Bird
Raised Fist0
Kubernetesdevops~10 mins

RoleBindings and ClusterRoleBindings in Kubernetes - Step-by-Step Execution

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Process Flow - RoleBindings and ClusterRoleBindings
Define Role or ClusterRole
Create RoleBinding or ClusterRoleBinding
Bind Role to User/Group/ServiceAccount
Access Permissions Granted
User performs actions allowed by Role
Check permissions enforced by Kubernetes
This flow shows how Roles or ClusterRoles are bound to users or groups via RoleBindings or ClusterRoleBindings to grant permissions.
Execution Sample
Kubernetes
kubectl create rolebinding read-pods \
  --role=view \
  --user=jane \
  --namespace=dev
This command creates a RoleBinding named 'read-pods' that binds the 'view' Role to user 'jane' in the 'dev' namespace.
Process Table
StepCommand/ActionResource CreatedScopeBinding TargetEffect
1kubectl create role view --verb=get,list --resource=pods --namespace=devRole 'view'Namespace: devN/ADefines permissions to get and list pods
2kubectl create rolebinding read-pods --role=view --user=jane --namespace=devRoleBinding 'read-pods'Namespace: devUser 'jane'Binds Role 'view' to user 'jane' in dev namespace
3User 'jane' runs 'kubectl get pods -n dev'N/ANamespace: devUser 'jane'Allowed: can list pods as per Role
4User 'jane' runs 'kubectl get pods -n prod'N/ANamespace: prodUser 'jane'Denied: no RoleBinding in prod namespace
5kubectl create clusterrolebinding admin-binding --clusterrole=admin --user=janeClusterRoleBinding 'admin-binding'Cluster-wideUser 'jane'Binds ClusterRole 'admin' to user 'jane' cluster-wide
6User 'jane' runs 'kubectl delete pod xyz -n prod'N/ANamespace: prodUser 'jane'Allowed: admin ClusterRole grants delete pods anywhere
7User 'bob' runs 'kubectl get pods -n dev'N/ANamespace: devUser 'bob'Denied: no RoleBinding or ClusterRoleBinding for bob
8ENDN/AN/AN/AExecution stops: all bindings created and tested
💡 Execution stops after all RoleBindings and ClusterRoleBindings are created and tested for user permissions.
Status Tracker
VariableStartAfter Step 1After Step 2After Step 5Final
Role 'view'NoneCreated with get,list pods in devSameSameDefined permissions for pods in dev
RoleBinding 'read-pods'NoneNoneCreated binding 'view' to jane in devSameBinding exists in dev namespace
ClusterRoleBinding 'admin-binding'NoneNoneNoneCreated binding 'admin' to jane cluster-wideBinding exists cluster-wide
User 'jane' permissionsNoneCan get,list pods in devSameCan admin cluster-widePermissions updated cluster-wide
User 'bob' permissionsNoneNoneNoneNoneNo permissions assigned
Key Moments - 3 Insights
Why can user 'jane' list pods in 'dev' but not in 'prod' after creating a RoleBinding?
RoleBindings apply only within a specific namespace. The RoleBinding 'read-pods' is created in 'dev' namespace, so 'jane' has permissions there but not in 'prod' (see execution_table rows 2,3,4).
What is the difference between RoleBinding and ClusterRoleBinding?
RoleBinding grants permissions within a namespace, while ClusterRoleBinding grants permissions cluster-wide (see execution_table rows 2 and 5).
Why can 'jane' delete pods in 'prod' after ClusterRoleBinding creation?
ClusterRoleBinding binds the 'admin' ClusterRole to 'jane' cluster-wide, allowing actions like deleting pods in any namespace (see execution_table row 6).
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, at which step does 'jane' gain cluster-wide admin permissions?
AStep 3
BStep 2
CStep 5
DStep 4
💡 Hint
Check the 'Resource Created' and 'Effect' columns in execution_table row 5.
According to variable_tracker, what is the state of 'RoleBinding read-pods' after step 2?
ACreated binding 'view' to jane in dev
BDeleted
CNot created yet
DCreated cluster-wide
💡 Hint
Look at the 'RoleBinding read-pods' row under 'After Step 2' in variable_tracker.
If we remove the ClusterRoleBinding at step 5, what happens when 'jane' tries to delete pods in 'prod'?
AAllowed because RoleBinding applies cluster-wide
BDenied because no cluster-wide permissions
CAllowed because 'view' Role includes delete
DDenied because 'jane' is not a user
💡 Hint
Refer to execution_table rows 5 and 6 about ClusterRoleBinding and permissions.
Concept Snapshot
RoleBindings bind Roles to users/groups within a namespace.
ClusterRoleBindings bind ClusterRoles cluster-wide.
Roles define permissions on resources.
RoleBindings and ClusterRoleBindings grant those permissions.
Namespace scope limits RoleBindings.
ClusterRoleBindings apply across all namespaces.
Full Transcript
This visual execution traces how Kubernetes RoleBindings and ClusterRoleBindings work. First, a Role is created with permissions scoped to a namespace. Then, a RoleBinding binds that Role to a user in that namespace, granting permissions only there. The user can perform allowed actions in that namespace but not others. Next, a ClusterRoleBinding binds a ClusterRole to the user cluster-wide, granting permissions across all namespaces. The user can then perform admin actions anywhere. Another user without bindings has no permissions. This shows the difference in scope and how bindings control access.

Practice

(1/5)
1. What is the main difference between a RoleBinding and a ClusterRoleBinding in Kubernetes?
easy
A. RoleBinding and ClusterRoleBinding are exactly the same.
B. RoleBinding grants permissions cluster-wide, while ClusterRoleBinding grants permissions within a single namespace.
C. RoleBinding is used only for system users, ClusterRoleBinding is for regular users.
D. RoleBinding grants permissions within a single namespace, while ClusterRoleBinding grants permissions cluster-wide.

Solution

  1. Step 1: Understand RoleBinding scope

    RoleBinding assigns permissions only inside one namespace.

  2. Step 2: Understand ClusterRoleBinding scope

    ClusterRoleBinding assigns permissions across the entire cluster, not limited to a namespace.

  3. Final Answer:

    RoleBinding is namespace-scoped; ClusterRoleBinding is cluster-scoped. -> Option D

  4. Quick Check:

    Scope difference = RoleBinding grants permissions within a single namespace, while ClusterRoleBinding grants permissions cluster-wide. [OK]
Hint: Remember: RoleBinding = namespace, ClusterRoleBinding = whole cluster [OK]
Common Mistakes:
  • Confusing the scope of RoleBinding and ClusterRoleBinding
  • Thinking both bindings work cluster-wide
  • Assuming RoleBinding is for system users only
2. Which of the following is the correct syntax to create a RoleBinding in Kubernetes YAML?
easy
A. apiVersion: v1 kind: RoleBinding metadata: name: read-pods subjects: - kind: User name: jane roleRef: kind: Role name: pod-reader
B. apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: read-pods subjects: - kind: User name: jane apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io
C. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: read-pods subjects: - kind: User name: jane roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io
D. apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: read-pods subjects: - kind: User name: jane roleRef: kind: ClusterRole name: pod-reader apiGroup: rbac.authorization.k8s.io

Solution

  1. Step 1: Check apiVersion and kind

    Correct apiVersion for RoleBinding is rbac.authorization.k8s.io/v1 and kind is RoleBinding.

  2. Step 2: Validate subjects and roleRef fields

    Subjects must include kind, name, and apiGroup. roleRef must reference a Role with correct apiGroup.

  3. Final Answer:

    apiVersion: rbac.authorization.k8s.io/v1, kind: RoleBinding, with complete subjects including apiGroup, and roleRef to Role. -> Option B

  4. Quick Check:

    Correct apiVersion and fields = apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: read-pods subjects: - kind: User name: jane apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io [OK]
Hint: RoleBinding YAML needs apiVersion rbac.authorization.k8s.io/v1 and kind RoleBinding [OK]
Common Mistakes:
  • Using wrong apiVersion or kind
  • Omitting apiGroup in subjects or roleRef
  • Confusing RoleBinding with ClusterRoleBinding syntax
3. Given this YAML snippet for a ClusterRoleBinding: 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-binding
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
What permission scope does user alice get?
medium
A. Permissions cluster-wide with cluster-admin rights
B. No permissions because ClusterRoleBinding requires a ServiceAccount subject
C. Permissions only in the default namespace
D. Permissions only in the namespace where the ClusterRoleBinding is created

Solution

  1. Step 1: Identify the binding type and role

    The YAML defines a ClusterRoleBinding that binds user alice to the cluster-admin ClusterRole.

  2. Step 2: Understand ClusterRoleBinding scope

    ClusterRoleBinding grants permissions cluster-wide, so alice has admin rights across all namespaces.

  3. Final Answer:

    User alice has cluster-wide admin permissions. -> Option A

  4. Quick Check:

    ClusterRoleBinding + cluster-admin = cluster-wide admin [OK]
Hint: ClusterRoleBinding with cluster-admin role = full cluster access [OK]
Common Mistakes:
  • Assuming permissions are limited to one namespace
  • Thinking only ServiceAccounts can be subjects
  • Confusing ClusterRoleBinding with RoleBinding scope
4. You applied this YAML to create a RoleBinding: 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
subjects:
- kind: User
  name: bob
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
But bob cannot list pods in the namespace. What is the likely problem?
medium
A. The subjects field is missing apiGroup for the user.
B. The roleRef kind should be ClusterRole instead of Role.
C. The RoleBinding must be created in the kube-system namespace.
D. The user bob does not exist in Kubernetes.

Solution

  1. Step 1: Check subjects field completeness

    The subjects entry for user bob lacks the required apiGroup field, which is needed to identify the user correctly.

  2. Step 2: Understand impact of missing apiGroup

    Without apiGroup, Kubernetes cannot match the user to the RoleBinding, so permissions are not granted.

  3. Final Answer:

    Missing apiGroup in subjects causes permission failure. -> Option A

  4. Quick Check:

    Subjects need apiGroup for user binding [OK]
Hint: Always include apiGroup in subjects for users [OK]
Common Mistakes:
  • Omitting apiGroup in subjects
  • Confusing Role and ClusterRole in roleRef
  • Assuming namespace or user existence is the problem
5. You want to grant a service account named deploy-bot in namespace dev permission to create pods across all namespaces. Which is the correct approach?
hard
A. Create a RoleBinding in each namespace binding deploy-bot to a Role with pod creation rights.
B. Create a RoleBinding in the dev namespace binding deploy-bot to a Role with pod creation rights.
C. Create a ClusterRoleBinding binding the deploy-bot service account to a ClusterRole with pod creation rights.
D. Create a ClusterRole with pod creation rights but no binding is needed.

Solution

  1. Step 1: Identify scope needed

    Permission to create pods across all namespaces requires cluster-wide scope.

  2. Step 2: Choose correct binding type

    A ClusterRoleBinding is needed to bind the deploy-bot service account to a ClusterRole with pod creation rights cluster-wide.

  3. Final Answer:

    Create a ClusterRoleBinding for deploy-bot to a ClusterRole with pod creation rights. -> Option C

  4. Quick Check:

    ClusterRoleBinding = cluster-wide permissions [OK]
Hint: ClusterRoleBinding for cluster-wide access to service accounts [OK]
Common Mistakes:
  • Using RoleBinding for cluster-wide permissions
  • Not creating any binding after ClusterRole
  • Creating RoleBinding in only one namespace