
RoleBindings and ClusterRoleBindings in Kubernetes - Step-by-Step Execution

Process Flow - RoleBindings and ClusterRoleBindings
Define Role or ClusterRole
Create RoleBinding or ClusterRoleBinding
Bind Role to User/Group/ServiceAccount
Access Permissions Granted
User performs actions allowed by Role
Check permissions enforced by Kubernetes
This flow shows how Roles or ClusterRoles are bound to users or groups via RoleBindings or ClusterRoleBindings to grant permissions.
Execution Sample
kubectl create rolebinding read-pods \
  --role=view \
  --user=jane \
  --namespace=dev
This command creates a RoleBinding named 'read-pods' in the 'dev' namespace that binds the Role 'view' to the user 'jane'. Here 'view' is the namespaced Role created in Step 1 of the Process Table, not the built-in 'view' ClusterRole: --role selects a Role in the binding's namespace, --clusterrole would select a ClusterRole. Either way, a RoleBinding only grants access inside its own namespace.
Process Table
| Step | Command/Action | Resource Created | Scope | Binding Target | Effect |
|------|----------------|------------------|-------|----------------|--------|
| 1 | kubectl create role view --verb=get,list --resource=pods --namespace=dev | Role 'view' | Namespace: dev | N/A | Defines permissions to get and list pods in dev |
| 2 | kubectl create rolebinding read-pods --role=view --user=jane --namespace=dev | RoleBinding 'read-pods' | Namespace: dev | User 'jane' | Binds Role 'view' to user 'jane' in the dev namespace |
| 3 | User 'jane' runs kubectl get pods -n dev | N/A | Namespace: dev | User 'jane' | Allowed: the Role grants list on pods |
| 4 | User 'jane' runs kubectl get pods -n prod | N/A | Namespace: prod | User 'jane' | Denied: no RoleBinding for jane in prod |
| 5 | kubectl create clusterrolebinding admin-binding --clusterrole=admin --user=jane | ClusterRoleBinding 'admin-binding' | Cluster-wide | User 'jane' | Binds the built-in ClusterRole 'admin' to user 'jane' in every namespace |
| 6 | User 'jane' runs kubectl delete pod xyz -n prod | N/A | Namespace: prod | User 'jane' | Allowed: the 'admin' ClusterRole includes delete on pods, and the ClusterRoleBinding applies in all namespaces |
| 7 | User 'bob' runs kubectl get pods -n dev | N/A | Namespace: dev | User 'bob' | Denied: no RoleBinding or ClusterRoleBinding names bob (RBAC is deny-by-default) |
| 8 | END | N/A | N/A | N/A | Execution stops: all bindings created and tested |
💡 Execution stops after all RoleBindings and ClusterRoleBindings are created and tested for user permissions.
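The Process Table can be replayed offline. The block below is an added example, not Kubernetes or kubectl code: a toy authorizer that models how the API server resolves a request against Roles, ClusterRoles, RoleBindings and ClusterRoleBindings (deny by default, any matching rule grants, RoleBindings confined to their namespace, ClusterRoleBindings applying everywhere). The built-in 'admin' ClusterRole is approximated by a constructed rule set; the real one is aggregated and broader. It also goes one step beyond the table: a RoleBinding that references a ClusterRole is still namespace-limited, and a cluster-wide 'admin' binding does not reach cluster-scoped resources such as nodes. In a real cluster the equivalent check is `kubectl auth can-i delete pods -n prod --as=jane`.

```python
# Added example: toy model of Kubernetes RBAC binding scope (not Kubernetes code).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CLUSTER_SCOPED = None  # namespace value for cluster-scoped requests (nodes, ...)


@dataclass(frozen=True)
class Rule:
    verbs: frozenset
    resources: frozenset

    def allows(self, verb: str, resource: str) -> bool:
        # RBAC rules are purely additive; '*' matches any verb or resource.
        return ("*" in self.verbs or verb in self.verbs) and (
            "*" in self.resources or resource in self.resources)


@dataclass
class Binding:
    namespace: Optional[str]   # None => ClusterRoleBinding, else the RoleBinding's namespace
    ref_kind: str              # "Role" or "ClusterRole" (roleRef.kind)
    ref_name: str
    subjects: frozenset


@dataclass
class Cluster:
    roles: Dict[Tuple[str, str], List[Rule]] = field(default_factory=dict)  # (ns, name) -> rules
    cluster_roles: Dict[str, List[Rule]] = field(default_factory=dict)      # name -> rules
    bindings: List[Binding] = field(default_factory=list)

    def create_role(self, ns, name, verbs, resources):
        self.roles[(ns, name)] = [Rule(frozenset(verbs), frozenset(resources))]

    def create_cluster_role(self, name, verbs, resources):
        self.cluster_roles[name] = [Rule(frozenset(verbs), frozenset(resources))]

    def create_rolebinding(self, ns, subjects, role=None, clusterrole=None):
        # Mirrors `kubectl create rolebinding --role=... | --clusterrole=...`:
        # a RoleBinding may reference either kind, but its grant is always
        # limited to its own namespace.
        if (role is None) == (clusterrole is None):
            raise ValueError("exactly one of role / clusterrole is required")
        kind, name = ("Role", role) if role else ("ClusterRole", clusterrole)
        self.bindings.append(Binding(ns, kind, name, frozenset(subjects)))

    def create_clusterrolebinding(self, clusterrole, subjects):
        # roleRef.kind must be ClusterRole here: a Role cannot be bound cluster-wide.
        self.bindings.append(Binding(None, "ClusterRole", clusterrole, frozenset(subjects)))

    def _rules(self, b: Binding) -> List[Rule]:
        # A binding to a missing role is valid but grants nothing.
        if b.ref_kind == "Role":
            return self.roles.get((b.namespace, b.ref_name), [])
        return self.cluster_roles.get(b.ref_name, [])

    def can_i(self, user, verb, resource, namespace=CLUSTER_SCOPED) -> bool:
        # Deny by default; the first binding whose rules match grants the request.
        for b in self.bindings:
            if user not in b.subjects:
                continue
            if b.namespace is not None and b.namespace != namespace:
                continue  # RoleBinding in another namespace, or a cluster-scoped request
            if any(r.allows(verb, resource) for r in self._rules(b)):
                return True
        return False


def replay_process_table() -> Dict[str, bool]:
    """Runs steps 1-7 of the Process Table and returns each access decision."""
    c = Cluster()
    # Constructed approximation of the built-in 'admin' ClusterRole: full
    # access to common namespaced resources, nothing cluster-scoped.
    c.create_cluster_role("admin", ["*"],
                          ["pods", "services", "deployments", "configmaps", "secrets"])
    c.create_role("dev", "view", ["get", "list"], ["pods"])            # step 1
    c.create_rolebinding("dev", ["jane"], role="view")                 # step 2
    out = {
        "3 jane get pods dev": c.can_i("jane", "get", "pods", "dev"),
        "4 jane get pods prod": c.can_i("jane", "get", "pods", "prod"),
    }
    c.create_clusterrolebinding("admin", ["jane"])                     # step 5
    out["6 jane delete pods prod"] = c.can_i("jane", "delete", "pods", "prod")
    out["7 bob get pods dev"] = c.can_i("bob", "get", "pods", "dev")
    # Beyond the table: 'admin' is a namespace-level role, so even bound
    # cluster-wide it does not reach cluster-scoped resources such as nodes.
    out["jane get nodes"] = c.can_i("jane", "get", "nodes")
    return out


if __name__ == "__main__":
    for step, allowed in replay_process_table().items():
        print(f"{step}: {'allowed' if allowed else 'denied'}")
```

The model deliberately has no deny rule and no role existence check, because Kubernetes RBAC has neither: a binding to a role that does not exist is accepted and simply grants nothing, and the only way to take access away is to delete or narrow a binding or a role.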
Status Tracker
| Variable | Start | After Step 1 | After Step 2 | After Step 5 | Final |
|----------|-------|--------------|--------------|--------------|-------|
| Role 'view' | None | Created with get,list on pods in dev | Same | Same | Defines get,list on pods in dev |
| RoleBinding 'read-pods' | None | None | Created, binding 'view' to jane in dev | Same | Binding exists in the dev namespace |
| ClusterRoleBinding 'admin-binding' | None | None | None | Created, binding ClusterRole 'admin' to jane cluster-wide | Binding exists cluster-wide |
| User 'jane' permissions | None | None (Role exists but is not bound yet) | Can get,list pods in dev | Can also act as 'admin' on namespaced resources in every namespace | dev Role plus namespace-admin rights everywhere |
| User 'bob' permissions | None | None | None | None | No permissions assigned |
Key Moments - 3 Insights
Why can user 'jane' list pods in 'dev' but not in 'prod' after creating a RoleBinding?
A RoleBinding only grants access within the namespace it is created in. 'read-pods' lives in 'dev', so 'jane' can list pods there and nowhere else; 'prod' has no binding naming her, and RBAC denies anything no binding allows (see Process Table steps 2, 3 and 4).
What is the difference between RoleBinding and ClusterRoleBinding?
A RoleBinding grants permissions within one namespace and may reference either a Role or a ClusterRole (the ClusterRole's rules are still confined to that namespace). A ClusterRoleBinding can only reference a ClusterRole and grants its rules in every namespace, plus any cluster-scoped resources the ClusterRole lists (see Process Table steps 2 and 5).
Why can 'jane' delete pods in 'prod' after the ClusterRoleBinding is created?
The built-in 'admin' ClusterRole includes write access (including delete) on most namespaced resources, and 'admin-binding' applies it to 'jane' in all namespaces, so the delete in 'prod' is allowed (see Process Table step 6). Note that 'admin' is a namespace-level role: bound cluster-wide it covers namespaced resources everywhere but not cluster-scoped ones such as nodes, which would need cluster-admin or a custom ClusterRole.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, at which step does 'jane' gain cluster-wide admin permissions?
AStep 3
BStep 2
CStep 5
DStep 4
💡 Hint
Check the 'Resource Created' and 'Effect' columns in Process Table step 5.
According to the Status Tracker, what is the state of RoleBinding 'read-pods' after step 2?
ACreated binding 'view' to jane in dev
BDeleted
CNot created yet
DCreated cluster-wide
💡 Hint
Look at the 'RoleBinding read-pods' row under 'After Step 2' in the Status Tracker.
If we remove the ClusterRoleBinding at step 5, what happens when 'jane' tries to delete pods in 'prod'?
AAllowed because RoleBinding applies cluster-wide
BDenied because no cluster-wide permissions
CAllowed because 'view' Role includes delete
DDenied because 'jane' is not a user
💡 Hint
Refer to Process Table steps 5 and 6 about the ClusterRoleBinding and the permissions it grants.
Concept Snapshot
RoleBindings bind a Role (or a ClusterRole) to users, groups or ServiceAccounts within a single namespace.
ClusterRoleBindings bind ClusterRoles cluster-wide; they cannot reference a Role.
Roles and ClusterRoles define permissions (verbs on resources); they grant nothing until bound.
RoleBindings and ClusterRoleBindings grant those permissions to subjects.
RBAC is additive and deny-by-default: there are no deny rules, so access is removed only by deleting or narrowing a binding or role.
A RoleBinding's grant never leaves its namespace, even when it references a ClusterRole.
ClusterRoleBindings apply across all namespaces and to cluster-scoped resources the ClusterRole covers.
Verify a binding before relying on it: kubectl auth can-i <verb> <resource> -n <namespace> --as=<user>
Full Transcript
This visual execution traces how Kubernetes RoleBindings and ClusterRoleBindings work. First, a Role is created with permissions scoped to a namespace. Then, a RoleBinding binds that Role to a user in that namespace, granting the permissions only there. The user can perform the allowed actions in that namespace but not in others, because no binding names the user elsewhere and RBAC denies by default. Next, a ClusterRoleBinding binds the built-in 'admin' ClusterRole to the user, granting its permissions in every namespace. The user can then perform admin actions on namespaced resources anywhere. Another user with no bindings has no permissions at all. This shows the difference in scope between the two binding types and how bindings, not roles on their own, control access.