RBAC (Role-Based Access Control) is critical for securing Kubernetes clusters. It controls who can access what resources within the cluster.
RBAC Concepts
- Role: grants permissions on resources within a single namespace
- ClusterRole: grants permissions cluster-wide, including on non-namespaced resources
- RoleBinding: binds subjects (users, groups, or service accounts) to a Role within a namespace
- ClusterRoleBinding: binds subjects to a ClusterRole across the whole cluster
Example: Developer Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: development
subjects:
- kind: User
  name: [email protected]
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
Read-Only ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-viewer
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps", "extensions"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
Note that resources: ["*"] in the core API group includes secrets, so a "read-only" role like this can still read every Secret in the cluster; list the resources explicitly if that is not intended.
Best Practices
- Start from no permissions and grant only what each workload or user actually needs
- Use namespaces to isolate workloads and scope Roles and RoleBindings to them
- Prefer namespaced RoleBindings; use ClusterRoleBindings only when cluster-wide access is genuinely required
- Regularly audit RBAC permissions, including wildcard rules and bindings to cluster-wide roles
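As an added example (not part of the original page) of the audit practice above, the script below scans RBAC rules in the JSON shape that kubectl get roles,clusterroles -A -o json returns and flags rules worth reviewing: wildcard resources in the core group (which silently include secrets), wildcard writes, explicit secret access, and the escalation verbs. The embedded sample is constructed from the two roles on this page; the finding strings and the SENSITIVE set are the author's own choices.

```python
import json

# Constructed sample in the shape of `kubectl get roles,clusterroles -A -o json`,
# containing the developer Role and cluster-viewer ClusterRole from this page.
SAMPLE = json.dumps({"items": [
    {"kind": "Role", "metadata": {"name": "developer", "namespace": "development"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "services", "configmaps"],
          "verbs": ["get", "list", "watch", "create", "update", "delete"]},
         {"apiGroups": ["apps"], "resources": ["deployments"],
          "verbs": ["get", "list", "watch", "create", "update"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-viewer"},
     "rules": [
         {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["apps", "extensions"], "resources": ["*"],
          "verbs": ["get", "list", "watch"]}]},
]})

# Reading these is equivalent to holding credentials (assumed list, extend as needed).
SENSITIVE = {"secrets", "serviceaccounts/token"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}


def audit_rules(rbac_json):
    """Return (role_name, finding) pairs for rules that deserve a second look."""
    findings = []
    for item in json.loads(rbac_json)["items"]:
        meta = item["metadata"]
        ns = meta.get("namespace")
        name = f'{item["kind"]}/{ns + "/" if ns else ""}{meta["name"]}'
        for rule in item.get("rules", []):
            groups = set(rule.get("apiGroups", []))
            resources = set(rule.get("resources", []))
            verbs = set(rule.get("verbs", []))
            if "*" in verbs and "*" in resources:
                findings.append((name, "wildcard verbs on wildcard resources (cluster-admin equivalent)"))
            elif "*" in resources and WRITE_VERBS & verbs:
                findings.append((name, "write verbs on wildcard resources"))
            # The core group ("") holds secrets, so a wildcard read there reads every Secret.
            if "" in groups and "*" in resources and {"get", "list"} & verbs:
                findings.append((name, "read on all core resources, which includes secrets"))
            if SENSITIVE & resources:
                findings.append((name, "explicit access to secrets or token subresource"))
            if ESCALATION_VERBS & verbs:
                findings.append((name, "privilege escalation verb granted"))
    return findings


if __name__ == "__main__":
    for role, finding in audit_rules(SAMPLE):
        print(f"{role}: {finding}")
```

Pipe real cluster output into audit_rules instead of SAMPLE to run it against a live cluster; the developer Role produces no findings, while cluster-viewer is flagged for its core-group wildcard.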
December 2024