Control access to resources in a cluster
Service accounts represent subjects
(Cluster)Role specifies what to allow on which resources
(Cluster)RoleBinding connects service accounts with (Cluster)Roles
Role and RoleBinding are namespaced
ClusterRole and ClusterRoleBinding are cluster-wide
RoleBindings can reference a ClusterRole, which then applies only within the RoleBinding's namespace
Show namespaced permissions
Show cluster-wide permissions
Show mixed permissions
Use kubectl auth can-i to check RBAC
(Cluster)Roles require verbs and resources
kubectl api-resources
Accepted verbs: create, get, list, watch, update, patch, delete
Find supported verbs for resources:
kubectl api-resources --output wide
Subjects are referenced in (Cluster)RoleBindings
Can be created: kubectl create sa <name>
Token authentication maps to service accounts
Internally referenced by system:serviceaccount:<namespace>:<name>
Authentication backends can add users and groups
Certificate authentication maps to users
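The "mixed permissions" case above (a RoleBinding that references a ClusterRole), the service-account subject name, and the kubectl auth can-i checks, as an added example that is not part of the original slides. The namespace (dev, prod), service account (ci-reader) and role (pod-reader) names are constructed for the example.

```shell
#!/usr/bin/env sh
# Added example: a ClusterRole bound to a service account in ONE namespace
# via a RoleBinding, plus the kubectl auth can-i checks that verify it.
# Names (dev, prod, ci-reader, pod-reader) are constructed for the example.

# Subject name the API server uses when a service-account token authenticates.
sa_subject() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Emit the manifests: a service account, a cluster-wide role definition,
# and a namespaced binding that scopes that role to one namespace only.
rbac_manifest() {
  ns=$1; sa=$2
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: $sa, namespace: $ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: pod-reader}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: read-pods, namespace: $ns}
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Build the can-i command for verb/resource/namespace, impersonating the SA.
can_i_cmd() {
  printf 'kubectl auth can-i %s %s -n %s --as=%s' "$1" "$2" "$3" "$(sa_subject "$4" "$5")"
}

# Apply and verify against a live cluster only when explicitly requested.
if [ "${1:-}" = "apply" ]; then
  rbac_manifest dev ci-reader | kubectl apply -f -
  $(can_i_cmd list pods dev dev ci-reader)    # expected: yes (bound namespace)
  $(can_i_cmd list pods prod dev ci-reader)   # expected: no  (other namespace)
  $(can_i_cmd delete pods dev dev ci-reader)  # expected: no  (verb not granted)
fi
```

Run with the `apply` argument against a test cluster; the same ClusterRole bound through a ClusterRoleBinding instead would make the prod check answer yes, which is the difference the slides describe.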