Roles are the bridge between permissions and Kubernetes objects.
A Role is a list of rules; each rule names Kubernetes resources (pods, services, ...) and the verbs allowed on them, for example get, list, watch, create, update, patch and delete. Rules only ever grant access: RBAC has no deny rule, so a subject's permissions are the union of every Role and ClusterRole bound to it, and anything not granted is refused.
Below is an example of a role in a YAML file format:
The apiGroups field of a rule names the API group each resource belongs to. The core group (pods, services, secrets, ...) is served at /api/v1 and is written as the empty string "" in a rule; other groups are named, for example "apps" for deployments, served under /apis/apps/v1.
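The page's own manifest is not reproduced here. The following is an added example of a namespaced Role, not taken from the original page: it defines the role "pod-role" in the default namespace that the page discusses later, with one rule in the core group and one in the "apps" group. The pods/log subresource and the deployments rule are this example's own additions.

```yaml
# Added example, not the page's own manifest: a namespaced Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-role
  namespace: default          # a Role must carry a namespace; it grants nothing outside it
rules:
- apiGroups: [""]             # "" is the core API group, served at /api/v1
  resources: ["pods", "pods/log"]   # subresources are granted explicitly
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]         # deployments live in the apps group, served at /apis/apps/v1
  resources: ["deployments"]
  verbs: ["get", "list"]
```

Keep verbs narrow: "*" for verbs or resources, and "create" on pods in particular, is far more than "read-only" and should be a deliberate choice, never a default.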
A Role is namespaced: it only ever grants access to objects in its own namespace. A ClusterRole is cluster-scoped, and is used for cluster-scoped objects such as nodes, namespaces and persistentvolumes, for non-resource endpoints such as /healthz, or for namespaced objects across all namespaces at once.
A clusterRole could be defined as below:
Note the absence of the metadata.namespace field: a ClusterRole belongs to no namespace.
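As an added example (not the page's own manifest, and using the hypothetical name node-reader), a ClusterRole that covers the two things a Role cannot express: cluster-scoped resources and non-resource URLs.

```yaml
# Added example, not the page's own manifest: a cluster-scoped ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader           # no metadata.namespace: ClusterRoles are cluster-scoped
rules:
- apiGroups: [""]
  resources: ["nodes", "namespaces"]   # cluster-scoped resources, not tied to any namespace
  verbs: ["get", "list", "watch"]
- nonResourceURLs: ["/healthz", "/version"]   # non-resource endpoints are only valid in a ClusterRole
  verbs: ["get"]
```

A ClusterRole on its own grants nothing; what it actually allows, and where, is decided by the binding that references it.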
A RoleBinding grants the permissions of a Role to subjects, which can be users, groups or service accounts, within the binding's namespace.
A ClusterRoleBinding does the same for a ClusterRole across the whole cluster. A RoleBinding may also reference a ClusterRole; in that case the ClusterRole's permissions apply only inside the binding's namespace, which is a common way to reuse one definition in many namespaces without granting cluster-wide access.
Below is an example of a Rolebinding:
The above YAML file binds the role "pod-role" to a service account called user-1 and to a User named "user-2" in the default namespace.
The role itself is named in the roleRef section of the binding. roleRef cannot be changed after the binding is created, so repointing a binding at another role means deleting and recreating it.
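The page's binding manifest is not reproduced here. The following is an added example, not the original page's file, of a RoleBinding matching that description (pod-role bound to the service account user-1 and the user user-2 in default), followed by a ClusterRoleBinding for the ClusterRole. The names node-reader, node-reader-binding and ops-team are this example's own assumptions.

```yaml
# Added example, not the page's own manifest: a RoleBinding and a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-role-binding
  namespace: default          # the binding grants access only within this namespace
subjects:
- kind: ServiceAccount
  name: user-1
  namespace: default          # service accounts are namespaced, so the namespace is required
- kind: User
  name: user-2                # users are not Kubernetes objects; the name comes from the authenticator
  apiGroup: rbac.authorization.k8s.io
roleRef:                      # immutable after creation
  kind: Role
  name: pod-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-reader-binding   # no namespace: the grant applies cluster-wide
subjects:
- kind: Group
  name: ops-team              # hypothetical group name supplied by the authenticator
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-reader           # hypothetical ClusterRole name
  apiGroup: rbac.authorization.k8s.io
```

After applying, check the result from the subject's point of view rather than reading the YAML back: `kubectl auth can-i list pods -n default --as user-2` and `kubectl auth can-i list pods -n default --as system:serviceaccount:default:user-1` should both answer yes, while `kubectl auth can-i list pods -n kube-system --as user-2` should answer no, since the RoleBinding is confined to default.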
Service accounts, as opposed to user accounts, are identities for processes running inside a pod, not for people. They are namespaced Kubernetes objects whose credential is a token mounted into the pod, and they authenticate as system:serviceaccount:<namespace>:<name>. Every pod runs as its namespace's default service account unless it names another, and the token is mounted automatically unless automountServiceAccountToken is set to false, so any permission bound to the default service account is available to every process in every pod of that namespace.