In this tutorial, you’ll learn how to manage permissions in Kubernetes using RBAC. We’ll cover:
- Defining a Role
- Binding a Role to a User
- Inspecting Roles and RoleBindings
- Verifying Permissions with
kubectl auth can-i
- Restricting Access to Specific Resource Names
Along the way, you’ll see code examples, handy tables, and useful callouts to help reinforce best practices.
1. Defining a Role in a Namespace
A Role grants a set of permissions within a single namespace. Each Role rule comprises:
| Field | Description |
|---|
| apiGroups | API group of the resource (empty string "" for core group) |
| resources | Kubernetes resources (e.g., pods, configmaps) |
| verbs | Allowed actions (e.g., get, list, create, delete) |
| resourceNames* | Restrict operations to specific resource names |
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: developer
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "get", "create", "update", "delete"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
role-developer.yaml and apply:
kubectl apply -f role-developer.yaml
Roles are namespace-scoped by default. To apply this Role in another namespace, add namespace: your-namespace under metadata:.
2. Binding a Role to a User with RoleBinding
A RoleBinding associates one or more subjects (users, groups, or service accounts) with a Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: devuser-developer-binding
subjects:
- kind: User
name: dev-user
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: developer
apiGroup: rbac.authorization.k8s.io
rolebinding-devuser.yaml and run:
kubectl apply -f rolebinding-devuser.yaml
Ensure your Role and RoleBinding share the same namespace unless you intend to bind across namespaces.
3. Inspecting Roles and RoleBindings
Use kubectl to list or describe your RBAC resources:
-
List all Roles in the current namespace
-
List all RoleBindings in the current namespace
-
Describe a specific Role to view its rules
kubectl describe role developer
Name: developer
PolicyRule:
Resources Verbs
--------- -------------------------------
pods [get list create update delete]
configmaps [create]
-
Describe a RoleBinding to see bound subjects
kubectl describe rolebinding devuser-developer-binding
Name: devuser-developer-binding
Role:
Kind: Role
Name: developer
Subjects:
Kind Name
---- ----
User dev-user
4. Verifying Permissions with kubectl auth can-i
Check whether a user can perform specific actions:
# As the current user
kubectl auth can-i create deployments
kubectl auth can-i delete nodes
# Impersonate dev-user
kubectl auth can-i create deployments --as dev-user
kubectl auth can-i create pods --as dev-user
# → yes
kubectl auth can-i create pods --as dev-user --namespace test
# → no # dev-user has no access in 'test'
5. Restricting Access to Specific Resource Names
Limit Role permissions to named resources using resourceNames:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pod-limited
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "create", "update"]
resourceNames: ["blue", "orange"]
kubectl apply -f role-pod-limited.yaml
Links and References
