How to Use RBAC in Kubernetes: Simple Guide with Examples
In Kubernetes, RBAC (Role-Based Access Control) manages permissions by defining Roles or ClusterRoles and assigning them to users or groups via RoleBindings or ClusterRoleBindings. You create YAML files specifying these resources and apply them with kubectl apply -f to control who can do what in your cluster.
Syntax
RBAC in Kubernetes uses four main resources: Role, ClusterRole, RoleBinding, and ClusterRoleBinding.
- Role: Defines permissions within a specific namespace.
- ClusterRole: Defines permissions cluster-wide or across all namespaces.
- RoleBinding: Assigns a Role to a user or group within a namespace.
- ClusterRoleBinding: Assigns a ClusterRole to a user or group cluster-wide.
Each Role or ClusterRole contains rules that specify apiGroups, resources, and verbs (actions like get, list, create).
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: <namespace>
  name: <role-name>
rules:
  - apiGroups: ["<api-group>"]
    resources: ["<resource>"]
    verbs: ["<verb>"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <rolebinding-name>
  namespace: <namespace>
subjects:
  - kind: User
    name: <user-name>
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: <role-name>
  apiGroup: rbac.authorization.k8s.io
```
Example
This example creates a Role that allows reading pods in the default namespace and binds it to a user named alice. It shows how to grant limited access to a user.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""]          # "" is the core API group (pods, services, ...)
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-binding
  namespace: default
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
Output
role.rbac.authorization.k8s.io/pod-reader created
rolebinding.rbac.authorization.k8s.io/read-pods-binding created
Common Pitfalls
- Forgetting to specify the correct `apiGroups` or `resources` in rules causes permissions to not work.
- Using `Role` instead of `ClusterRole` when cluster-wide access is needed.
- Binding a `Role` with a `ClusterRoleBinding` or vice versa is invalid.
- Not specifying the correct `kind` in `subjects` (User, Group, ServiceAccount).
- Applying RBAC changes without re-authenticating or refreshing tokens may delay effect.
```yaml
# Wrong: binding a Role with a ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: wrong-binding
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role   # Incorrect: a ClusterRoleBinding must reference a ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Right: use a RoleBinding for a Role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: correct-binding
  namespace: default
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
Quick Reference
| Resource | Scope | Purpose |
|---|---|---|
| Role | Namespace | Defines permissions within a namespace |
| ClusterRole | Cluster-wide | Defines permissions across all namespaces or cluster resources |
| RoleBinding | Namespace | Assigns a Role to users/groups in a namespace |
| ClusterRoleBinding | Cluster-wide | Assigns a ClusterRole to users/groups cluster-wide |
Key Takeaways
RBAC controls access by defining Roles/ClusterRoles and binding them to users or groups.
Use Role and RoleBinding for namespace-specific permissions; use ClusterRole and ClusterRoleBinding for cluster-wide permissions.
Always match Role with RoleBinding and ClusterRole with ClusterRoleBinding to avoid errors.
Specify correct apiGroups, resources, and verbs in Role rules to grant intended permissions.
Apply RBAC YAML files with kubectl and verify permissions by testing user access.
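To make the Example and Common Pitfalls sections concrete, here is an added example (not from the guide or from Kubernetes itself): a small model of how the RBAC authorizer evaluates a request, using the guide's pod-reader Role and read-pods-binding as data. It assumes a user "alice", a namespace "default" and the requests shown in the tests; on a real cluster the equivalent check is `kubectl auth can-i <verb> <resource> --as <user> -n <namespace>`.

```python
# Added example (not from the guide): a minimal model of how the Kubernetes RBAC
# authorizer evaluates a request, showing why the Role/RoleBinding pairing and the
# apiGroups/resources/verbs fields matter. Subresources, resourceNames and
# nonResourceURLs are omitted; all objects and requests below are constructed.

ROLES = {  # (namespace, name) -> rules, from the guide's pod-reader Role
    ("default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}
CLUSTER_ROLES = {}  # name -> rules; the guide defines none
ROLE_BINDINGS = [{"namespace": "default",  # the guide's read-pods-binding
                  "subjects": [{"kind": "User", "name": "alice"}],
                  "roleRef": {"kind": "Role", "name": "pod-reader"}}]
CLUSTER_ROLE_BINDINGS = []

def rule_matches(rule, api_group, resource, verb):
    """A rule grants a request only if apiGroup, resource AND verb all match ('*' is a wildcard)."""
    return (any(g in ("*", api_group) for g in rule["apiGroups"])
            and any(r in ("*", resource) for r in rule["resources"])
            and any(v in ("*", verb) for v in rule["verbs"]))

def subject_matches(subjects, user, groups):
    """The subject kind matters: a User entry never matches a group name, and vice versa."""
    return any((s["kind"] == "User" and s["name"] == user)
               or (s["kind"] == "Group" and s["name"] in groups) for s in subjects)

def rules_for(role_ref, binding_namespace):
    """Resolve a roleRef. A RoleBinding may name a Role in its own namespace or a ClusterRole;
    a ClusterRoleBinding (binding_namespace=None) may only name a ClusterRole."""
    if role_ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(role_ref["name"], [])
    if binding_namespace is None:
        raise ValueError("ClusterRoleBinding.roleRef.kind must be ClusterRole")
    return ROLES.get((binding_namespace, role_ref["name"]), [])

def can_i(user, verb, resource, namespace, api_group="", groups=()):
    """Deny by default: allow only if a binding naming the subject carries a matching rule.
    RoleBindings count only in their own namespace; ClusterRoleBindings count everywhere."""
    for b in ROLE_BINDINGS:
        if b["namespace"] == namespace and subject_matches(b["subjects"], user, groups):
            if any(rule_matches(r, api_group, resource, verb) for r in rules_for(b["roleRef"], namespace)):
                return True
    for b in CLUSTER_ROLE_BINDINGS:
        if subject_matches(b["subjects"], user, groups):
            if any(rule_matches(r, api_group, resource, verb) for r in rules_for(b["roleRef"], None)):
                return True
    return False
```

Because evaluation is deny-by-default with no deny rules, adding a binding can only widen access, so review every new RoleBinding and ClusterRoleBinding rather than only the Roles they reference.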