Kubectl Tip: Verify Service Account Permissions With can-i
Does my Kubernetes service account have delete permissions?
Here is a simple way to check whether a Kubernetes service account has a specific permission, for example to delete pods, list namespaces, or delete deployments.
With the kubectl auth can-i command, you can check what access a service account is allowed.
For example, if you want to check whether the service account (api-service-account) in the devops-tools namespace has access to delete deployments, here is what you can do.
kubectl auth can-i delete deployments --as=system:serviceaccount:devops-tools:api-service-account
The output is either yes or no.
Yes -> the service account has the permission
No -> it doesn't
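
The same check can be scripted over several verb/resource pairs. The script below is an added example, not part of the original tip. The KUBECTL override variable, the function names and the check list are assumptions of this example. It passes -n explicitly, because without it kubectl evaluates the check in the current context's namespace.

```shell
#!/bin/sh
# Added example: audit one service account against several actions.
# KUBECTL is an override hook assumed by this example, not a kubectl feature.
KUBECTL="${KUBECTL:-kubectl}"

# Constructed check list, one "verb resource" pair per line.
CHECKS="delete pods
delete deployments
list namespaces
get secrets"

# sa_can_i SA_NAMESPACE SA_NAME VERB RESOURCE [TARGET_NAMESPACE]
# Prints yes, no, or error. "error" means kubectl gave no clear answer, e.g.
# the cluster is unreachable or the caller may not impersonate the account.
sa_can_i() {
    target=${5:-$1}
    answer=$("$KUBECTL" auth can-i "$3" "$4" -n "$target" \
        --as="system:serviceaccount:$1:$2" 2>/dev/null) || true
    case $answer in
        yes*) echo yes ;;
        no*)  echo no ;;
        *)    echo error ;;
    esac
}

# audit_sa SA_NAMESPACE SA_NAME
# Prints one "answer<TAB>verb resource" line per check.
# Returns 0 if nothing is allowed, 1 if any action is allowed, 2 on any error.
audit_sa() {
    rc=0
    while read -r verb res; do
        [ -n "$verb" ] || continue
        result=$(sa_can_i "$1" "$2" "$verb" "$res")
        printf '%s\t%s %s\n' "$result" "$verb" "$res"
        case $result in
            yes)   [ "$rc" -eq 2 ] || rc=1 ;;
            error) rc=2 ;;
        esac
    done <<EOF
$CHECKS
EOF
    return "$rc"
}

# Runs only when called with arguments (script name is hypothetical):
#   ./audit-sa.sh devops-tools api-service-account
if [ "$#" -ge 2 ]; then
    audit_sa "$1" "$2"
fi
```

An "error" line should be investigated rather than read as "no": it usually means the account running kubectl is not allowed to impersonate the service account.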