kubectl auth can-i: Command Reference for CI/CD
Preflight RBAC: confirm CI may do a thing before it tries.
kubectl auth can-i answers whether the current credentials are allowed to perform a verb on a resource, without performing it. It is a clean RBAC preflight for a deploy job so a permission gap fails early with a clear message. This reference covers it.
Common flags and usage
- auth can-i <verb> <resource>: yes/no for the current user
- auth can-i <verb> <resource> -n <ns>: scope to a namespace
- --list: list every permission the current credentials hold
- --as <user> / --as-group: check on behalf of another subject
- Exits 0 for yes, non-zero for no (script-friendly)
Example
shell
for verb in get create patch; do
kubectl auth can-i $verb deployments -n prod >/dev/null \
|| { echo "missing $verb on deployments"; exit 1; }
doneIn CI
Run can-i checks at the top of a deploy job so a missing RBAC binding fails with a precise message instead of a confusing Forbidden mid-deploy. The exit code is scriptable; auth can-i --list documents exactly what the pipeline service account can do.
Key takeaways
- auth can-i is a non-destructive RBAC preflight with a usable exit code.
- --list enumerates the service account permissions for auditing.
- Preflighting turns a mid-deploy Forbidden into an early, clear failure.
Related guides
kubectl Cheat Sheet: Commands for Everyday KubernetesA kubectl cheat sheet - get, describe, logs, apply, rollout, debug, and context commands for daily Kubernetes…
kubectl config use-context: Command Reference for CI/CDReference for kubectl config use-context: switch the active kubeconfig context in CI, verify with current-con…
kubectl apply: Command Reference for CI/CDReference for kubectl apply: declarative create-or-update from manifests, server-side apply, dry-run validati…
kubectl get: Command Reference for CI/CDReference for kubectl get: list resources, output formats, label and field selectors, jsonpath extraction, an…