Access Control (RBAC) in Kubernetes
In this post, I attempt to explain RBAC. I am writing this because I had a hard time figuring out RBAC from the official docs; I hope this helps you get the basic idea of RBAC.
What is RBAC?
RBAC is short for Role-based access control: permissions are attached to a Role, and a Subject receives those permissions by being bound to the Role. RBAC rules are purely additive. A rule can grant a verb on a resource, but there is no way to deny one, so a request that no rule grants is refused.
RBAC has three core concepts:
- Role
- Subject
- RoleBinding
Role: a namespaced list of rules. Each rule names the API group(s), the resource(s) and the verbs (get, list, watch, create, update, patch, delete, ...) it permits. A Role says nothing about who gets the permissions; that is the binding's job.
Here is an example role which can only list pods
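The Role manifest, as an added example that is not from the original post. The name pods-role is the one the post uses for its binding; the default namespace is an assumption.

```yaml
# Added example (not from the original post): a namespaced Role that grants
# only the "list" verb on pods. Namespace "default" is assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-role
  namespace: default        # a Role only ever covers the namespace it lives in
rules:
- apiGroups: [""]           # "" is the core API group, where pods live
  resources: ["pods"]
  verbs: ["list"]           # rules are additive; RBAC has no deny rule.
                            # "get" and "watch" are deliberately left out, so
                            # "kubectl get pods" (a list) works but
                            # "kubectl get pod <name>" (a get) is forbidden.
```

Keep verbs as narrow as the workload needs; `["*"]` for verbs or resources turns a scoped Role into namespace admin.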
Subject: Roles are applied to subjects. A subject can be a User (a human, or anything that authenticates with a client certificate or token), a Group, or a ServiceAccount (a program running in the cluster). Users and Groups are not Kubernetes objects; the authenticator asserts them and RBAC matches them by name. A ServiceAccount is a namespaced object. The bound roles control what a Subject can do.
Here is an example subject (ServiceAccount):
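The ServiceAccount manifest, as an added example that is not from the original post. The name test-service-account is the one the post uses; the namespace and the token-mount setting are my assumptions.

```yaml
# Added example (not from the original post): the ServiceAccount that will be
# the subject of the binding. Namespace "default" is assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-service-account
  namespace: default
# Hardening choice (my assumption, not something RBAC requires): do not mount
# the account's token into every pod that runs as it. A pod that really needs
# the API can opt back in with spec.automountServiceAccountToken: true.
automountServiceAccountToken: false
# User and Group subjects have no manifest at all: the authenticator asserts
# them (certificate CN/O fields, OIDC claims, ...). To RBAC this ServiceAccount
# looks like the user  system:serviceaccount:default:test-service-account
# and a member of the group  system:serviceaccounts:default
```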
RoleBinding: a RoleBinding links one Role to one or more Subjects. Until a binding exists, a Role grants nothing.
Here is an example RoleBinding which gives our service account test-service-account permission to list pods by binding pods-role to test-service-account:
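The RoleBinding manifest, as an added example that is not from the original post. It binds the post's pods-role to the post's test-service-account; the binding name and the default namespace are assumptions.

```yaml
# Added example (not from the original post): bind pods-role to the
# ServiceAccount. Binding name and namespace "default" are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pods-role-binding
  namespace: default          # must be the namespace the Role lives in
subjects:
- kind: ServiceAccount
  name: test-service-account
  namespace: default          # required for ServiceAccount subjects
roleRef:
  kind: Role
  name: pods-role
  apiGroup: rbac.authorization.k8s.io   # roleRef cannot be changed after creation;
                                        # to point at another Role, delete and recreate
```

To check the result without deploying anything, impersonate the account: `kubectl auth can-i list pods -n default --as system:serviceaccount:default:test-service-account` should answer yes, and the same command with `get` or with `-n kube-system` should answer no. Impersonation itself needs the `impersonate` verb, which cluster-admin has.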
About cluster wide operations
- A Role and a RoleBinding only work in the namespace they are created in. For cluster-wide permissions, or for cluster-scoped resources such as nodes, namespaces and persistentvolumes, you need a ClusterRole and a ClusterRoleBinding. A ClusterRole can also be referenced from an ordinary RoleBinding, in which case its rules apply only inside that binding's namespace; this is how one reusable ClusterRole gets handed out namespace by namespace.
- To create a ClusterRole or ClusterRoleBinding you need permission to create those resources, and RBAC additionally refuses to let you grant permissions you do not hold yourself (unless you have the escalate verb on roles or the bind verb on bindings). In practice that means cluster-admin, or an identity that already holds everything the new role grants.
Example ClusterRole & ClusterRoleBinding
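The ClusterRole and ClusterRoleBinding manifests, as an added example that is not from the original post, followed by the ClusterRole-plus-RoleBinding reuse pattern described above. All names except test-service-account, and the team-a namespace and group, are assumptions.

```yaml
# Added example (not from the original post). ClusterRole: not namespaced, and
# the only way to grant cluster-scoped resources such as nodes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader            # name assumed
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
---
# ClusterRoleBinding: grants the ClusterRole everywhere in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-reader-binding    # name assumed
subjects:
- kind: ServiceAccount
  name: test-service-account
  namespace: default
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
---
# Reuse pattern: define the rules once as a ClusterRole ...
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader             # name assumed
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# ... and hand them out with a RoleBinding. Because the binding is namespaced,
# team-a-developers can read pods in team-a only, not cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-team-a      # name assumed
  namespace: team-a            # namespace assumed
subjects:
- kind: Group
  name: team-a-developers      # group name assumed; asserted by the authenticator
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

The scope is decided by the binding, not the role: the same pod-reader ClusterRole bound through a ClusterRoleBinding would read pods in every namespace. Be especially careful binding anything cluster-wide to the built-in groups `system:serviceaccounts` or `system:authenticated`, since that grants the rules to every service account or every logged-in identity at once.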
References/Further reading:
- Big list of roles from the Kubernetes test suite, comes in handy when you are writing complex roles
- Kubernetes RBAC Docs
- CNCF blog post on RBAC
- Daisuke Maki’s blog post on Configuring RBAC
- Dominik Tornow’s blog post on internals of Kubernetes RBAC
Thanks @op_hamster and @lokeshdevnani