Role-Based Access Control (RBAC)

Control access to resources in a cluster

Service accounts represent subjects

(Cluster)Role specifies what to allow on which resources

(Cluster)RoleBinding connects service accounts with one or more (Cluster)Roles

Role and RoleBinding are namespaced

ClusterRole and ClusterRoleBinding are cluster-wide

RoleBindings can reference a ClusterRole, whose rules then apply only within the RoleBinding's namespace


Impersonation using RBAC

(Cluster)Roles can allow impersonation

One ServiceAccount can perform actions in the context of a second ServiceAccount

Use case 1: Delegation of Namespaces

Useful for one cluster used by many teams

Read-only user per namespace

Impersonation to admin per namespace

Use case 2: Protection from mistakes

Useful for one cluster used by a single team

Cluster-wide read-only user

Impersonation to admin per namespace


Demo

Use case 1

Namespace test

Read-only user test-reader

Admin user test-admin

Usage:

```bash
kubectl \
  --namespace test \
  --as=test-admin \
  run -it --image=alpine --command \
  -- \
  sh
```
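The RBAC objects behind use case 1, as an added example (not manifests from the original deck): test-reader gets the built-in ClusterRole "view" in namespace test, test-admin gets the built-in "admin" there, and a ClusterRole limited by resourceNames lets test-reader impersonate only test-admin. The "per namespace" scoping comes from test-admin holding rights in namespace test alone; the binding and ClusterRole names are assumptions, and how the two users authenticate is outside the deck.

```yaml
# Read-only in namespace test: built-in ClusterRole "view", bound per namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: test-reader-view, namespace: test}     # binding name assumed
subjects:
- {kind: User, name: test-reader, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: ClusterRole, name: view, apiGroup: rbac.authorization.k8s.io}
---
# Admin in namespace test only: built-in ClusterRole "admin", bound per namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: test-admin-admin, namespace: test}     # binding name assumed
subjects:
- {kind: User, name: test-admin, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: ClusterRole, name: admin, apiGroup: rbac.authorization.k8s.io}
---
# Users are cluster-scoped, so the impersonate grant needs a ClusterRole and a
# ClusterRoleBinding. resourceNames restricts it to the single user test-admin;
# without it, test-reader could impersonate any user, including cluster admins.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: impersonate-test-admin}                # name assumed
rules:
- apiGroups: [""]
  resources: ["users"]
  verbs: ["impersonate"]
  resourceNames: ["test-admin"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: test-reader-impersonates-test-admin}   # name assumed
subjects:
- {kind: User, name: test-reader, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: ClusterRole, name: impersonate-test-admin, apiGroup: rbac.authorization.k8s.io}
```

With a kubeconfig for test-reader, `kubectl --namespace test auth can-i create pods` should answer "no", while the same command with `--as=test-admin` should answer "yes"; the impersonated user is recorded in the API server audit log, so the delegation stays traceable.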