Kubectl auth can-i

I have an EKS Cluster, in which the role-“xxxxxxxxx” with which I am accessing the Cluster has the Clusterrole:“eks:service-operations”. This does not have the permission to run $kubectl top pods or nodes.

- groups:
  - eks:service-operations
  rolearn: xxxxxxxxxxx

When I run $kubectl top nodes or pods, it is giving unauthorized, which is expected.
However, when I run $kubectl auth can-i list pod/metrics, or $kubectl auth can-i get pod/metrics, I was getting “yes” which is not expected.

Hi @Debaroon

What does kubectl auth whoami show?

Hi @Debaroon,

kubectl top pods needs permission to access the pods.metrics.k8s.io API. Please run kubectl auth can-i get pods.metrics.k8s.io and see what it says.
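
As an added illustration (not part of the thread), these are the two access reviews behind the checks discussed above. `kubectl auth can-i` accepts `TYPE/NAME`, so `pod/metrics` is read as the core-group Pod named `metrics`, while `pods.metrics.k8s.io` names the `pods` resource in the `metrics.k8s.io` group. The `default` namespace is an assumption.

```yaml
# Added example, not from the original posts. Namespace "default" is assumed.
# Submit with `kubectl create -f <file> -o yaml` and read status.allowed
# in each returned object.
---
# Equivalent of: kubectl auth can-i get pod/metrics
# TYPE/NAME form: resource "pods" in the core API group, object name "metrics".
# Any role that may read Pods gets allowed: true here.
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectAccessReview
spec:
  resourceAttributes:
    namespace: default
    verb: get
    group: ""            # core API group
    resource: pods
    name: metrics        # treated as a Pod name, not as a metrics API
---
# Equivalent of: kubectl auth can-i get pods.metrics.k8s.io
# RESOURCE.GROUP form: the API that kubectl top pods reads.
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectAccessReview
spec:
  resourceAttributes:
    namespace: default
    verb: get
    group: metrics.k8s.io
    resource: pods
```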