Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC)

Control access to resources in a cluster

Service accounts represent subjects

(Cluster)Role specifies what to allow on which resources

(Cluster)RoleBinding connects service accounts with one or more (Cluster)Roles

Role and RoleBinding are namespaced

ClusterRole and ClusterRoleBinding are cluster-wide

RoleBindings can reference a ClusteRole which is applied to a namespace

Impersonation using RBAC

(Cluster)Roles can allow impersonation

One ServiceAccount can perform actions in the context of a second ServiceAccount

Use case 1: Delegation of Namespaces

Useful for one cluster used by many teams

Read-only user per namespace

Impersonation to admin per namespace

Use case 2: Protection from mistakes

Useful for one cluster used by a single team

Cluster-wide read-only user

Impersonation to admin per namespace


Use case 1

Namespace test

Read-only user test-reader

Admin user test-admin


bash [3] kubectl \ --namespace test \ --as=test-admin \ run -it --image=alpine --command \ -- \ sh