TechLead
Lesson 11 of 25

Kubernetes RBAC

Implement Role-Based Access Control in Kubernetes with Roles, ClusterRoles, RoleBindings, and security best practices

What is RBAC?

Role-Based Access Control (RBAC) is the primary authorization mechanism in Kubernetes. It regulates access to Kubernetes resources through roles that are bound to users, groups, or service accounts. RBAC uses the rbac.authorization.k8s.io API group and allows you to define fine-grained permissions.

RBAC Core Components

  • Role: Defines permissions (rules) within a specific namespace
  • ClusterRole: Defines permissions cluster-wide (across all namespaces) or for cluster-scoped resources
  • RoleBinding: Grants the permissions defined in a Role to users/groups/service accounts within a namespace
  • ClusterRoleBinding: Grants ClusterRole permissions cluster-wide

Roles and ClusterRoles

# namespace-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer-role
  namespace: development
rules:
# Full access to pods
- apiGroups: [""]
  resources: ["pods", "pods/log", "pods/exec"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]

# Read-only access to services and configmaps
- apiGroups: [""]
  resources: ["services", "configmaps"]
  verbs: ["get", "list", "watch"]

# Manage deployments
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]

# View events
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "list", "watch"]
---
# cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups: [""]
  resources: ["nodes", "namespaces", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "statefulsets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["networkpolicies", "ingresses"]
  verbs: ["get", "list", "watch"]
---
# Read-only role for auditors
# Caution: resources "*" with "get" includes secrets, so this role can read every
# credential stored in the cluster; narrow the resource list if that is not intended
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: auditor-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]

RoleBindings and ClusterRoleBindings

# role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: development
subjects:
# Bind to a user
- kind: User
  name: alice@example.com
  apiGroup: rbac.authorization.k8s.io
# Bind to a group
- kind: Group
  name: developers
  apiGroup: rbac.authorization.k8s.io
# Bind to a service account
- kind: ServiceAccount
  name: ci-bot
  namespace: development
roleRef:
  kind: Role
  name: developer-role
  apiGroup: rbac.authorization.k8s.io
---
# cluster-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-reader-binding
subjects:
- kind: Group
  name: engineering
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-reader
  apiGroup: rbac.authorization.k8s.io

Common RBAC Patterns

# CI/CD service account with deploy permissions
apiVersion: v1
kind: ServiceAccount
metadata:
  name: github-actions-deployer
  namespace: production
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer-role
  namespace: production
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "update", "patch"]
- apiGroups: [""]
  resources: ["services", "configmaps"]
  verbs: ["get", "list", "create", "update", "patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer-binding
  namespace: production
subjects:
- kind: ServiceAccount
  name: github-actions-deployer
  namespace: production
roleRef:
  kind: Role
  name: deployer-role
  apiGroup: rbac.authorization.k8s.io

Testing and Auditing RBAC

# Check if a user can perform an action
# (--as impersonates the user, which requires "impersonate" permission on users/groups)
kubectl auth can-i create deployments --namespace production --as alice@example.com

# Check what a service account can do
kubectl auth can-i --list --as system:serviceaccount:production:github-actions-deployer -n production

# View all roles in a namespace
kubectl get roles -n development
kubectl get rolebindings -n development

# View all cluster roles
kubectl get clusterroles
kubectl get clusterrolebindings

# Describe a role to see its rules
kubectl describe role developer-role -n development

# Who can create pods in production?
kubectl auth can-i create pods -n production --as alice@example.com
# yes

kubectl auth can-i delete deployments -n production --as alice@example.com
# no
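The audit script below is an added example, not part of this lesson's material: it reads the JSON that `kubectl get roles,clusterroles -A -o json` produces and flags the rules the best practices below warn about (wildcard verbs, the escalation verbs bind/escalate/impersonate, and read access to secrets or create access to pods/exec). The embedded SAMPLE is constructed to mirror the lesson's developer-role and auditor-role, and the function names and finding strings are this example's own.

```python
import json

ESCALATION_VERBS = {"bind", "escalate", "impersonate"}  # let a subject widen its own access
# (apiGroup, resource, verb) triples that hand out credentials or code execution.
SENSITIVE = [("", "secrets", "get"), ("", "secrets", "list"),
             ("", "pods/exec", "create"), ("", "pods/attach", "create")]

def covers(allowed, wanted):  # '*' in a rule field grants everything
    return "*" in allowed or wanted in allowed

def audit_rule(rule):
    """Return the findings for one PolicyRule as decoded from kubectl's JSON."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    if "*" in verbs and "*" in resources:
        return ["wildcard verbs on wildcard resources (cluster-admin equivalent)"]
    findings = []
    if "*" in verbs:
        findings.append("wildcard verbs on " + ",".join(sorted(resources)))
    for v in sorted(ESCALATION_VERBS & verbs):
        findings.append("escalation verb '%s'" % v)
    for group, res, verb in SENSITIVE:  # '*' in any field matches, which is the point
        if covers(groups, group) and covers(resources, res) and covers(verbs, verb):
            findings.append("%s %s" % (verb, res))
    return findings

def audit(role_list):
    """Audit a kubectl List of Roles/ClusterRoles; return {namespace/name: findings}."""
    report = {}
    for item in role_list["items"]:
        meta = item["metadata"]
        name = "%s/%s" % (meta.get("namespace", "cluster"), meta["name"])
        findings = [f for rule in item.get("rules") or [] for f in audit_rule(rule)]
        if findings:
            report[name] = findings
    return report

# Constructed sample mirroring the lesson's roles; feed real output from
# "kubectl get roles,clusterroles -A -o json" via json.load(sys.stdin).
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "developer-role", "namespace": "development"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log", "pods/exec"],
             "verbs": ["get", "list", "watch", "create", "update", "delete"]}]},
 {"metadata": {"name": "cluster-reader"},
  "rules": [{"apiGroups": [""], "resources": ["nodes", "namespaces"],
             "verbs": ["get", "list", "watch"]}]},
 {"metadata": {"name": "auditor-role"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]}
]}""")
```

Calling `audit(SAMPLE)` reports `create pods/exec` for developer-role and `get secrets` / `list secrets` for auditor-role, while cluster-reader produces no findings.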

RBAC Best Practices

  • Least Privilege: Grant only the minimum permissions needed for each role
  • Namespace Scoping: Prefer Roles over ClusterRoles to limit blast radius
  • Group Bindings: Bind to groups rather than individual users for easier management
  • Service Accounts: Create dedicated service accounts for applications, never use the default
  • Audit Regularly: Review RBAC policies periodically and remove stale permissions
