
Kubernetes RBAC Explained: A Practical Guide for DevOps Engineers

Role-Based Access Control (RBAC) is a critical security feature in Kubernetes. It lets you define which subjects (users, groups and service accounts) may perform which actions (verbs) on which resources in your cluster. Understanding RBAC is essential for both certification exams and production security.

Core RBAC Concepts

Four Key Resources

  1. Role - Defines permissions within a single namespace
  2. ClusterRole - Defines permissions that are not tied to a namespace (usable cluster-wide, or inside one namespace via a RoleBinding)
  3. RoleBinding - Grants a Role (or a ClusterRole, scoped to the binding's namespace) to users, groups or service accounts
  4. ClusterRoleBinding - Grants a ClusterRole to subjects across all namespaces and for cluster-scoped resources such as nodes

Creating a Role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Creating a RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: development
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

ClusterRole Example

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]

Imperative RBAC Commands

# Create a Role (same namespace as the manifest above, so the checks below apply to it)
kubectl create role pod-reader --verb=get,list,watch --resource=pods -n development

# Create a ClusterRole
kubectl create clusterrole node-reader --verb=get,list --resource=nodes

# Create a RoleBinding in the namespace that holds the Role
kubectl create rolebinding read-pods --role=pod-reader --user=jane -n development

# Create a ClusterRoleBinding
kubectl create clusterrolebinding read-nodes --clusterrole=node-reader --user=admin

# Check permissions by impersonating the user (expect "yes" for get, "no" for delete)
kubectl auth can-i get pods --as jane -n development
kubectl auth can-i delete pods --as jane -n development

Common RBAC Patterns

Read-Only Access

kubectl create clusterrole viewer --verb=get,list,watch --resource='*'

Namespace Admin

kubectl create rolebinding admin --clusterrole=admin --user=devteam -n development

Service Account Permissions

# Bind the pod-reader Role to the service account my-sa from the default namespace;
# the binding lives in the Role's namespace, so the grant only applies there
kubectl create rolebinding sa-binding --role=pod-reader --serviceaccount=default:my-sa -n development

RBAC Troubleshooting

# List everything a user can do in the current namespace (add -n to target another)
kubectl auth can-i --list --as jane

# Check specific permission
kubectl auth can-i create deployments --as jane -n production

# View all RoleBindings
kubectl get rolebindings -A

# Describe a RoleBinding
kubectl describe rolebinding read-pods -n development
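The decision that kubectl auth can-i asks the API server to make, as an added example that is not part of the original post: a small Python evaluator of RBAC semantics (Roles and RoleBindings scoped to their namespace, ClusterRoles bound cluster-wide or per namespace, "*" wildcards, service-account subjects) run offline against the post's own manifests in parsed dict form. The pod-reader, read-pods, node-reader and read-nodes objects are the ones shown above; the service-account subject from the sa-binding pattern is folded into read-pods, and aggregation, resourceNames and subresources are deliberately not modelled.

```python
# Constructed input: the post's manifests as parsed dicts (the SA subject from sa-binding is folded into read-pods).
ROLE = {"kind": "Role", "metadata": {"namespace": "development", "name": "pod-reader"},
        "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}
CLUSTER_ROLE = {"kind": "ClusterRole", "metadata": {"name": "node-reader"},
                "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "watch", "list"]}]}
ROLE_BINDING = {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "development"},
                "subjects": [{"kind": "User", "name": "jane"},
                             {"kind": "ServiceAccount", "name": "my-sa", "namespace": "default"}],
                "roleRef": {"kind": "Role", "name": "pod-reader"}}
CLUSTER_ROLE_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "read-nodes"},
                        "subjects": [{"kind": "User", "name": "admin"}],
                        "roleRef": {"kind": "ClusterRole", "name": "node-reader"}}
OBJECTS = [ROLE, CLUSTER_ROLE, ROLE_BINDING, CLUSTER_ROLE_BINDING]

def _matches(allowed, value):
    # RBAC is allow-only: a rule either matches or is ignored, and "*" matches anything.
    return "*" in allowed or value in allowed

def _rule_allows(rule, verb, resource, api_group):
    return all(_matches(rule.get(k, []), v) for k, v in
               (("apiGroups", api_group), ("resources", resource), ("verbs", verb)))

def _subject_matches(subject, user, groups):
    # Service accounts authenticate as the user name system:serviceaccount:<ns>:<name>.
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False

def can_i(objects, user, verb, resource, namespace="", api_group="", groups=()):
    """True if `user` may `verb` `resource` in `namespace` ("" means cluster-scoped)."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o for o in objects if o["kind"] == "Role"}
    cluster_roles = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterRole"}
    for binding in (o for o in objects if o["kind"].endswith("Binding")):
        if not any(_subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "RoleBinding":
            # A RoleBinding grants access only inside its own namespace, even when it
            # references a ClusterRole (the namespace-admin pattern above relies on this).
            if binding["metadata"]["namespace"] != namespace:
                continue
            role = roles.get((namespace, ref["name"])) if ref["kind"] == "Role" else cluster_roles.get(ref["name"])
        else:  # ClusterRoleBinding: the ClusterRole applies cluster-wide and in every namespace
            role = cluster_roles.get(ref["name"])
        if role and any(_rule_allows(r, verb, resource, api_group) for r in role.get("rules", [])):
            return True
    return False
```

Running the checks from the post through it shows why the namespace matters: jane can get pods in development but not in any other namespace, and cannot touch nodes at all because only the ClusterRoleBinding reaches cluster-scoped resources.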

Best Practices

  1. Principle of Least Privilege - Grant only the verbs and resources a subject actually needs
  2. Use Namespaces - Prefer namespaced Roles and RoleBindings over ClusterRoles and ClusterRoleBindings whenever possible
  3. Avoid cluster-admin - Don't grant cluster-admin unless absolutely necessary
  4. Audit regularly - Review Roles and bindings periodically, for example with kubectl auth can-i --list and kubectl get rolebindings -A

Practice RBAC Scenarios

RBAC questions appear in both CKA and CKS exams. Practice with Sailor.sh to master RBAC configuration in a real cluster environment.
