What is RBAC in Kubernetes?
Category: Kubernetes
Short answer
Kubernetes RBAC controls access to cluster resources based on roles. Roles define permissions within a namespace; ClusterRoles define cluster-wide permissions. Bindings assign these roles to users, groups, or service accounts.
How it works
RBAC uses four main objects: Role, ClusterRole, RoleBinding, and ClusterRoleBinding. The API server evaluates RBAC rules on every request. Permissions are additive and there is no deny rule, so a subject's effective access is the union of everything granted by all of its bindings.
Example
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
Bind to a user:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Why it matters
RBAC is essential for multi-tenant clusters. It enforces the principle of least privilege and prevents unauthorized access to sensitive resources.
Tips
- Use service accounts for Pod-to-API access.
- Audit RBAC policies regularly.
- Prefer Roles over ClusterRoles where possible.
Common issues
- Wildcard permissions (*) are dangerous.
- RoleBindings only grant access within their own namespace.
- Changes to RBAC take effect immediately without restart.
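To make the evaluation model from "How it works" and the audit advice in the tips concrete, here is an added example (not code from the page or from Kubernetes itself) that mirrors the API server's RBAC decision on plain dicts shaped like the YAML above: permissions are additive, nothing can deny, Roles and RoleBindings are namespace-scoped, and a ClusterRoleBinding grants cluster-wide. It also includes a small audit function that flags wildcard rules. The user "jane" and the Role "pod-reader" come from the page; the ClusterRoles "secret-reader" and "god-mode", the service account "default:app" and the group "platform-admins" are constructed for illustration. Subresources, resourceNames and nonResourceURLs are deliberately not modelled.

```python
"""Offline model of Kubernetes RBAC evaluation plus a wildcard audit.

Added example, not from the page or the Kubernetes code base. It reproduces
the core decision logic only: a request is allowed if ANY rule reachable
through ANY binding for the subject matches; there is no deny rule.
"""

# --- constructed policy objects (dict form of the page's YAML plus extras) ---
ROLES = {
    # (namespace, name) -> rules; Role objects are namespace-scoped
    ("default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    ],
}
CLUSTER_ROLES = {
    # name -> rules; ClusterRole objects are cluster-wide
    "secret-reader": [                      # constructed
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    ],
    "god-mode": [                           # constructed, deliberately over-broad
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}
ROLE_BINDINGS = [
    # the page's RoleBinding: jane may read pods, only in "default"
    {"namespace": "default", "subjects": [("User", "jane")],
     "roleRef": ("Role", "pod-reader")},
    # a RoleBinding may reference a ClusterRole but still grants only in its namespace
    {"namespace": "default", "subjects": [("ServiceAccount", "default:app")],
     "roleRef": ("ClusterRole", "secret-reader")},
]
CLUSTER_ROLE_BINDINGS = [
    # a ClusterRoleBinding must reference a ClusterRole and applies everywhere
    {"subjects": [("Group", "platform-admins")],
     "roleRef": ("ClusterRole", "god-mode")},
]


def _rule_allows(rule, api_group, resource, verb):
    """One rule matches when apiGroup, resource and verb each match ('*' matches anything)."""
    def match(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (match(rule["apiGroups"], api_group)
            and match(rule["resources"], resource)
            and match(rule["verbs"], verb))


def _rules_for_ref(role_ref, binding_namespace):
    """Resolve a binding's roleRef; a Role is only visible from its own namespace."""
    kind, name = role_ref
    if kind == "ClusterRole":
        return CLUSTER_ROLES.get(name, [])
    return ROLES.get((binding_namespace, name), [])


def can_i(subject, verb, resource, namespace=None, api_group=""):
    """Return True if any binding grants the request (additive; absence of a grant is the only 'deny')."""
    # ClusterRoleBindings apply in every namespace and to cluster-scoped resources.
    for crb in CLUSTER_ROLE_BINDINGS:
        if subject in crb["subjects"]:
            rules = CLUSTER_ROLES.get(crb["roleRef"][1], [])
            if any(_rule_allows(r, api_group, resource, verb) for r in rules):
                return True
    # RoleBindings apply only to requests inside their own namespace.
    if namespace is not None:
        for rb in ROLE_BINDINGS:
            if rb["namespace"] == namespace and subject in rb["subjects"]:
                rules = _rules_for_ref(rb["roleRef"], namespace)
                if any(_rule_allows(r, api_group, resource, verb) for r in rules):
                    return True
    return False


def find_wildcard_rules():
    """Audit helper: (kind, name) of every role with a '*' in apiGroups, resources or verbs."""
    findings = []
    for (ns, name), rules in ROLES.items():
        if any("*" in r["apiGroups"] + r["resources"] + r["verbs"] for r in rules):
            findings.append(("Role", f"{ns}/{name}"))
    for name, rules in CLUSTER_ROLES.items():
        if any("*" in r["apiGroups"] + r["resources"] + r["verbs"] for r in rules):
            findings.append(("ClusterRole", name))
    return findings


if __name__ == "__main__":
    jane = ("User", "jane")
    print("jane get pods in default:", can_i(jane, "get", "pods", "default"))
    print("jane delete pods in default:", can_i(jane, "delete", "pods", "default"))
    print("jane get pods in kube-system:", can_i(jane, "get", "pods", "kube-system"))
    print("wildcard roles:", find_wildcard_rules())
```

The namespace checks show why the "RoleBindings only work within a namespace" issue bites: the same Role grants nothing for a request in another namespace, and a RoleBinding that points at a ClusterRole still does not escape its namespace. The audit function is the kind of check worth running on a dump of live RBAC objects rather than eyeballing YAML.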