How to check Kubernetes cluster access

Kubernetes access checks separate connection problems from authorization problems. Before applying manifests or troubleshooting workloads, confirm that kubectl is pointed at the intended context, can reach the API server, and has the permission expected for the namespace or resource being used.

kubectl reads cluster, user, and namespace settings from kubeconfig. The active context selects that combination unless a command-line flag or KUBECONFIG override changes it, so a context check comes before interpreting an empty result, a timeout, or a forbidden response.

kubectl cluster-info confirms basic API reachability and service discovery when the current identity is allowed to read that information. kubectl auth can-i asks the API server's authorization layer about one verb and resource, so pair it with the same harmless read command that matches the access being checked.

Related: How to configure kubectl with a kubeconfig file
Related: How to switch Kubernetes context
Related: How to grant Kubernetes namespace access with RBAC

Steps to check Kubernetes cluster access:

  1. List the configured contexts and confirm the active marker points to the intended cluster. 
    $ kubectl config get-contexts
CURRENT   NAME             CLUSTER          AUTHINFO       NAMESPACE
*         team-a-cluster   team-a-cluster   team-a-user    team-a

    If the active context is wrong, switch context or use the correct kubeconfig before running cluster commands.
    Related: How to switch Kubernetes context
    Related: How to configure kubectl with a kubeconfig file

  2. Ask the API server for cluster information. 
    $ kubectl cluster-info
Kubernetes control plane is running at https://cluster.example.net
CoreDNS is running at https://cluster.example.net/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

    A timeout, refused connection, or certificate error points to endpoint, network, or kubeconfig trust. A forbidden response means the API server was reached, but the identity cannot read that discovery data.

  3. List namespaces when cluster-wide namespace visibility is part of the expected role. 
    $ kubectl get namespaces
NAME              STATUS   AGE
default           Active   12d
kube-system       Active   12d
team-a            Active   4d

    Skip this check for a namespace-only role that is not expected to list namespaces, and check an assigned namespace resource instead.

  4. Check the exact permission needed for the namespace. 
    $ kubectl auth can-i list pods --namespace team-a
yes

    Replace list pods and team-a with the verb, resource, and namespace the role should allow. A no response means authentication worked, but authorization does not match the expected access.
    Related: How to grant Kubernetes namespace access with RBAC

  5. Run the matching harmless read command. 
    $ kubectl get pods --namespace team-a
No resources found in team-a namespace.

    The empty namespace message is still a successful read. A forbidden response at this point means the practical command path does not match the permission check or the active context changed.