --no-headers If true, prints allowed actions without headers -q, --quiet If true, suppress output and just return the exit code. --subresource string SubResource such as pod/log or deployment/scaleOptions inherited from parent commands
Section titled “Options inherited from parent commands” --as string Username to impersonate for the operation. User could be a regular user or a service account in a namespace. --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups. --as-uid string UID to impersonate for the operation. --as-user-extra stringArray User extras to impersonate for the operation, this flag can be repeated to specify multiple values for the same key. --certificate-authority string Path to a cert file for the certificate authority --disable-compression If true, opt-out of response compression for all requests to the server --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) -n, --namespace string If present, the namespace scope for this CLI request --organization string organization name --platform-wide access the platform root instead of a project or organization control plane --project string project name --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0") -s, --server string The address and port of the Kubernetes API server --tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used --token string Bearer token for authentication to the API server --user string The name of the kubeconfig user to use -v, --v Level number for the log level verbosity --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging (only works for the default text log format)See also
Section titled “See also”- datumctl auth - Authenticate with Datum Cloud