RBAC
Roles vs ClusterRoles
Namespaced: pods, replicasets, jobs, deployments, services, secrets, roles, rolebindings, configmaps, PVC
Cluster scoped: nodes, PV, clusterroles, clusterrolebindings, certificatesigningrequests, namespaces
It's possible to put rules for namespaced resources (pods, deployments, ...) into a ClusterRole to grant that access across all namespaces.
Role
- Role is namespace scoped.
k create role --help
k create rolebinding --help
Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: my-namespace
rules:
- apiGroups: [""] # blank for core api group /api
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
  # resourceNames: ['some-resource-instance']
- apiGroups: [""]
  ...
RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-binding
  namespace: my-namespace
subjects: # also can use ServiceAccount or Group
- kind: User # only works with external auth providers like OIDC
  name: [email protected]
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Check Access
k auth can-i create deployments [--as ata] [--namespace ns]
k auth can-i delete nodes
k get pods --as ata
Cluster Role
kubectl create clusterrole noder --verb=get,list,watch,create,delete --resource=nodes,res2,...
kubectl create clusterrolebinding noders --clusterrole=noder --user=michelle
ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-pods-cluster-binding
subjects:
- kind: User
  name: [email protected] # Or use a ServiceAccount or Group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
k describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
*.*
: All resources in all API Groups (all verbs)
Resources are shown as resource.apiGroup (the resource name, then the API group it belongs to):
pods
: apiGroups: [""], resources: ["pods"] (core group, so no suffix)
deployments.apps
: apiGroups: ["apps"], resources: ["deployments"]
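How the API server matches a request against these rules, as an added example that is not part of the original notes: a small Python evaluator for PolicyRules written in the resource.apiGroup shorthand above. The function names and the constructed rule sets (POD_READER, CLUSTER_ADMIN) are my own; it covers resource rules only, not non-resource URLs.

```python
# Added example, not from the original notes: a small evaluator that mirrors
# how the API server matches a request against RBAC PolicyRules, using the
# "resource.apiGroup" shorthand from above ("pods" = core group,
# "deployments.apps", "*.*" = every resource in every group).

def parse_resource(shorthand):
    """'deployments.apps' -> ('apps', 'deployments'); 'pods' -> ('', 'pods')."""
    resource, _, group = shorthand.partition(".")
    return group, resource

def rule(shorthands, verbs, names=()):
    """Build one PolicyRule. apiGroups x resources is a cross product, so
    every shorthand in a single rule must belong to the same API group."""
    groups = {parse_resource(s)[0] for s in shorthands}
    if len(groups) != 1:
        raise ValueError("mixing API groups in one rule widens the grant: %r" % groups)
    return {"apiGroups": sorted(groups),
            "resources": [parse_resource(s)[1] for s in shorthands],
            "verbs": list(verbs),
            "resourceNames": list(names)}

def matches(r, group, resource, verb, name=None):
    """True if a single PolicyRule covers this (group, resource, verb, name)."""
    ok_group = "*" in r["apiGroups"] or group in r["apiGroups"]
    ok_resource = "*" in r["resources"] or resource in r["resources"]
    ok_verb = "*" in r["verbs"] or verb in r["verbs"]
    # Empty resourceNames means any instance; otherwise the name must match.
    ok_name = not r["resourceNames"] or name in r["resourceNames"]
    return ok_group and ok_resource and ok_verb and ok_name

def can_i(rules, verb, shorthand, name=None):
    """RBAC is allow-only with no deny rules: one matching rule is enough."""
    group, resource = parse_resource(shorthand)
    return any(matches(r, group, resource, verb, name) for r in rules)

# Constructed rule sets: the pod-reader Role from the notes, plus a
# resourceNames-restricted rule, and cluster-admin's "*.* [*]" resource rule.
POD_READER = [rule(["pods"], ["get", "list", "watch"]),
              rule(["deployments.apps"], ["delete"], names=["legacy-app"])]
CLUSTER_ADMIN = [rule(["*.*"], ["*"])]

if __name__ == "__main__":
    print(can_i(POD_READER, "get", "pods"))                               # True
    print(can_i(POD_READER, "delete", "deployments.apps", "legacy-app"))  # True
    print(can_i(POD_READER, "delete", "deployments.apps", "other-app"))   # False
    print(can_i(CLUSTER_ADMIN, "delete", "nodes"))                        # True
```

Compare the results with `k auth can-i` against a real cluster, which additionally accounts for bindings, groups and non-resource URLs.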