RBAC Guide

Role vs ClusterRole

| Resource | Scope | Bound With |
|---|---|---|
| Role | Single namespace | RoleBinding |
| ClusterRole | Cluster-wide or namespaced | ClusterRoleBinding or RoleBinding |
| RoleBinding | Grants Role/ClusterRole within a namespace | User/Group/SA |
| ClusterRoleBinding | Grants ClusterRole cluster-wide | User/Group/SA |

Role & RoleBinding

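---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: pod-reader
rules:
  # Read-only access to pods. "pods/log" is a subresource and must be named
  # explicitly; log output can carry sensitive data, so grant it deliberately.
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list"]
  # resourceNames narrows the rule to a single named object. It applies to
  # verbs that address one object (get/update/patch/delete); "list" and
  # "watch" are not restricted by name in the general case, which is why
  # only "get" is granted here.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["app-secret"]  # specific resource only
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-pod-reader
  namespace: production  # a RoleBinding is namespaced; it grants nothing elsewhere
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: developers
    apiGroup: rbac.authorization.k8s.io
# roleRef is immutable after creation; to point a binding at a different
# role, delete and recreate the binding.
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io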

ClusterRole & ClusterRoleBinding

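---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
  # "nodes" is a cluster-scoped resource, so a ClusterRole is required.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["metrics.k8s.io"]
    resources: ["nodes", "pods"]
    verbs: ["get", "list"]
  # nonResourceURLs are only valid in a ClusterRole, never in a Role.
  - nonResourceURLs: ["/healthz", "/metrics"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: monitoring-node-reader
subjects:
  # ServiceAccount subjects need a namespace; apiGroup is omitted because
  # the default ("") is correct for ServiceAccounts.
  - kind: ServiceAccount
    name: prometheus
    namespace: monitoring
# A ClusterRoleBinding grants these rules across every namespace; bind with
# a namespaced RoleBinding instead when cluster-wide reach is not needed.
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io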

ServiceAccounts

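```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-sa
  namespace: production
  annotations:
    # AWS IRSA
    eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/MyAppRole"
    # GKE Workload Identity
    iam.gke.io/gcp-service-account: "myapp-sa@my-project.iam.gserviceaccount.com"
---
# Use ServiceAccount in Pod
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  serviceAccountName: myapp-sa
  # Disable if the workload never calls the API server: a mounted token is a
  # credential any process in the pod can read. The Pod-level setting takes
  # precedence over the same field on the ServiceAccount.
  automountServiceAccountToken: false  # disable if not needed
  # containers omitted for brevity; a real Pod spec requires at least one.
```

```bash
# CLI operations
kubectl create serviceaccount myapp-sa -n production
kubectl get serviceaccount myapp-sa -n production -o yaml

# Test permissions (impersonate)
# --as requires the caller to hold the "impersonate" verb on users/serviceaccounts.
kubectl auth can-i list pods --as=system:serviceaccount:production:myapp-sa
kubectl auth can-i create deployments --as=alice -n production
```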

Aggregated ClusterRoles

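```yaml
# Create role that auto-aggregates into 'view'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregate-to-view
  labels:
    # The controller manager copies this ClusterRole's rules into the built-in
    # "view" ClusterRole, so every subject bound to "view" gains them too.
    # Review aggregated rules as carefully as a direct grant.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: ["custom.example.com"]
    resources: ["myresources"]
    verbs: ["get", "list", "watch"]

# Built-in aggregation labels:
# rbac.authorization.k8s.io/aggregate-to-admin: "true"
# rbac.authorization.k8s.io/aggregate-to-edit: "true"
# rbac.authorization.k8s.io/aggregate-to-view: "true"
```

```bash
# Useful kubectl commands
# NOTE(review): field selectors are only supported on a small per-resource
# set of fields; if the server rejects "subjects.name", fetch with -o json
# and filter client-side instead.
kubectl get rolebindings,clusterrolebindings -A \
  --field-selector=subjects.name=alice
# Shows the effective (aggregated) rules of the built-in "admin" role.
kubectl describe clusterrole admin
```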