You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »


  • Establish a system of users with different roles to access a set of Kubernetes resources.
  • Control processes running in a Pod and operations they can perform via the Kubernetes API.
  • Limit the visibility of certain resources per namespaces.


RBAC has three main building blocks.

SubjectThe user or process that wants to access a resource.
ResourceThe Kubernetes API resource type.
VerbThe operation that can be executed on the resource.

Calls to the API server needs to be authenticated and Kubernetes offers a variety of authentication methods for those API requests.

Authentication StrategyDescription
X.509 client certificateUse an OpenSSL client certificate to authenticate.
Basic authenticationUsername and password.
Bearer tokensUse an OpenID or web-hooks as ways to authenticate.


  • Kubernetes does not store or represent users or groups with an API resources, it does not exist in its etcd database, however ServiceAccounts exists as objects in Kubernetes and are used by processes running inside the cluster.
  • Kubernetes clusters come with a ServiceAccount called default that lives in the default namespace.  Any pod that doesn't explicitly assign a ServiceAccount uses the default ServiceAccount.

Creating a ServiceAccount

kubectl CLI
kubectl create serviceaccount test-bot
YAML manifest
apiVersion: v1
kind: ServiceAccount
  name: test-bot

RBAC API Primitives

Kubernetes has two API resource primitives used to implement the RBAC functionality.

RoleThe Role API primitive declares the API resources and the set of allowed operations on those resources.
RoleBindingThe RoleBinding API primitive binds the Role object to the subject(s).

Default Roles in Kubernetes

Default ClusterRoleDescription
cluster-adminAllows read/write access to any resources across all namespaces.
adminAllows read/write to any resources in a namespace.
editAllows read/write access to resources in a namespace except Roles and RoleBindings.  Does provide access to Secrets.
viewAllows read-only access to resource in a namespace except Roles, RoleBindings, and Secrets.

Creating Roles

kubectl CLI
kubectl create role my-ro --verb=get,list,watch --resource=pods,deployments,services
YAML manifest
kind: Role
  name: my-ro
  - apiGroups:
    - ""
    - pods
    - services
    - list
    - get
    - watch
  - apiGroups:
    - apps
    - deployments
    - list
    - get
    - watch

The API group name for a resource can be identified by performing kubectl explain <resource>

  • No labels