Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC)

Control access to resources in a cluster

Service accounts represent subjects

(Cluster)Role specifies what to allow on which resources

(Cluster)RoleBinding connects service accounts with (Cluster)Roles

Role and RoleBinding are namespaced

ClusterRole and ClusterRoleBinding are cluster-wide

RoleBindings can reference a ClusterRole which is applied to a namespace

Demo: RBAC

Show namespaced permissions

Show cluster-wide permissions

Show mixed permissions

Using kubectl auth can-i to check RBAC

How to write roles

(Cluster)Roles require verbs and resources

How to find resources

kubectl api-resources

How to find verbs

Accepted verbs : Create, get, list, watch, update, patch, delete

Find supported verbs for resources:

kubectl api-resources --output wide


XXX find verbs for subresources, e.g. pod/exec


How to specify subjects

Subjects are referenced in (Cluster)RoleBindings


Can be created: kubectl create sa <name>

Token authentication maps to service accounts

Internally referenced by

User / Group

Authentication backends can add users and groups

Certificate authentication maps to users