Role-Based Access Control (RBAC)

Required knowledge for the CKS certification.

Role-Based Access Control (RBAC) is a Kubernetes security primitive that manages authorization by defining roles and permissions for users, groups, and service accounts. It allows administrators to control who can perform actions on specific resources within the cluster.

How RBAC Works

RBAC is based on four key components:

Role: Defines a set of permissions for resources.
ClusterRole: Similar to Role, but can be applied across all namespaces.
RoleBinding: Assigns a Role to users, groups, or service accounts within a specific namespace.
ClusterRoleBinding: Binds a ClusterRole to users, groups, or service accounts cluster-wide.

Example: Create an RBAC Role and Binding

1. Define a Role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]

2. Create a RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: "api-user"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Key Takeaway

RBAC helps enforce the principle of least privilege by ensuring that users and applications have only the permissions they need.

Conclusion: Enforcing Security with RBAC in Kubernetes

Role-Based Access Control (RBAC) is an essential security primitive in Kubernetes, providing fine-grained authorization and enforcing the principle of least privilege. By correctly defining roles, role bindings, and permissions, you can significantly reduce the attack surface of your cluster and maintain tight access controls.

How RBAC Works​

Example: Create an RBAC Role and Binding​

1. Define a Role​

2. Create a RoleBinding​

Key Takeaway​

Conclusion: Enforcing Security with RBAC in Kubernetes​