oc Auth Can I Examples
Introduction
RBAC decides which OpenShift users and service accounts can act on resources. oc auth can-i is the quickest safe test before changing RoleBindings.
When You Need This Command
Use this command when you need to inspect, change, or verify OpenShift resources from the terminal without relying on the web console.
Syntax
oc auth can-i <verb> <resource> -n <project> [--as=<user>]
Practical Examples
oc auth can-i get pods -n app
oc auth can-i create routes -n app --as=developer
oc get rolebinding -n app
oc describe rolebinding edit-developer -n app
Example output:
yes
no
Verification
oc auth can-i get pods -n app --as=developer
oc get rolebinding -n app
oc describe rolebinding edit-developer -n app
Common Mistakes
- Granting cluster-admin for a namespace-scoped problem.
- Testing permissions as yourself instead of the affected service account.
- Forgetting that SCC use is also authorized through RBAC.
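The last two mistakes can be checked together by impersonating the service account and including the `use` verb on an SCC. This script is an added example, not part of the original guide. The service account name `builder-sa` and the SCC `restricted-v2` are assumed placeholders, and the caller needs permission to impersonate.

```shell
#!/usr/bin/env bash
# Added example: audit what a service account may do, by impersonation.
# Assumptions: "builder-sa" and "restricted-v2" are placeholders; namespace
# "app" and the pod/route checks come from the commands on this page.

# sa_can_i NAMESPACE SERVICEACCOUNT VERB RESOURCE
# Returns 0 only when the API server answers "yes" for that service account.
sa_can_i() {
  # oc exits non-zero on "no", so keep that from aborting callers using set -e.
  answer=$(oc auth can-i "$3" "$4" -n "$1" \
             --as="system:serviceaccount:$1:$2" 2>/dev/null) || true
  [ "$answer" = "yes" ]
}

# audit_sa NAMESPACE SERVICEACCOUNT "VERB RESOURCE"...
# Prints one ALLOW/DENY line per check; returns 0 only if every check passed.
audit_sa() {
  ns=$1
  sa=$2
  shift 2
  denied=0
  for check in "$@"; do
    verb=${check%% *}       # text before the first space
    resource=${check#* }    # text after the first space
    if sa_can_i "$ns" "$sa" "$verb" "$resource"; then
      echo "ALLOW $sa $verb $resource"
    else
      echo "DENY  $sa $verb $resource"
      denied=$((denied + 1))
    fi
  done
  [ "$denied" -eq 0 ]
}

# Run only when called with arguments, e.g.: ./sa-audit.sh app builder-sa
if [ "$#" -ge 2 ]; then
  audit_sa "$1" "$2" \
    "get pods" \
    "create routes" \
    "use securitycontextconstraints/restricted-v2"
fi
```

A DENY on the `use` line means no Role or ClusterRole bound to the service account grants that SCC, even if the other checks pass.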
Production Notes
Run read-only commands first, check the active project, and prefer declarative manifests for repeatable changes.
Example YAML
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: edit-developer
  namespace: app
subjects:
- kind: User
  name: developer
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
Quick Checklist
- Confirm the active project.
- Inspect the exact object named in the error.
- Read recent events.
- Apply one focused fix.
- Verify status after the change.
Summary
oc auth can-i is most useful when paired with verification. Check the project, run the command against the intended object, and confirm the resulting OpenShift state.