Kubernetes_rbac

Kubernetes RBAC

Overview

Role-Based Access Control (RBAC) is a method of regulating access to Kubernetes resources based on the roles of individual users or service accounts within a cluster.

RBAC API Resources

┌─────────────────────────────────────────────────────────────────┐
│                     RBAC Authorization                          │
│                                                                  │
│   ┌────────────────┐        ┌────────────────┐               │
│   │     Role       │────────▶│  RoleBinding   │               │
│   │ (namespace)    │        │  (namespace)    │               │
│   └────────────────┘        └────────────────┘               │
│          │                           │                         │
│          │                           ▼                         │
│          │                  ┌────────────────┐               │
│          └────────────────▶│ Subject        │               │
│                             │ (User/Group/   │               │
│                             │  ServiceAccount│               │
│                             └────────────────┘               │
│                                                                  │
│   ┌────────────────┐        ┌────────────────┐               │
│   │  ClusterRole  │───────▶│ClusterRoleBinding│             │
│   │ (cluster-wide)│        │ (cluster-wide) │               │
│   └────────────────┘        └────────────────┘               │
└─────────────────────────────────────────────────────────────────┘

API Objects

Object	Scope	Description
Role	Namespace	Grants permissions within a specific namespace
ClusterRole	Cluster	Grants permissions cluster-wide or to cluster-scoped resources
RoleBinding	Namespace	Binds a Role or ClusterRole to subjects within a namespace
ClusterRoleBinding	Cluster	Binds a ClusterRole to subjects cluster-wide

Roles and ClusterRoles

Role (Namespace-scoped)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

ClusterRole (Cluster-scoped)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]

Multiple Rules

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: myapp
  name: myapp-admin
rules:
# Rule 1: Pods
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
# Rule 2: ConfigMaps
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
# Rule 3: Services
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
# Rule 4: Deployments
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]

Verbs

Common verbs:

get - Read single resource
list - List resources
watch - Watch for changes
create - Create new resources
update - Update existing resources
patch - Partially update resources
delete - Delete resources
deletecollection - Delete multiple resources

RoleBinding

Binding to a User

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
# User
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Binding to a Group

subjects:
# Group
- kind: Group
  name: developers
  apiGroup: rbac.authorization.k8s.io

Binding to a ServiceAccount

subjects:
# ServiceAccount
- kind: ServiceAccount
  name: myapp-sa
  namespace: myapp

ClusterRoleBinding

Grant cluster-wide access:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-all-pods
subjects:
- kind: User
  name: admin-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader-cluster
  apiGroup: rbac.authorization.k8s.io

Reusing ClusterRoles

ClusterRoles can be bound to specific namespaces:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-in-namespace
  namespace: myapp
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader  # Reuse cluster-wide role
  apiGroup: rbac.authorization.k8s.io

Built-in ClusterRoles

Kubernetes provides many built-in ClusterRoles:

# List built-in ClusterRoles
kubectl get clusterroles

Key built-in roles:

ClusterRole	Description
admin	Full access within a namespace
edit	Read/write access to most resources
view	Read-only access to most resources
cluster-admin	Super-user access
system:node	Required for kubelet
system:kube-scheduler	Required for scheduler
system:controller:*	Required for controllers

Practical Examples

Developer Role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development
  name: developer
rules:
# Deployments, StatefulSets, DaemonSets
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Pods, Services, ConfigMaps, Secrets (read-only for secrets)
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "endpoints"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
# Jobs, CronJobs
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Ingress
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Read-Only Role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: viewer
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]

CI/CD Service Account

# Create ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-pipeline
  namespace: myapp
---
# Create Role for deployments
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: myapp
  name: ci-deployer
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list"]
---
# Bind Role to ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-binding
  namespace: myapp
subjects:
- kind: ServiceAccount
  name: ci-pipeline
  namespace: myapp
roleRef:
  kind: Role
  name: ci-deployer
  apiGroup: rbac.authorization.k8s.io

Aggregated ClusterRoles

Use labels to aggregate rules:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: custom-metrics-reader
  labels:
    rbac.example.com/aggregate-to-monitoring: "true"
rules:
- apiGroups: ["custom.metrics.k8s.io"]
  resources: ["*"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-reader
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.example.com/aggregate-to-monitoring: "true"
rules: []  # Rules are automatically aggregated

Checking Permissions

# Check what permissions a user has
kubectl auth can-i get pods --as=jane

# Check namespace permissions
kubectl auth can-i get pods -n myapp --as=jane

# Check if user can create deployments
kubectl auth can-i create deployments --as=jane

# List all permissions (as admin)
kubectl auth can-i --list --as=jane

Debugging RBAC

# Check RoleBindings in a namespace
kubectl get rolebindings -n <namespace>

# Describe a RoleBinding
kubectl describe rolebinding <name> -n <namespace>

# Check ClusterRoleBindings
kubectl get clusterrolebindings

# Describe a ClusterRoleBinding
kubectl describe clusterrolebinding <name>

# Show roles and bindings for a user
kubectl auth reconcile -f my-rbac-config.yaml

Common Patterns

Namespace Admin

# Create namespace
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# Grant admin access to namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-admin
  namespace: team-a
subjects:
- kind: Group
  name: team-a
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io

Cross-Namespace Access

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cross-namespace-reader
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["namespaces"]
  resourceNames: ["frontend", "backend"]
  verbs: ["get", "list", "watch"]

Best Practices

Use ServiceAccounts for applications: Don’t use default user credentials
Principle of least privilege: Grant minimum required permissions
Use namespace-scoped roles: Prefer Role over ClusterRole when possible
Document RBAC policies: Keep RBAC configuration in version control
Audit regularly: Review who has access to what
Use groups: Assign permissions to groups, not individual users
Test before production: Verify permissions work as expected

Summary

RBAC is essential for:

Security: Control who can access what
Compliance: Meet regulatory requirements
Multi-tenancy: Isolate teams and workloads
Auditing: Track access patterns

Key concepts:

Role/ClusterRole: Define what can be done
RoleBinding/ClusterRoleBinding: Define who can do it
Subjects: Users, Groups, or ServiceAccounts
Verbs: Actions that can be performed
Resources: API objects being accessed