
What is ClusterRole in Kubernetes: Definition and Usage

ClusterRole in Kubernetes is a set of permissions that apply across the entire cluster, not limited to a single namespace. It defines what actions can be performed on which resources at the cluster level, enabling centralized access control.

How It Works

Think of a ClusterRole as a master key that can open many doors across a whole building, not just one room. In Kubernetes, resources like pods, services, or nodes exist in different namespaces or at the cluster level. A ClusterRole defines permissions that apply to resources anywhere in the cluster, unlike a regular Role which is limited to one namespace.

When you create a ClusterRole, you specify what actions (like get, list, create, delete) are allowed on which resources (like pods, nodes, or deployments). Then, you attach this ClusterRole to users or service accounts using a ClusterRoleBinding. This binding grants the permissions defined in the ClusterRole to those users across the entire cluster.


Example

This example shows a ClusterRole that allows reading pods and nodes across the cluster.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-node-reader
rules:
- apiGroups: [""]
  resources: ["pods", "nodes"]
  verbs: ["get", "list", "watch"]
```

When to Use

Use a ClusterRole when you need to grant permissions that span multiple namespaces or affect cluster-wide resources. For example, if a monitoring tool needs to read pods and nodes in all namespaces, a ClusterRole is appropriate.

Also, cluster administrators use ClusterRole to define broad permissions for users or services that manage cluster-level operations, like managing nodes or persistent volumes.
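To make the scope of a binding concrete, here is an added Python model of how RBAC evaluation treats the article's pod-node-reader ClusterRole; it is example code, not the article's and not the kube-apiserver's. It binds the ClusterRole once through a ClusterRoleBinding for a monitoring service account and once through a RoleBinding in a single namespace (Kubernetes allows a RoleBinding to reference a ClusterRole), and shows which requests each subject can make. The subject names, the namespaces and the RoleBinding are constructed for this example.

```python
# Added example: a minimal model of Kubernetes RBAC evaluation for a ClusterRole
# bound cluster-wide (ClusterRoleBinding) versus in one namespace (RoleBinding).
# Manifests are expressed as dicts so the example runs offline without a cluster.

CLUSTER_ROLES = {
    "pod-node-reader": [  # the ClusterRole from the article
        {"apiGroups": [""], "resources": ["pods", "nodes"],
         "verbs": ["get", "list", "watch"]},
    ],
}
# Resources that have no namespace; only a ClusterRoleBinding can grant them.
CLUSTER_SCOPED = {"nodes", "persistentvolumes", "namespaces"}

# Constructed bindings: the monitoring service account gets the ClusterRole
# everywhere; dev-alice gets the same ClusterRole only inside "team-a".
BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": "pod-node-reader",
     "subjects": ["system:serviceaccount:monitoring:prometheus"]},
    {"kind": "RoleBinding", "namespace": "team-a", "roleRef": "pod-node-reader",
     "subjects": ["dev-alice"]},
]


def _rule_matches(rule, verb, resource, api_group):
    """A rule grants the action when verb, resource and apiGroup all match ('*' is a wildcard)."""
    return (any(v in ("*", verb) for v in rule["verbs"])
            and any(r in ("*", resource) for r in rule["resources"])
            and any(g in ("*", api_group) for g in rule["apiGroups"]))


def is_allowed(subject, verb, resource, namespace=None, api_group=""):
    """Return True if some binding for `subject` grants `verb` on `resource`.

    namespace=None is a cluster-scoped request, e.g. listing nodes or listing
    pods across all namespaces.
    """
    for binding in BINDINGS:
        if subject not in binding["subjects"]:
            continue
        # A RoleBinding applies only inside its own namespace and can never grant
        # cluster-scoped resources, even though it references a ClusterRole.
        if binding["kind"] == "RoleBinding":
            if (namespace is None or resource in CLUSTER_SCOPED
                    or binding["namespace"] != namespace):
                continue
        rules = CLUSTER_ROLES.get(binding["roleRef"], [])
        if any(_rule_matches(r, verb, resource, api_group) for r in rules):
            return True
    return False
```

With these bindings, `is_allowed("dev-alice", "list", "pods", "kube-system")` and `is_allowed("dev-alice", "get", "nodes")` both return False, while the monitoring service account can read pods in every namespace and nodes at the cluster level.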

Key Points

  • ClusterRole applies permissions cluster-wide, unlike Role which is namespace-scoped.
  • It defines allowed actions on resources like pods, nodes, or custom resources.
  • Permissions are granted by binding the ClusterRole to users or service accounts with ClusterRoleBinding.
  • Essential for managing access to cluster-level resources or cross-namespace permissions.

Key Takeaways

  • ClusterRole defines permissions that apply across the entire Kubernetes cluster.
  • It is used to grant access to cluster-wide resources or multiple namespaces.
  • ClusterRoleBinding connects a ClusterRole to users or service accounts to enforce permissions.
  • Use ClusterRole for tools or users needing broad access beyond a single namespace.