kubectl-auth

Configure kubectl authentication

TLDR

Check if the current user can perform all actions on all resources in a specific namespace
$ kubectl auth can-i '*' '*' [[-n|--namespace]] [namespace]

Check if the current user can perform a specific verb on a specific resource
$ kubectl auth can-i [verb] [resource] [[-n|--namespace]] [namespace]

Check if a specific user or service account can perform an action on a resource
$ kubectl auth can-i [verb] [resource] [[-n|--namespace]] [namespace] --as [user_or_sa]

List all actions the current user is allowed to perform in a namespace
$ kubectl auth can-i --list [[-n|--namespace]] [namespace]
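As an added example (not part of the original page), a POSIX sh script that wraps the can-i checks above for a least-privilege review: it builds the --as subject for a service account and filters `kubectl auth can-i --list` output down to wildcard grants. The function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: helpers around `kubectl auth can-i`.
# sa_subject, check_sa, flag_broad_grants and count_broad_grants are hypothetical names.
set -eu

# Impersonation subject for a service account, in the form --as expects:
# system:serviceaccount:<namespace>:<name>.
sa_subject() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# usage: check_sa <namespace> <service-account> <verb> <resource>
# kubectl exits 0 for "yes" and 1 for "no"; this needs cluster access, so it is not run below.
check_sa() {
  kubectl auth can-i "$3" "$4" -n "$1" --as "$(sa_subject "$1" "$2")"
}

# Read `kubectl auth can-i --list` output on stdin and print rows that grant a wildcard
# resource or a wildcard verb: the rows a least-privilege review should look at first.
flag_broad_grants() {
  awk '
    # Rule rows end in three [...] lists (Non-Resource URLs, Resource Names, Verbs); the header has none.
    /\[[^]]*\][ \t]+\[[^]]*\][ \t]+\[[^]]*\][ \t]*$/ {
      res = ($0 ~ /^[ \t]/) ? "<non-resource>" : $1
      verbs = $0; sub(/.*\[/, "", verbs); sub(/\].*/, "", verbs)
      if (res ~ /\*/ || (" " verbs " ") ~ / \* /) printf "%s\t%s\n", res, verbs
    }'
}

# Constructed sample of `kubectl auth can-i --list -n dev` output (not captured from a real cluster).
SAMPLE_LIST='Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
*.*                                             []                  []               [*]
pods                                            []                  []               [get list watch]
                                                [/healthz]          []               [get]
secrets                                         []                  []               [*]'

# Number of broad grants in the sample (the *.* row and the secrets row).
count_broad_grants() {
  printf '%s\n' "$SAMPLE_LIST" | flag_broad_grants | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LIST" | flag_broad_grants
```

Pipe real output into flag_broad_grants (`kubectl auth can-i --list -n dev --as "$(sa_subject dev ci-runner)" | flag_broad_grants`) to review what a service account can do before granting it more.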

SYNOPSIS

kubectl auth <command> [options]

Examples of common commands:
kubectl auth login --provider oidc --cluster my-cluster --user my-user
kubectl auth configure --server https://my-k8s-api.com --ca-cert /path/to/ca.crt
kubectl auth token --cluster my-cluster --print

PARAMETERS

login
    Establishes a new authentication context, typically guiding the user through a login flow for a specified provider.

configure
    Configures a specific cluster or user authentication detail within the kubeconfig, such as server endpoint or CA certificates.

token
    Retrieves or generates an authentication token for a specified cluster or user.

refresh
    Refreshes expired authentication tokens or credentials for a specified cluster context.

--provider <name>
    Specifies the authentication provider (e.g., oidc, aws, azure, gcp).

--cluster <name>
    Identifies the target Kubernetes cluster context to configure or operate on.

--user <name>
    Specifies the user context name to create or update in the kubeconfig.

--kubeconfig <path>
    Specifies the path to the kubeconfig file to modify (defaults to ~/.kube/config).

--server <url>
    Sets the Kubernetes API server URL for a cluster configuration.

--ca-cert <path>
    Path to the cluster's Certificate Authority (CA) certificate file.

--insecure-skip-tls-verify
    If set, skips TLS certificate verification for the API server (use with caution).

--overwrite
    If specified, allows overwriting existing kubeconfig entries (context, user, cluster).

-h, --help
    Displays help information for the command or subcommand.

DESCRIPTION

kubectl-auth (often implemented as a kubectl plugin or a helper script) provides a simplified interface for configuring and managing authentication to Kubernetes clusters. It aims to abstract away the complexities of various authentication mechanisms, such as OIDC, cloud provider IAM (e.g., AWS EKS, Azure AKS, GCP GKE), client certificates, or static tokens. Its primary function is to generate or update kubeconfig entries, allowing users to seamlessly switch between clusters and authentication methods without manual kubeconfig editing.

This tool is particularly useful in environments where users interact with multiple clusters, each potentially requiring a different authentication flow. It enhances security by automating token refreshing and ensures correct kubeconfig setup, reducing common configuration errors and improving the overall user experience.

CAVEATS

kubectl-auth is not a standard built-in kubectl command. Implementations vary widely (often as community-contributed plugins or scripts), leading to different command structures, options, and behaviors.

Users should exercise caution and verify the source when using third-party kubectl-auth tools, as they handle sensitive authentication credentials. Ensure the tool comes from a trusted and well-vetted source to mitigate security risks.

Some kubectl-auth implementations may have external dependencies on other command-line tools like curl, jq, openssl, or specific cloud provider CLIs (e.g., aws, gcloud, az) for their functionality.

HISTORY

The need for kubectl-auth tools arose as Kubernetes adoption grew and clusters became hosted across various cloud providers or on-premises environments, each with diverse identity management systems. Early kubectl authentication was often manual, involving copying client certificates or static tokens.

As OIDC (OpenID Connect) and cloud provider IAM mechanisms became prevalent, helper tools emerged to automate the complex kubeconfig setup and token refreshing processes. These tools significantly improved user experience and security by streamlining the authentication workflow. While no single kubectl-auth implementation has become universally standardized, the concept is widely adopted and implemented across the Kubernetes ecosystem to simplify credential management.

SEE ALSO

kubectl(1): The primary Kubernetes command-line tool.
kubeconfig(5): Documentation for the Kubernetes configuration file format.
aws-iam-authenticator(1): A common tool used for authenticating with AWS EKS clusters.
gcloud(1): Google Cloud SDK command-line tool, often used for GKE authentication.
az(1): Azure CLI command-line tool, often used for AKS authentication.