Kubernetes — Role-Based Access Control (RBAC) Overview
RBAC with Kubernetes — Role, ClusterRole, RoleBinding, and ClusterRoleBinding.
TL;DR
Role-based access control (RBAC) is a way of granting users granular access to Kubernetes API resources. RBAC is a security design that restricts access to Kubernetes resources based on the role the user holds.
API Objects for configuring RBAC: Role
, ClusterRole
, RoleBinding
and ClusterRoleBinding
.
Role/ClusterRole
only say what can be done, while who can do what is defined in a RoleBinding/ClusterRoleBinding
.
Role
- Role defines what can be done to Kubernetes Resources.
- Role contains one or more rules that represent a set of permissions.
- Permissions are additive. There are no deny rules.
- Roles are namespaced, meaning Roles work within the constraints of a namespace. It would default to the
default
namespace if none was specified. - After creating a Role, you assign it to a user or group of users by creating a RoleBinding.
Example
Here’s an example Role in the “default” namespace that can be used to grant read access to pods: