Role: what resource(s) to access, and which permissions are granted on them
RoleBinding: who is granted access (the subject), and which role is granted
  Subject kinds: ServiceAccount, User / Group (more later)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
# "" is the core API group (pods, services, ...); "apps" holds deployments
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "update", "patch"]
What resource(s) to access: apiGroups, resources
Which permissions are granted: verbs
ClusterRole: works in the same way
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader
subjects:
# ServiceAccount subjects take the empty apiGroup (so it is omitted) and must
# name their namespace; "default" is assumed here because the page gives none.
- kind: ServiceAccount
  name: test
  namespace: default
- kind: ServiceAccount
  name: demo
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Who is granted access: subjects
Which role is granted: roleRef
Define and assign roles inside a namespace using Role, RoleBinding
Define and assign roles for the whole cluster using ClusterRole, ClusterRoleBinding
Define roles for the whole cluster and assign them in a namespace
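The three Role/Binding combinations above decide where a grant applies. The following is an added example, not code from the page or from Kubernetes: a small model of RBAC evaluation that reproduces the pod-reader rules as a Role and as a ClusterRole, binds them with a RoleBinding and a ClusterRoleBinding, and answers "is this request allowed?". The namespaces ("default", "staging", "prod"), the ServiceAccount "ops" in kube-system and the subject string format are all constructed for the example.

```python
"""Minimal model of Kubernetes RBAC evaluation (added example, not Kubernetes code).

RBAC is allow-only: a request is permitted if any binding that names the
subject and covers the request's namespace references a role with a matching
rule. There are no deny rules, so grants simply accumulate.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]

    def matches(self, api_group: str, resource: str, verb: str) -> bool:
        # "*" is a wildcard as in the RBAC API; "" is the core API group.
        def ok(allowed: List[str], value: str) -> bool:
            return "*" in allowed or value in allowed
        return (ok(self.api_groups, api_group)
                and ok(self.resources, resource)
                and ok(self.verbs, verb))


@dataclass
class RoleDef:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None   # None models a ClusterRole


@dataclass
class Binding:
    role: RoleDef
    subjects: Set[str]                # constructed format: "Kind:namespace:name"
    namespace: Optional[str] = None   # None models a ClusterRoleBinding


def is_allowed(bindings: List[Binding], subject: str, namespace: str,
               api_group: str, resource: str, verb: str) -> bool:
    for b in bindings:
        if subject not in b.subjects:
            continue
        # A RoleBinding grants only inside its own namespace, even when its
        # roleRef points at a ClusterRole; a ClusterRoleBinding grants everywhere.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.matches(api_group, resource, verb) for r in b.role.rules):
            return True
    return False


# Constructed scenario mirroring the page's pod-reader rules.
POD_READER_RULES = [
    Rule([""], ["pods"], ["get", "watch", "list"]),
    Rule(["apps"], ["deployments"], ["get", "list", "update", "patch"]),
]
POD_READER = RoleDef("pod-reader", POD_READER_RULES, namespace="default")  # Role
POD_READER_CLUSTER = RoleDef("pod-reader", POD_READER_RULES)               # ClusterRole

SA_TEST = "ServiceAccount:default:test"
SA_DEMO = "ServiceAccount:default:demo"
SA_OPS = "ServiceAccount:kube-system:ops"   # hypothetical subject

BINDINGS = [
    # Role + RoleBinding: defined and granted inside "default"
    Binding(POD_READER, {SA_TEST, SA_DEMO}, namespace="default"),
    # ClusterRole + RoleBinding: defined cluster-wide, granted only in "staging"
    Binding(POD_READER_CLUSTER, {SA_TEST}, namespace="staging"),
    # ClusterRole + ClusterRoleBinding: granted in every namespace
    Binding(POD_READER_CLUSTER, {SA_OPS}),
]


def check(subject: str, namespace: str, api_group: str, resource: str, verb: str) -> bool:
    return is_allowed(BINDINGS, subject, namespace, api_group, resource, verb)


if __name__ == "__main__":
    for req in [(SA_TEST, "default", "", "pods", "list"),
                (SA_TEST, "default", "", "pods", "delete"),
                (SA_TEST, "prod", "", "pods", "get"),
                (SA_OPS, "prod", "apps", "deployments", "patch")]:
        print(req, "->", "allowed" if check(*req) else "denied")
```

Two checks worth noting: "delete" is never granted because no rule lists it, and asking for "deployments" in the core group ("") is denied even though the deployments rule exists, because that rule is bound to the "apps" group. Matching apiGroups to the resource is part of least privilege, not just a syntax detail.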