RBAC Reference

Kubernetes RBAC Model

[Diagram: Kubernetes RBAC model. Roles (namespace-scoped) and ClusterRoles (cluster-scoped) define permissions on API resources; RoleBindings and ClusterRoleBindings bind them to identities (User, Group, ServiceAccount); a Pod runs as a ServiceAccount; a RoleBinding can also bind a ClusterRole inside the namespace boundary.]

What is RBAC?

Kubernetes RBAC (Role-Based Access Control) decides which authenticated identity may perform which verb on which API resource. Permissions are declared in Roles and ClusterRoles and granted to subjects through RoleBindings and ClusterRoleBindings. RBAC is purely additive: there are no deny rules, and a request that no binding allows is rejected.

RBAC graduated to stable in Kubernetes 1.8 and is the standard authorization mode for production clusters. It is active when RBAC is listed in the kube-apiserver --authorization-mode flag; kubeadm and the managed Kubernetes offerings configure this for you, but a cluster still running with AlwaysAllow has no authorization at all, so verify the flag rather than assume it.

Roles & ClusterRoles

Roles define a set of permissions as a list of rules. Each rule names the apiGroups, the resources (including subresources such as pods/log or pods/exec) and the verbs (actions) it allows, and may optionally be limited to specific resourceNames.

  • Role -- namespace-scoped, grants access to namespaced resources within a single namespace
  • ClusterRole -- cluster-scoped; can grant access across all namespaces, to cluster-scoped resources (nodes, namespaces, persistentvolumes) and to non-resource URLs such as /healthz or /metrics, which only a ClusterRole can cover

Bindings

Bindings connect Roles to Identities, granting the referenced role's permissions to every listed subject.

  • ClusterRoleBinding -- references a ClusterRole and grants its permissions in every namespace and on cluster-scoped resources
  • RoleBinding -- grants permissions only within the namespace the binding lives in; it may reference a Role in that namespace or a ClusterRole

A binding's roleRef is immutable: to point an existing binding at a different role, delete and recreate it. A ClusterRole referenced by a RoleBinding grants its permissions within that single namespace only.

Identities

Three kinds of subjects can be granted permissions:

  • Users -- human or machine accounts established by an external authenticator (client certificates, OIDC tokens, an authentication webhook, etc.). Kubernetes stores no User objects; the username is whatever the authenticator reports, for example the certificate's CN.
  • Groups -- collections of users supplied by the authenticator (certificate O fields, an OIDC groups claim), plus built-in groups such as system:authenticated, system:unauthenticated and system:masters. The bootstrap policy binds system:masters to cluster-admin, so membership is equivalent to full control of the cluster.
  • ServiceAccounts -- technical identities for pods, managed by Kubernetes as API objects. A service account authenticates as the user system:serviceaccount:<namespace>:<name> and is automatically a member of the groups system:serviceaccounts and system:serviceaccounts:<namespace>.

Namespace Scope

Roles and RoleBindings are limited to a namespace. ClusterRoles and ClusterRoleBindings apply cluster-wide.

A ClusterRole can be referenced by a RoleBinding to grant its permissions within a single namespace -- this is the common pattern for reusable permission sets (the built-in admin, edit and view ClusterRoles are meant to be used this way). The subjects of a RoleBinding need not live in that namespace: a ServiceAccount from another namespace can be bound, which is how cross-namespace access is normally granted and is worth auditing for.
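To make the resolution order concrete, here is an added example written for this page (it is not Kubernetes source) that re-implements the authorizer's decision in Python over constructed manifests: a ClusterRole "secret-reader" reused through a RoleBinding in the dev namespace, a Role "pod-logs" bound to a user, and the system:masters group bound cluster-wide. The names, namespaces and subjects are assumptions for illustration; the rules for wildcards, subresources and resourceNames follow the real authorizer.

```python
# Added example (not Kubernetes source): a minimal re-implementation of how the
# RBAC authorizer resolves one request against Roles, ClusterRoles and their
# bindings. Manifests are constructed Python dicts mirroring the YAML fields.
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    groups: frozenset
    verb: str
    resource: str        # "pods", "secrets", or a subresource such as "pods/log"
    api_group: str = ""  # "" is the core API group
    namespace: str = ""  # "" for cluster-scoped resources such as nodes
    name: str = ""       # object name; "" for list, watch and create

def _matches(allowed, value):
    return "*" in allowed or value in allowed  # '*' is a per-field wildcard

def _resource_matches(allowed, resource):
    # 'pods' does not cover 'pods/log'; the rule must list 'pods/log' or '*/log'.
    if "*" in allowed or resource in allowed:
        return True
    return "/" in resource and "*/" + resource.split("/", 1)[1] in allowed

def rule_allows(rule, req):
    """One PolicyRule allows a request only when every field matches."""
    if not (_matches(rule.get("verbs", []), req.verb)
            and _matches(rule.get("apiGroups", []), req.api_group)
            and _resource_matches(rule.get("resources", []), req.resource)):
        return False
    names = rule.get("resourceNames")
    # resourceNames only restricts named requests; a nameless list/watch/create
    # request never matches a name-restricted rule.
    return not names or req.name in names

def subject_matches(subject, req):
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return req.user == name
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":  # username as presented by the authenticator
        return req.user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False

def authorize(req, cluster_roles, roles, cluster_role_bindings, role_bindings):
    """True if any applicable binding references a role with a matching rule.
    RBAC is additive: there are no deny rules, and no match means deny."""
    for crb in cluster_role_bindings:  # ClusterRoleBindings apply everywhere
        if any(subject_matches(s, req) for s in crb["subjects"]):
            role = cluster_roles.get(crb["roleRef"]["name"])
            if role and any(rule_allows(r, req) for r in role["rules"]):
                return True
    if not req.namespace:  # cluster-scoped request: RoleBindings never apply
        return False
    for rb in role_bindings:  # only RoleBindings in the request's namespace count
        if rb["metadata"]["namespace"] != req.namespace:
            continue
        if not any(subject_matches(s, req) for s in rb["subjects"]):
            continue
        ref = rb["roleRef"]
        if ref["kind"] == "ClusterRole":  # reused ClusterRole, scoped to this namespace
            role = cluster_roles.get(ref["name"])
        else:                             # a Role lives in the binding's own namespace
            role = roles.get((req.namespace, ref["name"]))
        if role and any(rule_allows(r, req) for r in role["rules"]):
            return True
    return False

# Constructed sample policy: two ClusterRoles, one Role and three bindings.
CLUSTER_ROLES = {
    "cluster-admin": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    "secret-reader": {"rules": [{"apiGroups": [""], "resources": ["secrets"],
                                 "verbs": ["get", "list"]}]},
}
ROLES = {("dev", "pod-logs"): {"rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                                          "verbs": ["get", "list"]}]}}
CLUSTER_ROLE_BINDINGS = [{"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                          "subjects": [{"kind": "Group", "name": "system:masters"}]}]
ROLE_BINDINGS = [
    # ClusterRole reused through a RoleBinding: secrets readable in "dev" only,
    # granted to a ServiceAccount that lives in another namespace ("tools").
    {"metadata": {"namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "tools"}]},
    {"metadata": {"namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-logs"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

def can(user, groups, verb, resource, namespace="", name="", api_group=""):
    """Evaluate one request against the sample policy, like `kubectl auth can-i`."""
    req = Request(user, frozenset(groups), verb, resource, api_group, namespace, name)
    return authorize(req, CLUSTER_ROLES, ROLES, CLUSTER_ROLE_BINDINGS, ROLE_BINDINGS)
```

With this policy, can("system:serviceaccount:tools:ci", [], "get", "secrets", "dev") is allowed while the same request in "prod" is denied, because the RoleBinding scopes the reused ClusterRole to dev; alice can read pods/log but not pods/exec, since a subresource must be listed explicitly; and a cluster-scoped request such as delete on nodes is only ever satisfied by a ClusterRoleBinding. On a live cluster the equivalent check is kubectl auth can-i get secrets -n dev --as=system:serviceaccount:tools:ci.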

The RBAC Verbs

Fourteen named verbs can appear in a rule's verbs list; "*" matches all of them. Verbs are checked per rule, so a rule granting only get on secrets does not permit list, and vice versa.

  Category      Verbs                                            Notes
  Read          get, list, watch                                 list and watch return whole objects; list on secrets discloses every secret in scope
  Write         create, update, patch, delete, deletecollection  create on subresources such as pods/exec and pods/portforward amounts to code execution in the pod
  Identity      impersonate                                      act as another user, group, serviceaccount or uid (what kubectl --as uses)
  Escalation    bind, escalate                                   bind: reference a role in a binding without holding all of its permissions; escalate: create or update a role that grants permissions the actor does not hold
  Certificates  approve, sign                                    checked on the signers resource (certificates.k8s.io) when a CertificateSigningRequest is approved or signed
  Deprecated    use                                              PodSecurityPolicy, removed in Kubernetes 1.25
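The bind and escalate verbs exist because writing RBAC objects is itself a privilege escalation path: without a guard, anyone allowed to create Roles could write themselves a role granting everything. The following added example, written for this page and not taken from Kubernetes, models the two checks the API server performs when a Role or binding is written. The actor's permissions are given as a flattened list of rules (real Kubernetes derives that list through its rule resolver), and the NAMESPACE_ADMIN, ESCALATOR and BINDER permission sets are constructed for illustration.

```python
# Added example (not Kubernetes source): a simplified model of the privilege
# escalation checks the API server applies to writes of RBAC objects. The
# actor's permissions are the flat list of PolicyRules their bindings resolve
# to; real Kubernetes computes that list with its rule resolver.
RBAC_GROUP = "rbac.authorization.k8s.io"

def _wild(allowed, value):
    # '*' in the actor's rule is a wildcard; '*' in the requested rule is only
    # covered by an actor rule that itself contains '*'.
    return "*" in allowed or value in allowed

def triple_covered(owned_rules, group, resource, verb, name=None):
    """Is one (apiGroup, resource, verb[, resourceName]) covered by the actor?"""
    for rule in owned_rules:
        if not (_wild(rule["apiGroups"], group) and _wild(rule["resources"], resource)
                and _wild(rule["verbs"], verb)):
            continue
        owned_names = rule.get("resourceNames", [])
        # A name-restricted owned rule cannot cover an unrestricted request.
        if owned_names and (name is None or name not in owned_names):
            continue
        return True
    return False

def rules_covered(owned_rules, wanted_rules):
    """Every combination the wanted rules grant must already be held."""
    for rule in wanted_rules:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                for verb in rule["verbs"]:
                    for name in rule.get("resourceNames") or [None]:
                        if not triple_covered(owned_rules, group, resource, verb, name):
                            return False
    return True

def may_write_role(actor_rules, new_rules, kind="roles"):
    """create/update of a Role or ClusterRole: the actor must already hold
    everything the new rules grant, unless they hold 'escalate' on that kind."""
    if triple_covered(actor_rules, RBAC_GROUP, kind, "escalate"):
        return True
    return rules_covered(actor_rules, new_rules)

def may_bind(actor_rules, role_rules, role_name, kind="clusterroles"):
    """create of a binding: the actor must hold everything the referenced role
    grants, unless they hold 'bind' on that kind (optionally limited by
    resourceNames to specific roles)."""
    if triple_covered(actor_rules, RBAC_GROUP, kind, "bind", role_name):
        return True
    return rules_covered(actor_rules, role_rules)

# Constructed sample permission sets.
NAMESPACE_ADMIN = [{"apiGroups": ["", "apps"],
                    "resources": ["pods", "deployments", "configmaps"], "verbs": ["*"]}]
SECRET_READER = [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]
POD_READER = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]
# Same admin, plus 'escalate' on roles: may author any Role in the namespace.
ESCALATOR = NAMESPACE_ADMIN + [{"apiGroups": [RBAC_GROUP], "resources": ["roles"],
                                "verbs": ["escalate"]}]
# Same admin, plus 'bind' limited to one ClusterRole by resourceNames.
BINDER = NAMESPACE_ADMIN + [{"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"],
                             "verbs": ["bind"], "resourceNames": ["secret-reader"]}]
```

NAMESPACE_ADMIN can create a pod-reader Role (every permission in it is already held) but not a secret-reader Role, and cannot bind the secret-reader ClusterRole either. ESCALATOR can author the secret-reader Role because it holds escalate on roles, but not a ClusterRole of the same content, since escalate was granted on roles only. BINDER can bind exactly the ClusterRole named in its resourceNames and nothing else it does not already cover. When reviewing a cluster, treat any grant of bind or escalate the way you would treat cluster-admin.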

Resource Categories

The categories below are a presentation grouping for browsing; an RBAC rule matches on the resource's apiGroup and plural name (plus any subresource), not on a category.

  Category        Description                 Example Resources
  Management      Core workload objects       pods, deployments, replicasets, statefulsets, jobs
  Data            Configuration and secrets   configmaps, secrets
  Networking      Network resources           services, ingresses, networkpolicies, endpoints
  Storage         Persistent storage          persistentvolumeclaims, persistentvolumes, storageclasses
  Infrastructure  Cluster infrastructure      nodes, namespaces, events, componentstatuses (deprecated since Kubernetes 1.19)
  RBAC            RBAC resources              roles, clusterroles, rolebindings, clusterrolebindings
  CRD             Custom and third-party      customresourcedefinitions, any CRD-defined resources