
Roles and ClusterRoles in Kubernetes - Step-by-Step Execution

Process Flow - Roles and ClusterRoles
1. Define a Role or ClusterRole
2. Specify its rules: verbs (get, list, watch, ...) on resources (pods, nodes, ...) within an API group
3. Create the Role (in one namespace) or ClusterRole (cluster-wide) in the API server
4. Bind the Role or ClusterRole to a user, group or ServiceAccount with a RoleBinding (namespaced) or a ClusterRoleBinding (cluster-wide)
5. The subject gains exactly the permissions listed in the bound rules; a Role or ClusterRole grants nothing until a binding references it
6. Access resources: each request is allowed if any bound rule matches it, otherwise it is denied
This flow shows how Roles and ClusterRoles are defined with permissions, created in Kubernetes, bound to subjects, and only then grant access.
Execution Sample
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
This Role grants get, watch and list on pods in the core API group (apiGroups: [""]) within the 'dev' namespace. On its own it grants nothing; a RoleBinding in 'dev' must reference it before any subject can read pods.
Process Table
Step | Action | Resource | Scope | Result
1 | Define Role 'pod-reader' | pods | namespace 'dev' | Role object created with get, watch, list verbs
2 | Create Role in 'dev' namespace | pods | namespace 'dev' | Role stored in the Kubernetes API
3 | Bind Role to user 'alice' with a RoleBinding in 'dev' | pods | namespace 'dev' | User 'alice' can get, watch, list pods in 'dev'
4 | Define ClusterRole 'node-reader' | nodes | cluster-wide | ClusterRole object created with get, watch, list verbs
5 | Create ClusterRole at cluster scope | nodes | cluster-wide | ClusterRole stored in the Kubernetes API
6 | Bind ClusterRole to group 'admins' with a ClusterRoleBinding | nodes | cluster-wide | Members of group 'admins' can get, watch, list nodes cluster-wide
7 | User 'bob' tries to list pods in 'dev' | pods | namespace 'dev' | Allowed only if a RoleBinding in 'dev' (referencing a Role or a ClusterRole) or a ClusterRoleBinding grants 'list' on pods to 'bob' or one of his groups
8 | User 'bob' tries to list nodes | nodes | cluster-wide | Allowed only if a ClusterRoleBinding grants 'list' on nodes; nodes are cluster-scoped, so a RoleBinding can never grant this
9 | User 'charlie' tries to list pods in 'prod' | pods | namespace 'prod' | Denied: no RoleBinding in 'prod' and no ClusterRoleBinding grants pod access to 'charlie'
10 | End of permission checks | - | - | Each request is allowed if any binding's rule matches it, otherwise denied
💡 Execution stops after all permission checks for users are evaluated.
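The Process Flow and the Process Table above describe how bindings turn a Role or ClusterRole into permissions for a subject, and which binding kind can reach which scope. The Python below is an added example, not code from this page or from the Kubernetes project: it encodes the page's 'pod-reader' Role together with constructed RoleBinding, ClusterRole and ClusterRoleBinding objects in the shape of the rbac.authorization.k8s.io/v1 API (apiGroup fields omitted), and replays the checks of steps 7 to 9 with the same decision procedure the RBAC authorizer uses: gather rules from every binding whose subjects name the requester (ClusterRoleBindings always, RoleBindings only for requests inside their own namespace), allow on the first matching rule, deny otherwise. The binding names, the user 'dana' in group 'admins', and bob's RoleBinding that references the 'node-reader' ClusterRole are assumptions made for this example.

```python
from dataclasses import dataclass

# Cluster-scoped resources are requested without a namespace, so RoleBindings never apply to them.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes", "clusterroles"}


@dataclass(frozen=True)
class Request:
    """One API request as the authorizer sees it after authentication."""
    user: str
    groups: frozenset      # group membership comes from the authenticator, not from RBAC objects
    verb: str
    resource: str
    api_group: str = ""    # "" is the core API group (pods, nodes, ...)
    namespace: str = ""    # "" for cluster-scoped requests


# Objects in the shape of rbac.authorization.k8s.io/v1 (apiGroup fields omitted for brevity).
# The Role is the one shown on the page; every other object is constructed for this example.
ROLES = {  # keyed by (namespace, name): a Role exists only inside its namespace
    ("dev", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
}
CLUSTER_ROLES = {
    "node-reader": [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "watch", "list"]},
    ],
}
ROLE_BINDINGS = [
    # Step 3: alice reads pods in 'dev' (binding name assumed).
    {"metadata": {"namespace": "dev", "name": "alice-pod-reader"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    # Assumed pitfall case: a ClusterRole referenced from a RoleBinding applies only inside 'dev',
    # and nodes are cluster-scoped, so this binding grants bob nothing he can use.
    {"metadata": {"namespace": "dev", "name": "bob-node-reader"},
     "roleRef": {"kind": "ClusterRole", "name": "node-reader"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]
CLUSTER_ROLE_BINDINGS = [
    # Step 6: every member of group 'admins' reads nodes cluster-wide (binding name assumed).
    {"metadata": {"name": "admins-node-reader"},
     "roleRef": {"kind": "ClusterRole", "name": "node-reader"},
     "subjects": [{"kind": "Group", "name": "admins"}]},
]


def subject_matches(subject, req):
    """True if a binding subject names the requester (by user name, group, or ServiceAccount)."""
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == req.user
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":  # authenticates as system:serviceaccount:<namespace>:<name>
        return req.user == f"system:serviceaccount:{subject.get('namespace', '')}:{name}"
    return False


def rule_matches(rule, req):
    """True if one PolicyRule covers the request's API group, resource and verb ('*' is the wildcard)."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], req.api_group)
            and hit(rule["resources"], req.resource)
            and hit(rule["verbs"], req.verb))


def rules_for(role_ref, binding_namespace):
    """Resolve a binding's roleRef; a Role is looked up in the binding's own namespace only."""
    if role_ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(role_ref["name"], [])
    return ROLES.get((binding_namespace, role_ref["name"]), [])


def authorize(req):
    """Return (allowed, reason). Allow on the first matching rule reachable through a binding
    that names the subject; otherwise deny. RBAC has no deny rules, so absence means denial."""
    ns = "" if req.resource in CLUSTER_SCOPED else req.namespace
    candidates = [(b, None) for b in CLUSTER_ROLE_BINDINGS]            # always considered
    if ns:                                                              # RoleBindings: own namespace only
        candidates += [(b, ns) for b in ROLE_BINDINGS if b["metadata"]["namespace"] == ns]
    for binding, binding_ns in candidates:
        if not any(subject_matches(s, req) for s in binding["subjects"]):
            continue
        for rule in rules_for(binding["roleRef"], binding_ns):
            if rule_matches(rule, req):
                where = "ClusterRoleBinding" if binding_ns is None else f"RoleBinding in '{binding_ns}'"
                return True, f"allowed by {where} '{binding['metadata']['name']}'"
    return False, "denied: no binding for this subject carries a matching rule"


def replay_checks():
    """Steps 7 to 9 of the Process Table plus three extra requests; returns {label: allowed}."""
    cases = {
        "alice lists pods in dev":    Request("alice", frozenset(), "list", "pods", namespace="dev"),
        "alice deletes pods in dev":  Request("alice", frozenset(), "delete", "pods", namespace="dev"),
        "bob lists pods in dev":      Request("bob", frozenset(), "list", "pods", namespace="dev"),
        "bob lists nodes":            Request("bob", frozenset(), "list", "nodes"),
        "dana (admins) lists nodes":  Request("dana", frozenset({"admins"}), "list", "nodes"),
        "charlie lists pods in prod": Request("charlie", frozenset(), "list", "pods", namespace="prod"),
    }
    return {label: authorize(req)[0] for label, req in cases.items()}


if __name__ == "__main__":
    for label, allowed in replay_checks().items():
        print(f"{label:28} {'ALLOW' if allowed else 'DENY'}")
```

The two bob requests are the ones to study: his RoleBinding references a real ClusterRole, yet he can list neither pods in 'dev' (the ClusterRole's rules cover nodes, not pods) nor nodes (a RoleBinding is only consulted for requests inside its namespace, and nodes have none). Against a live cluster the same checks are made with `kubectl auth can-i list nodes --as bob` and `kubectl auth can-i list pods --as alice -n dev`.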
Status Tracker
Variable | Start | After Step 3 | After Step 6 | After Step 10
Role 'pod-reader' | undefined | Defined with pod read verbs in 'dev' | No change | No change
ClusterRole 'node-reader' | undefined | undefined | Defined with node read verbs cluster-wide | No change
User 'alice' permissions | none | Can get, watch, list pods in 'dev' | No change | No change
Group 'admins' permissions | none | none | Can get, watch, list nodes cluster-wide | No change
User 'bob' permissions | none | none | Depends on bindings | Evaluated for pods and nodes
User 'charlie' permissions | none | none | none | Denied for pods in 'prod'
Key Moments - 3 Insights
Why can't a Role grant permissions outside its namespace?
Because a Role is a namespaced object (Process Table steps 1 and 2): only a RoleBinding in the same namespace can reference it, and its rules apply only to namespaced resources there. A Role cannot grant access to cluster-scoped resources such as nodes at all; for those, or for the same rules across every namespace, a ClusterRole bound with a ClusterRoleBinding is needed (steps 4 to 6).
Can a ClusterRole be bound to a namespace-specific user?
Yes. Users and groups are not themselves namespaced in Kubernetes (ServiceAccounts are), but the binding chooses the scope: a RoleBinding that references a ClusterRole grants its rules only within that RoleBinding's namespace, which is the usual way to reuse one ClusterRole definition across several namespaces, while a ClusterRoleBinding grants them cluster-wide. Compare the namespaced binding in step 3 with the cluster-wide one in step 6.
Why is user 'charlie' denied access to pods in 'prod'?
Because RBAC is allow-only: a request succeeds only when some binding that names 'charlie' (or one of charlie's groups) carries a rule matching the request. No RoleBinding in 'prod' and no ClusterRoleBinding does (step 9), so the request is denied.
Visual Quiz - 3 Questions
Test your understanding
Look at the Process Table: at which step is the Role 'pod-reader' created in Kubernetes?
A. Step 1
B. Step 4
C. Step 2
D. Step 5
💡 Hint
Check the 'Action' column for Role creation in namespace 'dev'.
According to the Status Tracker, what permissions does user 'alice' have after step 3?
A. Can get, watch, list pods in 'dev'
B. Can get, watch, list nodes cluster-wide
C. No permissions
D. Can list pods in 'prod'
💡 Hint
Look at the 'User alice permissions' row after step 3.
If the ClusterRole 'node-reader' is also bound to user 'bob' with a ClusterRoleBinding at step 6, what happens at step 8?
A. User 'bob' is denied access to nodes
B. User 'bob' can list nodes cluster-wide
C. User 'bob' can list pods in 'dev'
D. User 'bob' can list pods in 'prod'
💡 Hint
Check Process Table steps 6 and 8 for the ClusterRole binding and the node access check.
Concept Snapshot
Roles and ClusterRoles define sets of permissions (rules) in Kubernetes; they grant nothing until a binding references them.
Roles are namespace-scoped; ClusterRoles are cluster-wide and are the only kind that can cover cluster-scoped resources such as nodes.
Bind them to users, groups or ServiceAccounts to grant access.
A RoleBinding grants within one namespace and may reference a Role or a ClusterRole; a ClusterRoleBinding grants cluster-wide and references a ClusterRole.
Rules specify verbs (get, list, watch, ...) on resources (pods, nodes) within an API group. RBAC is allow-only: there are no deny rules, so any matching binding grants access.
Full Transcript
This visual execution trace shows how Kubernetes Roles and ClusterRoles work. First, a Role is defined with permissions limited to a namespace, like 'dev'. It is created and stored in Kubernetes. Then a RoleBinding binds a user to this Role, granting them those permissions in that namespace. ClusterRoles are similar but apply cluster-wide and can also cover cluster-scoped resources; they can be bound to users or groups with a ClusterRoleBinding to grant broader access. The Process Table traces creation, binding, and permission checks for users 'alice', 'bob', and 'charlie'. The Status Tracker shows how permissions change after each step. Key Moments clarify common confusions about scope and bindings. The quiz tests understanding of creation steps, permission assignments, and the effects of bindings. The snapshot summarizes the core ideas for quick recall.