Skip to content
Latchkey

kubectl auth can-i: Command Reference for CI/CD

Preflight RBAC: confirm CI may do a thing before it tries.

kubectl auth can-i answers whether the current credentials are allowed to perform a verb on a resource, without performing it. It is a clean RBAC preflight for a deploy job so a permission gap fails early with a clear message. This reference covers it.

Common flags and usage

  • auth can-i <verb> <resource>: yes/no for the current user
  • auth can-i <verb> <resource> -n <ns>: scope to a namespace
  • --list: list every permission the current credentials hold
  • --as <user> / --as-group: check on behalf of another subject
  • Exits 0 for yes, non-zero for no (script-friendly)

Example

shell
for verb in get create patch; do
  kubectl auth can-i $verb deployments -n prod >/dev/null \
    || { echo "missing $verb on deployments"; exit 1; }
done

In CI

Run can-i checks at the top of a deploy job so a missing RBAC binding fails with a precise message instead of a confusing Forbidden mid-deploy. The exit code is scriptable; auth can-i --list documents exactly what the pipeline service account can do.

Key takeaways

  • auth can-i is a non-destructive RBAC preflight with a usable exit code.
  • --list enumerates the service account permissions for auditing.
  • Preflighting turns a mid-deploy Forbidden into an early, clear failure.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →