Kubernetes — Role-Based Access Control (RBAC) Overview

RBAC with Kubernetes — Role, ClusterRole, RoleBinding, and ClusterRoleBinding.

Kubernetes — Role-Based Access Control (RBAC)

TL;DR

Role-based access control (RBAC) is a way of granting users granular access to Kubernetes API resources. RBAC is a security design that restricts access to Kubernetes resources based on the role the user holds.

API Objects for configuring RBAC: Role, ClusterRole, RoleBinding and ClusterRoleBinding.

Role/ClusterRole only say what can be done, while who can do what is defined in a RoleBinding/ClusterRoleBinding.

Role

• Role defines what can be done to Kubernetes Resources.
• Role contains one or more rules that represent a set of permissions.
• Permissions are additive. There are no deny rules.
• Roles are namespaced, meaning Roles work within the constraints of a namespace. It would default to the default namespace if none was specified.
• After creating a Role, you assign it to a user or group of users by creating a RoleBinding.

Example

Here’s an example Role in the “default” namespace that can be used to grant read access to pods: