Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) is a method of regulating access to resources based on the roles of individual users. RBAC uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing you to dynamically configure policies through the Kubernetes API.
RBAC Components
RBAC authorization uses four kinds of Kubernetes objects:
| Object | Scope | Description |
|---|---|---|
| Role | Namespace | Grants permissions within a specific namespace |
| ClusterRole | Cluster-wide | Grants permissions cluster-wide or to cluster-scoped resources |
| RoleBinding | Namespace | Binds a Role or ClusterRole to subjects (users, groups or service accounts) within a single namespace; even when it references a ClusterRole, the grant applies only in that namespace |
| ClusterRoleBinding | Cluster-wide | Binds a ClusterRole to subjects across the entire cluster |
How RBAC Works
- Roles/ClusterRoles define what actions can be performed on which resources
- RoleBindings/ClusterRoleBindings define who can perform those actions
- Permissions are purely additive (there are no "deny" rules)
Role - Grants read access to pods in a namespace
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
```
RoleBinding - Binds the Role to a user
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
ClusterRole - Grants read access to secrets cluster-wide
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
```
ClusterRoleBinding - Binds the ClusterRole to a group
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
  - kind: Group
    name: developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```
Role for a ServiceAccount with deployment permissions
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: deployment-manager
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    # pods/log is a subresource; access to it must be granted explicitly
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployment-manager-binding
  namespace: production
subjects:
  - kind: ServiceAccount
    name: deploy-bot
    namespace: production
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: rbac.authorization.k8s.io
```
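The additive, binding-driven evaluation described under "How RBAC Works", applied to the pod-reader and secret-reader manifests above, as an added Python example (not Kubernetes project code). The dicts mirror the page's objects; resourceNames, nonResourceURLs and wildcard rules are left out, and the `is_allowed` helper and its signature are this example's own.

```python
# Added example, not Kubernetes project code: a minimal model of RBAC evaluation over
# plain dicts mirroring the manifests above (omits resourceNames, nonResourceURLs, "*").

def _subject_matches(subject, user, groups):
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return user == name
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":  # authenticates as system:serviceaccount:<ns>:<name>
        return user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False

def _rule_allows(rule, api_group, resource, verb):
    # A rule grants the request only when apiGroup, resource and verb all match.
    return (api_group in rule["apiGroups"] and resource in rule["resources"]
            and verb in rule["verbs"])

def is_allowed(objects, user, groups, verb, resource, namespace, api_group=""):
    """True if any binding grants the request; no object can take a grant away."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] == "RoleBinding":
            if b["metadata"]["namespace"] != namespace:
                continue  # a RoleBinding only grants inside its own namespace
            role_ns = namespace if b["roleRef"]["kind"] == "Role" else None
        elif b["kind"] == "ClusterRoleBinding":
            role_ns = None  # a ClusterRoleBinding grants the ClusterRole everywhere
        else:
            continue
        role = roles.get((b["roleRef"]["kind"], role_ns, b["roleRef"]["name"]))
        if role is None or not any(_subject_matches(s, user, groups) for s in b["subjects"]):
            continue
        if any(_rule_allows(r, api_group, resource, verb) for r in role.get("rules", [])):
            return True
    return False  # nothing granted it; RBAC has no deny rules to consult

# Constructed objects reproducing the pod-reader and secret-reader manifests above.
OBJECTS = [
    {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "read-pods"},
     "subjects": [{"kind": "User", "name": "jane"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-secrets-global"},
     "subjects": [{"kind": "Group", "name": "developers"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]
```

Against a live cluster, `kubectl auth can-i <verb> <resource> --namespace <ns> --as <user>` answers the same questions from the real authorizer.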
Common Verbs
| Verb | Description |
|---|---|
| get | Read a specific resource |
| list | List resources of a type |
| watch | Watch for changes to resources |
| create | Create new resources |
| update | Update existing resources |
| patch | Partially update resources |
| delete | Delete resources |
| deletecollection | Delete multiple resources |
Default ClusterRoles
| Role | Description |
|---|---|
| cluster-admin | Full access to all resources |
| admin | Full access within a namespace |
| edit | Read/write access to most resources in a namespace |
| view | Read-only access to most resources in a namespace |