Role-Based Access Control (RBAC) is the foundation of Kubernetes authorization. Implementing it correctly ensures that users and services have only the permissions they need.
Understanding RBAC Components
Roles and ClusterRoles
Roles define permissions within a namespace, while ClusterRoles define cluster-wide permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: production
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]RoleBindings and ClusterRoleBindings
These connect roles to users, groups, or service accounts.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: production
subjects:
- kind: User
name: jane
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.ioBest Practices
1. Follow Least Privilege
Never grant more permissions than necessary. Start with minimal access and add permissions as needed.
2. Use Namespaces for Isolation
Separate teams and applications into different namespaces with their own RBAC policies.
3. Avoid Cluster-Admin
The cluster-admin role should be reserved for break-glass scenarios only.
4. Audit Regularly
Use kubectl auth can-i to verify permissions and regularly audit RBAC configurations.
5. Use Groups
Manage permissions through groups rather than individual users for easier administration.
Common Mistakes to Avoid
- Granting
*(wildcard) permissions - Using default service accounts
- Not reviewing RBAC after team changes
- Forgetting to remove access for departed employees
Properly implemented RBAC is your first line of defense against unauthorized access.