by Jordi Prats
When configuring RBAC permissions, we might want to make sure we are configuring them correctly by checking what a user (or ServiceAccount) can do. We can use kubectl auth can-i for this.
To test whether we can delete a Pod there's no need to actually perform that action: we can use kubectl auth can-i delete pod to check whether we would be able to execute it:
$ kubectl auth can-i delete pod
yes
To test RBAC for another user, if we have impersonate permissions, we can use the --as and --as-group options. To test what a ServiceAccount can do, we can do it like this:
$ kubectl auth can-i get secretstore --as system:serviceaccount:pet2cattle:test-service-account
no
After adding the permissions we can check again and see the difference:
$ kubectl auth can-i get secretstore --as system:serviceaccount:pet2cattle:test-service-account
yes
For a user, we'll have to specify both the actual user and the group it belongs to:
$ kubectl auth can-i create argocd --as demo-user --as-group demo-group
yes
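The checks above can be turned into a repeatable test that also asserts what a subject must not be able to do. The following is an added example, not code from the original post: the check_rbac function and the expectation-line format are assumptions made for illustration, and the sample expectations are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): compare what a subject is
# allowed to do against an expected allow/deny list, via kubectl auth can-i.
# check_rbac and the expectation-line format are assumptions of this example.
#
# Constructed sample expectations for the ServiceAccount used in the post:
#   allow get secretstore
#   deny  delete secretstore

# Usage: check_rbac SUBJECT < expectations
# Each expectation line: <allow|deny> <verb> <resource> [namespace]
# Prints one line per check; returns the number of mismatches (0 = all good).
check_rbac() {
    subject=$1
    failures=0
    while read -r expect verb resource ns; do
        case $expect in
            ''|\#*) continue ;;            # skip blank lines and comments
            allow) want=yes ;;
            deny)  want=no ;;
            *) echo "BAD   unknown expectation: $expect"
               failures=$((failures + 1)); continue ;;
        esac
        # can-i prints "yes" or "no" (optionally followed by a reason), so
        # keep only the first word. stdin is redirected so kubectl cannot
        # swallow the remaining expectation lines.
        got=$(kubectl auth can-i "$verb" "$resource" --as "$subject" \
                ${ns:+-n "$ns"} 2>/dev/null </dev/null | awk 'NR==1 {print $1}')
        if [ "$got" = "$want" ]; then
            echo "OK    $expect $verb $resource${ns:+ (ns $ns)}"
        else
            # An empty answer means the call itself failed, for example
            # because we lack impersonate permissions.
            echo "FAIL  $expect $verb $resource${ns:+ (ns $ns)}: got '${got:-error}'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# When run as a script: ./check-rbac.sh SUBJECT < expectations.txt
if [ "$#" -ge 1 ]; then
    check_rbac "$1"
fi
```

A failed kubectl call is reported as a mismatch rather than read as "no", so a missing impersonate permission cannot make a deny expectation pass by accident.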
Posted on 29/11/2022