
RoleBindings and ClusterRoleBindings in Kubernetes - Commands & Configuration

Introduction
In Kubernetes, you often need to control who can do what inside your cluster. RoleBindings and ClusterRoleBindings connect users, groups or service accounts to permissions, letting you manage access safely and clearly.

Typical situations where you need a binding:

  • When you want to give a user permission to manage resources only in one specific namespace.
  • When you need to allow a service account to read pods across all namespaces.
  • When you want to restrict a developer to only view resources without changing them.
  • When you want to grant cluster-wide admin rights to a trusted user.
  • When you want to assign permissions to a group of users instead of one person.
Config File - rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-binding
  namespace: example-namespace
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

This file defines two bindings:

  • RoleBinding named read-pods-binding in the example-namespace namespace. It gives user alice the permissions defined in the pod-reader Role, which is limited to that namespace.
  • ClusterRoleBinding named cluster-admin-binding that gives user bob the cluster-admin ClusterRole, which applies cluster-wide.
Commands
This command creates the RoleBinding and ClusterRoleBinding in the cluster, assigning the specified permissions to users alice and bob.
Terminal
kubectl apply -f rolebinding.yaml
Expected Output
rolebinding.rbac.authorization.k8s.io/read-pods-binding created
clusterrolebinding.rbac.authorization.k8s.io/cluster-admin-binding created
This command shows the details of the RoleBinding named read-pods-binding in the example-namespace namespace to confirm it was created correctly.
Terminal
kubectl get rolebinding read-pods-binding -n example-namespace -o yaml
Expected Output
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-binding
  namespace: example-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alice
-n - Specifies the namespace to look in
-o yaml - Outputs the full resource details in YAML format
This command shows the details of the ClusterRoleBinding named cluster-admin-binding to verify it grants cluster-wide admin rights to bob.
Terminal
kubectl get clusterrolebinding cluster-admin-binding -o yaml
Expected Output
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: bob
-o yaml - Outputs the full resource details in YAML format
Key Concept

RoleBindings grant permissions within a namespace, while ClusterRoleBindings grant permissions across the whole cluster.
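The scope rule above is what an RBAC review checks first: which subject is granted which role, and whether the grant is confined to a namespace or reaches the whole cluster. The following audit script is an added example, not part of the original page; it reads the JSON shape that `kubectl get rolebindings,clusterrolebindings -A -o json` returns, but works here on a constructed sample that mirrors the two bindings in rolebinding.yaml plus one hypothetical RoleBinding that references a ClusterRole, to show that such a binding still grants only inside its own namespace.

```python
import json

# Constructed sample, trimmed to RBAC fields: the two bindings from rolebinding.yaml
# plus one hypothetical RoleBinding (devs-view) that points at a ClusterRole.
SAMPLE_JSON = json.dumps({"items": [
    {"kind": "RoleBinding",
     "metadata": {"name": "read-pods-binding", "namespace": "example-namespace"},
     "subjects": [{"kind": "User", "name": "alice"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "cluster-admin-binding"},
     "subjects": [{"kind": "User", "name": "bob"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"kind": "RoleBinding",  # hypothetical, not from the page
     "metadata": {"name": "devs-view", "namespace": "team-a"},
     "subjects": [{"kind": "Group", "name": "developers"}],
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
]})

def load_items(text):
    """Parse `kubectl get ... -o json` output and return its items list."""
    return json.loads(text)["items"]

def effective_scope(binding):
    """A RoleBinding grants only inside its own namespace, even when roleRef
    points at a ClusterRole; only a ClusterRoleBinding grants cluster-wide."""
    if binding["kind"] == "ClusterRoleBinding":
        return "cluster-wide"
    return "namespace:" + binding["metadata"]["namespace"]

def summarize(items):
    """One row per (subject, binding): who is granted which role, and where."""
    rows = []
    for b in items:
        for s in b.get("subjects", []):  # a binding may carry no subjects at all
            rows.append({"binding": b["metadata"]["name"],
                         "subject": f'{s["kind"]}/{s["name"]}',
                         "role": f'{b["roleRef"]["kind"]}/{b["roleRef"]["name"]}',
                         "scope": effective_scope(b)})
    return rows

def cluster_admins(items):
    """Subjects holding cluster-admin cluster-wide: the grants to review first."""
    return sorted(r["subject"] for r in summarize(items)
                  if r["role"] == "ClusterRole/cluster-admin" and r["scope"] == "cluster-wide")

if __name__ == "__main__":
    items = load_items(SAMPLE_JSON)
    for r in summarize(items):
        print(f'{r["subject"]:<20} {r["role"]:<26} {r["scope"]}')
    print("cluster-admin holders:", cluster_admins(items))
```

Against a live cluster, pipe `kubectl get rolebindings,clusterrolebindings -A -o json` into load_items instead of the constructed sample.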

Common Mistakes
  • Creating a RoleBinding but expecting it to grant cluster-wide permissions.
    RoleBindings only apply to a single namespace, so the permissions do not work outside that namespace.
    Use a ClusterRoleBinding to grant cluster-wide permissions.
  • Not specifying the correct namespace when creating or checking a RoleBinding.
    RoleBindings are namespace-scoped, so commands without the right namespace will not find them.
    Always use the -n flag with the correct namespace for RoleBindings.
  • Using a User kind in subjects without the user existing in the cluster's authentication system.
    Kubernetes has no User objects of its own: the subject name is matched against the username supplied by the cluster's authenticator, so if no authenticator ever presents that name, the binding grants nothing.
    Ensure the user is recognized by your cluster's authentication method, or use service accounts.
Summary
  • RoleBindings connect users or groups to Roles within a specific namespace.
  • ClusterRoleBindings connect users or groups to ClusterRoles across the entire cluster.
  • Use kubectl apply to create bindings and kubectl get to verify them.