Access Control (RBAC) in Kubernetes

In this post, I attempt to explain RBAC. I am writing this because I had hard time figuring out RBAC from official docs, hope this helps you get the basic idea of RBAC.

Source - https://unsplash.com/photos/CkaAkgK5mc4

What is RBAC?

RBAC is short for Role-based access control, as in you have a Role and that Role has Access to some resource.

RBAC has three core components:

  1. Role :tophat:
  2. Subject :blonde_man:
  3. RoleBinding :arrows_counterclockwise:

:tophat: Role: defines permissions for a role.

Here is an example role which can only list pods

:blonde_man: Subject: Roles are applied to subjects. A subject can be a User (human) or ServiceAccount (service/program). Applied role controls the things a Subject can do.

Here is a an example subject (ServiceAccount)

:arrows_counterclockwise: RoleBinding: role binding is used to link/apply roles to subjects Using a RoleBinding you bind/attach a Role to a Subject

Here is an example role binding which gives our service account test-service-account permission to list pods by binding pods-role to test-service-account

:spiral_notepad: About cluster wide operations

  • Role, and RoleBinding only works in namespace they are created. For cluster wide permissions you need to create ClusterRole and ClusterRoleBinding
  • For creating ClusterRole and ClusterRoleBinding you need cluster-admin role

Example ClusterRole & ClusterRoleBinding

References/Further reading:

  1. Big list of roles from Kubernetes test suite, comes handy when you are writing complex roles
  2. Kubernetes RBAC Docs
  3. CNCF blog post on RBAC
  4. Daisuke Maki’s blog post on Configuring RBAC

Thanks @op_hamster and @lokeshdevnani :shipit: