Kubernetes Security 101 : RBAC roles ( Role-Based Access Control ) and Role bindings

RBAC (role-based access control):

When we have users to whom we want to give similar access rights, we attach them to the same role.
Each role has a set of access rights, so instead of giving the same access rights to each of the "similar" users, we give the access rights to a role and attach all the "similar" users to it.

Creating a role:

We could have roles for database administrators, developers,...
We create a role by creating a kubernetes resources in a Yaml format "administrator-role.yaml":

  • The apiGoups is blank, because the "role" resource belongs to one of the the main API groups
  • The verbs represents the allowed actions for the role.
  • The resourceNames are the name of the resource "data_pods" and "nginx_pods" in the above example, that the user can apply the "verbs" to.
We create a role using the below command:

We can have multiple rules for a role.

Role binding:

To attach a role to a user, we will need to write a RoleBinding resource in a Yaml format:

Then we can create the RoleBinding resource, that binds the user "admin" to the role "administrator", using the below command: 

Roles and namespaces:

Roles are namespaced, if we don't mention a namespace in the Yaml configuration file, they will be created in the default namespace.
We can limit a user to a certain namespace by adding the namespace name in the Yaml configuration file.

Displaying the role:

We can display the roles in a cluster using the below command:

Displaying the role binding:

We display the role binding resources in a cluster using the below command:

Displaying information about a role:

To get more information about a role, we could use the below command to get more information about the  administrator role:

Displaying the rights of users:

To see our access rights as a user, we could use the below command to see our rights regarding the creation of "pods" for example:

Or as an administrator of the cluster, we could use:

We could optionally add the namespace to see the rights in that specific namespaces:

Displaying kubernetes namespaced resources:

To display the kubernetes resources that are namespaced (that live in namespaces), we use the below command:


Leave as a comment: