Checking Permissions with kubectl auth can-i
Before running a command that might fail due to missing permissions, you can check whether you or another user has the required access. The kubectl auth can-i command asks the Kubernetes authorization layer directly by submitting a SelfSubjectAccessReview for the verb and resource you name, so the answer reflects the same RBAC (or other authorizer) decision the real request would get, without performing the operation.
Basic Permission Checks
# Can I create deployments in the current namespace?
kubectl auth can-i create deployments
# Output: yes
# Can I delete pods in the production namespace?
kubectl auth can-i delete pods -n production
# Output: no
# Can I get nodes (cluster-scoped resource)?
kubectl auth can-i get nodes
# Output: yes
The command prints yes or no and sets the exit code to match (0 when the action is allowed, 1 when it is denied), so it can be used directly as a condition in scripts; pass -q (--quiet) to suppress the yes/no text and rely on the exit code alone.
Checking Permissions for Other Users
Cluster admins can test what another user, group or ServiceAccount is allowed to do using the --as and --as-group flags. The check is sent with impersonation headers, so the caller needs RBAC permission for the impersonate verb on users, groups or serviceaccounts; without it the request is rejected as forbidden rather than reporting the target subject's permissions.
# Check if user jane can list pods
kubectl auth can-i list pods --as=jane
# Check if a ServiceAccount can create secrets
kubectl auth can-i create secrets \
    --as=system:serviceaccount:default:my-sa
# Impersonate a group
kubectl auth can-i delete deployments --as=jane \
    --as-group=dev-team
Listing All Permissions
The --list flag shows every action the subject is allowed to perform, using a SelfSubjectRulesReview. Authorizers that cannot enumerate rules (webhook authorizers, for example) mark the result incomplete and kubectl prints a warning that the list may be incomplete, so treat the output as a lower bound rather than a full inventory of access.
# List all permissions for the current user
kubectl auth can-i --list
# Output:
# Resources     Non-Resource URLs   Resource Names   Verbs
# pods          []                  []               [get list watch]
# deployments   []                  []               [get list]
# ...
# List permissions for a specific user in a namespace
kubectl auth can-i --list --as=jane -n development
Using in Scripts
# Exit if user lacks permission
if ! kubectl auth can-i create deployments -n production; then
    echo "Error: insufficient permissions to deploy to production"
    exit 1
fi
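A preflight script built on the exit-code behaviour described above, added here as an example rather than code from the original page: it walks a list of verb/resource pairs, runs kubectl auth can-i -q for each one and reports everything that is missing instead of stopping at the first failure. It assumes kubectl is on PATH, that the current kubeconfig context points at the target cluster, and that the caller holds impersonation rights when a subject is passed; the permission list and the script name preflight.sh are constructed placeholders.

```shell
#!/bin/sh
# Preflight check run before a deployment script touches the cluster.
# Added example, not from the original page. Assumes kubectl is on PATH and
# that the current kubeconfig context points at the target cluster.

# Verb/resource pairs the deployment script needs, one per line. This list is
# a constructed sample; replace it with what your script actually does.
REQUIRED_PERMISSIONS='create deployments
update deployments
get pods
list pods
create secrets'

# check_required_permissions NAMESPACE [SUBJECT]
# Runs `kubectl auth can-i -q` for every pair in REQUIRED_PERMISSIONS, prints
# each missing pair as "verb resource" on stdout and returns 1 if anything is
# missing. Any non-zero exit from kubectl (denied, unreachable API server,
# missing impersonation rights) counts as missing, so the check fails closed.
check_required_permissions() {
    ns="$1"
    subject="${2:-}"
    missing=0
    # A here-document keeps the loop in the current shell, so $missing survives
    # (an `echo | while` pipeline would run the loop body in a subshell).
    while read -r verb resource; do
        [ -n "$verb" ] || continue
        # Build kubectl's argument list; --as is added only when a subject was
        # given (this needs the impersonate verb on users or serviceaccounts).
        set -- auth can-i "$verb" "$resource" -n "$ns" -q
        if [ -n "$subject" ]; then
            set -- "$@" --as="$subject"
        fi
        if ! kubectl "$@"; then
            echo "$verb $resource"
            missing=$((missing + 1))
        fi
    done <<EOF
$REQUIRED_PERMISSIONS
EOF
    [ "$missing" -eq 0 ]
}

# Usage: sh preflight.sh NAMESPACE [SUBJECT]
# Does nothing when invoked without arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    if check_required_permissions "$@"; then
        echo "preflight ok: all required permissions granted in namespace $1" >&2
    else
        echo "preflight failed: the permissions listed above are missing in namespace $1" >&2
        exit 1
    fi
fi
```

Because any non-zero exit is treated as missing, an unreachable API server or a rejected impersonation request fails the preflight rather than silently passing it. The lines it prints are plain verb/resource pairs, which map directly onto the rules a Role or ClusterRole would need to grant.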
Key Takeaways
- auth can-i checks permissions without attempting the actual operation
- The --as flag lets admins test permissions for other users or ServiceAccounts
- --list shows all allowed actions in a namespace
- The exit code makes it easy to use in automation scripts