How to Create a Read Only User in Kubernetes

To create a read-only user in Kubernetes, you need to create two main resources:

• Role or ClusterRole: Defines the permissions (verbs) allowed on resources.
• RoleBinding or ClusterRoleBinding: Assigns the role to a user or group.

Example syntax parts:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-binding
subjects:
- kind: User
  name: "username"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: readonly
  apiGroup: rbac.authorization.k8s.io

ClusterRole applies cluster-wide, while Role applies to a namespace. verbs are actions allowed, like get, list, and watch.

This example creates a cluster-wide read-only user named readonly-user who can only view pods and services.

After applying these manifests, you can configure your kubeconfig to use this user for read-only access.

Common mistakes when creating a read-only user include:

• Using Role instead of ClusterRole for cluster-wide access, which limits permissions to a namespace.
• Forgetting to bind the role to the correct kind (User, Group, or ServiceAccount).
• Not specifying the correct apiGroups or resources, causing permissions to be too narrow or too broad.
• Trying to use a user that is not recognized by Kubernetes authentication (you must configure kubeconfig or an identity provider).

Example of a wrong binding (missing apiGroup in subject):

subjects:
- kind: User
  name: "readonly-user"
  # apiGroup missing here causes binding failure

Correct binding includes apiGroup: rbac.authorization.k8s.io in subjects.