Checking Access

While security is covered in more detail in a later chapter, it is helpful to check the current authorizations, both as an administrator and as another user. The following shows what user bob can do in the default namespace and in the developer namespace, using the auth can-i subcommand:

$ kubectl auth can-i create deployments

yes

$ kubectl auth can-i create deployments --as bob

no

$ kubectl auth can-i create deployments --as bob --namespace developer

yes
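
The same queries can be scripted as a regression check for RBAC. The following is an added example, not part of the original page: it reads constructed expectation lines, asks kubectl auth can-i for each one, and reports any answer that differs. It assumes the caller is permitted to impersonate the listed users; the function names check_access and audit_expectations are hypothetical.

```shell
#!/bin/sh
# Added example: RBAC expectation check built on `kubectl auth can-i`.
# Expectation lines (constructed format):
#   <user> <namespace> <verb> <resource> <yes|no>

check_access() {
    # $1=user $2=namespace $3=verb $4=resource. Prints yes, no or error.
    # can-i prints "yes" or "no" (optionally followed by a reason); anything
    # else, such as an unreachable API server, is reported as "error" so an
    # outage is never mistaken for a deny.
    answer=$(kubectl auth can-i "$3" "$4" --as "$1" --namespace "$2" \
        </dev/null 2>/dev/null) || true
    case "$answer" in
        yes*) echo yes ;;
        no*)  echo no ;;
        *)    echo error ;;
    esac
}

audit_expectations() {
    # Reads expectation lines on stdin, prints one DRIFT line per mismatch
    # and returns 1 if any answer differs from what was expected.
    drift=0
    while read -r user ns verb resource expected; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blanks and comments
        actual=$(check_access "$user" "$ns" "$verb" "$resource")
        if [ "$actual" != "$expected" ]; then
            echo "DRIFT: $user $verb $resource in $ns: expected $expected, got $actual"
            drift=1
        fi
    done
    return "$drift"
}

# Usage (expectations taken from the session above):
#   printf '%s\n' 'bob default create deployments no' \
#                 'bob developer create deployments yes' | audit_expectations
```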

There are currently three APIs which can be applied to set who and what can be queried:

  • SelfSubjectAccessReview

    Access review for any user, helpful for delegating to others.

  • LocalSubjectAccessReview

    Review is restricted to a specific namespace.

  • SelfSubjectRulesReview

    A review which shows allowed actions for a user within a particular namespace.

The reconcile subcommand allows a check of the authorization necessary to create an object from a file. No output indicates the creation would be allowed.
