kubectl Auth Can I Examples¶

Introduction¶

This guide explains kubectl auth can i examples with practical kubectl commands, realistic output, and production-focused checks. Security and RBAC changes must be small, testable, and namespace-aware.

Why This Matters¶

Overbroad RBAC, privileged pods, writable root filesystems, and unrestricted network access turn small application bugs into cluster risk. Production clusters need least privilege and clear verification.

Example Configuration¶

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: nginx:1.27
        ports:
        - containerPort: 80

Step-by-Step Configuration¶

kubectl get pods -A
kubectl get events -A --sort-by=.lastTimestamp
kubectl explain pod.spec.containers
kubectl get all -n app
kubectl describe deployment web -n app

Expected output:

NAMESPACE   NAME                     READY   STATUS    RESTARTS   AGE
app         pod/web-7d9f8c-abcde     1/1     Running   0          2d

Verification¶

kubectl auth can-i get pods -n app --as system:serviceaccount:app:backend
kubectl describe rolebinding -n app
kubectl get events -n app --sort-by=.lastTimestamp

Security Best Practices¶

• Grant verbs only for the resources an application actually needs.
• Prefer namespace-scoped Roles before ClusterRoles.
• Run containers as non-root and drop unnecessary Linux capabilities.
• Protect Secrets with RBAC and avoid printing them in logs.

Common Mistakes¶

• Binding cluster-admin to application service accounts.
• Debugging Forbidden errors without checking the exact service account identity.
• Assuming Pod Security, RBAC, and NetworkPolicy solve the same problem.

Troubleshooting¶

Use kubectl auth can-i with the exact service account, namespace, verb, and resource. Then inspect RoleBindings, admission events, pod security settings, and image pull credentials.

Related Guides¶

• Least Privilege RBAC Kubernetes
• Serviceaccount Explained
• Kubernetes Security Checklist

Summary¶

Kubernetes security works best as layered controls: RBAC for API access, pod security for runtime boundaries, NetworkPolicy for traffic, and careful Secret handling for credentials.