Quick Recap

(Cluster)Role

What resource(s) to access

Which permissions are granted

(Cluster)RoleBinding

Who is granted access (subject)

Which role is granted

Subjects

ServiceAccount

User / Group (more later)


Role-Based Access Control (RBAC)

Reminder

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "update", "patch"]

What resource(s) to access

Which permissions are granted

ClusterRole works in the same way, but it is not namespaced


Role-Based Access Control (RBAC)

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader
  namespace: default   # a RoleBinding lives in one namespace (namespace assumed here)
subjects:
- kind: ServiceAccount   # ServiceAccount subjects use the core apiGroup ("", omitted), not rbac.authorization.k8s.io
  name: test
  namespace: default     # ServiceAccounts are namespaced, so the subject must say which one
- kind: ServiceAccount
  name: demo
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Reminder

Who is granted access

Which role is granted


Role-Based Access Control (RBAC)

Namespaced

Define and assign roles inside a namespace using Role, RoleBinding

Clustered

Define and assign roles for the whole cluster using ClusterRole, ClusterRoleBinding

Mix and match:

Define roles for the whole cluster (ClusterRole) and assign them in a namespace (a RoleBinding whose roleRef points at the ClusterRole); the grant then only applies inside that namespace
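To make the namespaced / clustered / mix-and-match scoping concrete, here is a small evaluator that replays how the API server answers "can this subject do this verb on this resource in this namespace" from a set of (Cluster)Roles and (Cluster)RoleBindings. It is an added example, not code from the slides or from Kubernetes; the objects are constructed in the script (the pod-reader Role and RoleBinding mirror the slides, while the secret-reader ClusterRole, the team-a namespace, the users alice and bob and the ops group are made up for the illustration). The ServiceAccount group memberships it derives (system:serviceaccounts and system:serviceaccounts:<namespace>) are the ones the API server really attaches to a ServiceAccount token.

```python
from typing import Optional
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    kind: str                       # "ServiceAccount", "User" or "Group"
    name: str
    namespace: str = ""             # set only for ServiceAccount


@dataclass(frozen=True)
class Rule:
    api_groups: tuple               # "" is the core API group (pods, secrets, ...)
    resources: tuple
    verbs: tuple


@dataclass(frozen=True)
class Role:
    name: str
    rules: tuple
    namespace: Optional[str] = None  # None means this object is a ClusterRole


@dataclass(frozen=True)
class Binding:
    name: str
    subjects: tuple
    role_ref_kind: str              # "Role" or "ClusterRole"
    role_ref_name: str
    namespace: Optional[str] = None  # None means this object is a ClusterRoleBinding


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    """A single RBAC rule is purely additive: every field must match."""
    return (_matches(rule.verbs, verb) and _matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource))


def identities_for_service_account(namespace, name):
    """The subject identities the API server derives from a ServiceAccount token."""
    return {
        Subject("ServiceAccount", name, namespace),
        Subject("Group", "system:serviceaccounts"),
        Subject("Group", f"system:serviceaccounts:{namespace}"),
    }


def can_i(identities, verb, api_group, resource, namespace, roles, bindings):
    """True if any binding reachable from these identities allows the request.

    Pass namespace="" for cluster-scoped resources such as nodes."""
    for b in bindings:
        if not identities & set(b.subjects):
            continue
        # A RoleBinding only grants inside its own namespace, even when it references
        # a ClusterRole (mix and match). A ClusterRoleBinding applies everywhere.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if b.role_ref_kind == "Role" and b.namespace is None:
            continue                # a ClusterRoleBinding cannot reference a Role
        role_ns = b.namespace if b.role_ref_kind == "Role" else None
        role = next((r for r in roles
                     if r.name == b.role_ref_name and r.namespace == role_ns), None)
        if role is None:
            continue                # dangling roleRef grants nothing
        if any(rule_allows(rule, verb, api_group, resource) for rule in role.rules):
            return True
    return False


# Constructed objects: pod-reader mirrors the slides, secret-reader/team-a/alice/ops are made up.
ROLES = (
    Role("pod-reader", namespace="default", rules=(
        Rule(("",), ("pods",), ("get", "watch", "list")),
        Rule(("apps",), ("deployments",), ("get", "list", "update", "patch")))),
    Role("secret-reader", rules=(                       # ClusterRole: no namespace
        Rule(("",), ("secrets",), ("get", "list")),)),
)
BINDINGS = (
    Binding("pod-reader", namespace="default", role_ref_kind="Role", role_ref_name="pod-reader",
            subjects=(Subject("ServiceAccount", "test", "default"),
                      Subject("ServiceAccount", "demo", "default"))),
    # Mix and match: a cluster-wide ClusterRole granted only inside team-a.
    Binding("alice-secrets", namespace="team-a", role_ref_kind="ClusterRole",
            role_ref_name="secret-reader", subjects=(Subject("User", "alice"),)),
    # ClusterRoleBinding: the same ClusterRole granted in every namespace.
    Binding("ops-secrets", role_ref_kind="ClusterRole", role_ref_name="secret-reader",
            subjects=(Subject("Group", "ops"),)),
)


def audit():
    """Evaluate a set of access questions; returns {question: allowed}."""
    sa_test = identities_for_service_account("default", "test")
    alice = {Subject("User", "alice")}
    bob_in_ops = {Subject("User", "bob"), Subject("Group", "ops")}
    q = lambda ids, verb, group, res, ns: can_i(ids, verb, group, res, ns, ROLES, BINDINGS)
    return {
        "sa test lists pods in default": q(sa_test, "list", "", "pods", "default"),
        "sa test lists pods in team-a": q(sa_test, "list", "", "pods", "team-a"),
        "sa test deletes pods in default": q(sa_test, "delete", "", "pods", "default"),
        "sa test patches deployments in default": q(sa_test, "patch", "apps", "deployments", "default"),
        "alice gets secrets in team-a": q(alice, "get", "", "secrets", "team-a"),
        "alice gets secrets in default": q(alice, "get", "", "secrets", "default"),
        "bob (ops) gets secrets in default": q(bob_in_ops, "get", "", "secrets", "default"),
        "alice lists nodes (cluster-scoped)": q(alice, "list", "", "nodes", ""),
    }


if __name__ == "__main__":
    for question, allowed in audit().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {question}")
```

The same questions can be asked of a live cluster with kubectl auth can-i, impersonating the subject (for example --as=system:serviceaccount:default:test, or --as=alice --as-group=ops) and passing -n for the namespace; comparing that output against the intended scoping is a cheap way to catch a ClusterRoleBinding that was meant to be a RoleBinding.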