RBAC Fundamentals
```text
Who (Subject)   →   Can do what (Verb)   →   On which resources (Resource)
      │                     │                            │
      ▼                     ▼                            ▼
User/Group/SA       get, list, create,          pods, secrets,
                    delete, update, patch       deployments...
```

Role vs ClusterRole
| | Role | ClusterRole |
|---|---|---|
| Scope | Single namespace | Cluster-wide |
| Use for | Team access to their namespace | Cluster admins, cross-namespace |
| Bound by | RoleBinding | ClusterRoleBinding (or RoleBinding) |
Common Roles

Developer (read-write in own namespace)

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: team-payments
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["pods", "deployments", "services", "configmaps", "jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log", "pods/exec"]
    verbs: ["get", "create"]
  # Secrets are deliberately absent: RBAC has no deny rules, so anything
  # not granted here is denied by default.
```

Read-Only (for monitoring/auditing)
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly
rules:
  # List resources explicitly rather than "*": a wildcard would include secrets,
  # and RBAC cannot take that back. A second rule with an empty verbs list is
  # rejected by the API server (verbs must contain at least one value) and
  # would not act as a deny even if it were accepted.
  - apiGroups: ["", "apps", "batch", "networking.k8s.io"]
    resources: ["pods", "pods/log", "services", "endpoints", "configmaps",
                "namespaces", "nodes", "events",
                "deployments", "replicasets", "statefulsets", "daemonsets",
                "jobs", "cronjobs", "ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch"]
```

CI/CD ServiceAccount (deploy only)
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-deployer
  namespace: production
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: production
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "patch", "update"]
    resourceNames: ["api-server", "worker"]  # Only specific deployments!
    # resourceNames restricts get/patch/update; a list or watch request is only
    # authorized if the client adds a metadata.name field selector for one of them.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "create", "update"]
---
# The binding that connects the two; without it the ServiceAccount has no access
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer
  namespace: production
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: production
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deployer
```

Common Mistakes
1. Using cluster-admin for everything

```yaml
# ❌ NEVER do this for normal users
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developer-admin
subjects:
  - kind: User
    name: developer@company.com
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io  # required on roleRef
  kind: ClusterRole
  name: cluster-admin  # Full access to EVERYTHING
```

2. Wildcard verbs
```yaml
# ❌ Too permissive
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
```

3. No audit logging
```yaml
# ✅ Enable audit logging
# Pass this file to kube-apiserver with --audit-policy-file and configure a
# backend (--audit-log-path or a webhook), otherwise nothing is recorded.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Metadata only for secrets: Request/RequestResponse would copy the secret
  # values themselves into the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["configmaps"]
  - level: Metadata
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings"]
  # Catch-all so every other request still gets a Metadata entry
  - level: Metadata
```

Audit Who Has Access
```bash
# Who can delete pods in production?
kubectl auth can-i delete pods -n production --as=developer@company.com

# List all role bindings in a namespace (and the roles they bind to)
kubectl get rolebindings -n production -o wide

# Find overprivileged ServiceAccounts (everything the default SA is allowed)
kubectl auth can-i --list --as=system:serviceaccount:default:default
```

ServiceAccount Token Security
```yaml
# ✅ Disable auto-mount for pods that don't need API access
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app
automountServiceAccountToken: false
---
# Only mount when explicitly needed (the pod-level setting overrides the ServiceAccount)
apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  serviceAccountName: my-app
  automountServiceAccountToken: true  # Override per-pod if needed
  containers:
    - name: app
      image: my-app:latest  # placeholder image
```

90% of pods don't need Kubernetes API access → disable the token mount.