Kubernetes RBAC Model
RBAC controls who can do what in your cluster.
| Component | Meaning |
|---|---|
| Subject | Who (User, Group, ServiceAccount) |
| Role | What permissions |
| RoleBinding | Connects subject to role |
Scope
| Resource | Scope | Use Case |
|---|---|---|
| Role | Namespace | App-specific permissions |
| ClusterRole | Cluster-wide | Admin, node access |
| RoleBinding | Namespace | Bind role to user in namespace |
| ClusterRoleBinding | Cluster-wide | Bind cluster role globally |
Creating Roles
Namespace Role
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: app-developer
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update"]
  # "create" on pods/exec is an interactive shell in any pod of the namespace,
  # i.e. code execution under that pod's ServiceAccount; grant it deliberately.
  - apiGroups: [""]
    resources: ["pods/log", "pods/exec"]
    verbs: ["get", "create"]
```
ClusterRole
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-viewer
rules:
  - apiGroups: [""]
    resources: ["nodes", "namespaces", "pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
```
RoleBindings
```yaml
# Bind role to a user in a namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-binding
  namespace: production
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-developer
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: viewer-binding
subjects:
  - kind: Group
    name: readonly-users
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-viewer
  apiGroup: rbac.authorization.k8s.io
```
ServiceAccounts
ServiceAccounts provide identity for pods to interact with the API.
```yaml
# Create a ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: production
---
# Role for the ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: app-role
rules:
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list"]
---
# Bind ServiceAccount to Role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-sa-binding
  namespace: production
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: production
roleRef:
  kind: Role
  name: app-role
  apiGroup: rbac.authorization.k8s.io
```
Using ServiceAccount in Pods
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextgen-app
spec:
  selector:
    matchLabels:
      app: nextgen-app
  template:
    metadata:
      labels:
        app: nextgen-app
    spec:
      serviceAccountName: app-sa
      # Keep true only if the app really calls the API; otherwise set false
      # so the token is never mounted into the container.
      automountServiceAccountToken: true
      containers:
        - name: app
          image: nextgen-app:1.0
```
Pod Security
Security Context
```yaml
spec:
  containers:
    - name: app
      image: nextgen-app:1.0
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        # Required (RuntimeDefault or Localhost) by the Restricted standard below
        seccompProfile:
          type: RuntimeDefault
```
Pod Security Standards
| Level | Description |
|---|---|
| Privileged | Unrestricted (avoid in production) |
| Baseline | Minimally restrictive, prevents known escalations |
| Restricted | Heavily restricted, security best practices |
```bash
# Enforce restricted policy on a namespace
kubectl label namespace production \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/warn=restricted
```
Verifying RBAC
```bash
# Check if a user can perform an action
kubectl auth can-i create deployments --namespace production --as alice
kubectl auth can-i delete pods --namespace production --as bob

# List all roles in a namespace
kubectl get roles -n production
kubectl get rolebindings -n production

# Describe a role
kubectl describe role app-developer -n production
```
Summary
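As an added example (not from this tutorial and not kubectl's own code), a small Python emulation of the evaluation behind `kubectl auth can-i`, run over constructed copies of the Role, ClusterRole and bindings defined above. It shows that a RoleBinding only grants inside its namespace, that a ClusterRoleBinding applies everywhere, that a subresource such as `pods/exec` is matched as a whole string, and that RBAC has no deny rules. Group membership is passed in explicitly here; in a real cluster it comes from the authenticator.

```python
# Constructed copies of this page's Role and ClusterRole rules,
# keyed by (kind, namespace, name); ClusterRoles have namespace None.
ROLES = {
    ("Role", "production", "app-developer"): [
        {"apiGroups": [""], "resources": ["pods", "services", "configmaps"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch", "create", "update"]},
        {"apiGroups": [""], "resources": ["pods/log", "pods/exec"],
         "verbs": ["get", "create"]},
    ],
    ("ClusterRole", None, "cluster-viewer"): [
        {"apiGroups": [""], "resources": ["nodes", "namespaces", "pods"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "daemonsets"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# The page's two bindings; namespace None marks a ClusterRoleBinding.
BINDINGS = [
    {"namespace": "production", "roleRef": ("Role", "app-developer"),
     "subjects": [("User", "alice"), ("Group", "developers")]},
    {"namespace": None, "roleRef": ("ClusterRole", "cluster-viewer"),
     "subjects": [("Group", "readonly-users")]},
]

def _matches(allowed, value):
    return "*" in allowed or value in allowed  # exact match; "*" is the only wildcard

def rule_allows(rule, api_group, resource, verb):
    # A subresource like "pods/exec" is matched as a whole string: a rule on
    # "pods" does not cover it, and a rule on "pods/exec" does not cover "pods".
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))

def can_i(user, groups, verb, resource, namespace, api_group=""):
    # True if some binding that reaches this subject carries a matching rule.
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for binding in BINDINGS:
        if binding["namespace"] not in (None, namespace):
            continue  # a RoleBinding only grants inside its own namespace
        if not subjects.intersection(binding["subjects"]):
            continue
        kind, name = binding["roleRef"]
        role_ns = binding["namespace"] if kind == "Role" else None
        rules = ROLES.get((kind, role_ns, name), [])
        if any(rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False  # RBAC is allow-only: no matching rule means denied
```

The two `kubectl auth can-i` queries above map to `can_i("alice", [], "create", "deployments", "production", "apps")` and `can_i("bob", [], "delete", "pods", "production")`; bob is denied unless he is in the `developers` group.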
You've learned:
- Kubernetes RBAC model (Roles, Bindings, Subjects)
- Creating namespace and cluster-scoped permissions
- ServiceAccounts for pod identity
- Pod security contexts and standards
- Verifying and auditing RBAC policies
Next Steps
Next, we'll explore StatefulSets, DaemonSets, and Jobs for specialized workloads.