RBAC LAB
- RNREDDY
- Sep 2
- 4 min read
RBAC (Role-Based Access Control) in Kubernetes is a method of regulating access to Kubernetes resources based on roles and permissions. It is crucial for security, especially in multi-user clusters.
1. What is RBAC?
RBAC controls who can do what in your cluster.
Who = User / Group / ServiceAccount
What = verbs like get, list, create, delete on Kubernetes resources like pods, services, secrets, etc.
Where = namespace-specific or cluster-wide
RBAC Object | Scope | Used With |
Role | Namespace | RoleBinding |
ClusterRole | Cluster | ClusterRoleBinding or RoleBinding |
RoleBinding | Namespace | Role or ClusterRole |
ClusterRoleBinding | Cluster | ClusterRole |
What is a Role in Kubernetes RBAC?
A Role is an RBAC object in Kubernetes that defines a set of permissions (what actions can be performed on which resources) within a specific namespace.
Role Basics
It controls access to namespaced resources like Pods, Services, ConfigMaps, Secrets, etc.
You assign the Role to users or service accounts using a RoleBinding.
Roles do not grant permissions by themselves — they need to be bound to someone.
Create a Role with yaml file
# example-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: dev
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
Create a role with command line
Create a Role that can read pods in the dev namespace
# kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods --namespace=prod
How to Confirm the Role was created?
# kubectl get role pod-reader -n prod
Create a RoleBinding (Assign Role to User)
# example-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods-binding
namespace: dev
subjects:
- kind: User # can also be ServiceAccount or Group
name: alice
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
Create a RoleBinding via CLI
# kubectl create rolebinding read-pods-binding --role=pod-reader --user=alice --namespace=prod
Verify RoleBinding:
# kubectl get rolebinding -n prod
what is service account?
A ServiceAccount in Kubernetes is a special type of identity used by pods or controllers (like deployments, jobs, cronjobs, etc.) to interact with the Kubernetes API.
Why Do We Need ServiceAccounts?
Kubernetes workloads (like Pods) often need to:
Read secrets (e.g., DB credentials)
Interact with the Kubernetes API (e.g., create/update resources)
Talk to other services via Service Discovery
Pods cannot log in like users, so Kubernetes gives them a ServiceAccount to represent their identity.
Default Behavior
Every pod automatically gets a default service account in its namespace unless you specify anothe
Item | Meaning |
🧑💻 User Account | Human login (e.g., kubectl access) |
🤖 Service Account | Pod or bot identity |
🔐 Permissions (RBAC) | What the pod/user is allowed to do |
Example Use Case
Let’s say you have a CI/CD tool like ArgoCD or Jenkins running inside Kubernetes, and it needs to:
Watch pods
Apply deployments
You can:
Create a ServiceAccount named ci-bot
Grant it permissions via a Role or ClusterRole
Attach the ServiceAccount to the pod running the CI/CD tool
Create a ServiceAccount:
Attach ServiceAccount to a Pod:
apiVersion: v1
kind: Pod
metadata:
name: ci-runner
namespace: dev
spec:
serviceAccountName: ci-bot
containers:
- name: runner
image: busybox
command: ["sleep", "3600"]
RBAC Binding for a ServiceAccount:
Create a role
# kubectl create role pod-editor --verb=get --verb=create --verb=delete --resource=pods --namespace=dev
Role binding:
kubectl create rolebinding ci-bot-access --role=pod-editor --serviceaccount=dev:ci-bot --namespace=dev
Test with kubectl auth can-i:
kubectl auth can-i create pods --as=system:serviceaccount:dev:ci-bot --namespace=dev
What Is a ClusterRole in Kubernetes?
A ClusterRole is a cluster-wide set of permissions in Kubernetes.
It's like a "global" version of a Role, which is limited to a specific namespace.
Core Idea:
Role = grants access within a namespace
ClusterRole = grants access across the entire cluster
When to Use a ClusterRole?
Use Case | Why ClusterRole? |
Grant access to resources outside of a namespace | Example: nodes, persistentvolumes |
Grant access across all namespaces | Example: get all pods in all namespaces |
Bind permissions to ClusterRoleBinding | For global users, service accounts, or system admins |
Used by controllers or operators | These need full-cluster access (like cert-manager) |
ClusterRole Example Use Cases
Allow read access to all pods in all namespaces
# kubectl create clusterrole pod-reader --verb=get --verb=list --verb=watch --resource=pods
Verify the ClusterRole
# kubectl get clusterrole pod-reader
YAML Version (Recommended for Version Control)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
Bind pod-reader ClusterRole to user alice
kubectl create clusterrolebinding read-pods-global --clusterrole=pod-reader --user=alice
For ServiceAccount (e.g., for a bot or app)
kubectl create clusterrolebinding sa-pod-reader-binding --clusterrole=pod-reader --serviceaccount=dev:ci-bot
YAML Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: read-pods-global
subjects:
- kind: User # or ServiceAccount / Group
name: alice # username or service account name
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: pod-reader # previously created ClusterRole
apiGroup: rbac.authorization.k8s.io
Verify It Worked
# kubectl get clusterrolebinding read-pods-global
Test Access
# kubectl auth can-i get pods --all-namespaces --as=alice
Comments