Kubernetes RBAC Explained: Role, ClusterRole, RoleBinding & ClusterRoleBinding


Introduction

Security is one of the most critical aspects of Kubernetes administration. In a production Kubernetes cluster, multiple teams and users work together, including:

  • Developers

  • DevOps Engineers

  • QA Teams

  • Security Teams

  • Cluster Administrators

Not everyone should have full access to the entire cluster.

For example:

  • Developers may only need access to Pods.

  • DevOps Engineers may manage Deployments and Services.

  • Administrators may require full cluster access.

Kubernetes solves this problem using RBAC (Role-Based Access Control).

In this guide, we will cover RBAC, Roles, ClusterRoles, RoleBindings, ClusterRoleBindings, the RBAC architecture, real-world examples, and interview questions.


What is RBAC?

RBAC (Role-Based Access Control) is a Kubernetes authorization mechanism that controls who can perform actions on Kubernetes resources.

RBAC determines:

  • Who can access resources

  • What actions they can perform

  • Which namespaces they can access


Why Do We Need RBAC?

Without RBAC:

Developer
    │
    ▼
Full Cluster Access ❌

Risks:

  • Accidental deletion

  • Security breaches

  • Unauthorized changes

  • Compliance issues


With RBAC:

Developer
    │
    ▼
Limited Access ✅

Only required permissions are granted.


Kubernetes Authentication vs Authorization

Before understanding RBAC:

Authentication

Determines:

Who are you?

Examples:

  • User Certificates

  • Service Accounts

  • OIDC

  • IAM Users


Authorization

Determines:

What can you do?

RBAC handles authorization.


RBAC Architecture

User
  │
  ▼
Role / ClusterRole
  │
  ▼
RoleBinding / ClusterRoleBinding
  │
  ▼
Kubernetes Resources

RBAC Components

Kubernetes RBAC consists of:

  1. Role

  2. ClusterRole

  3. RoleBinding

  4. ClusterRoleBinding


What is a Role?

A Role defines permissions within a specific namespace.

A Role can grant access to:

  • Pods

  • Services

  • ConfigMaps

  • Secrets

  • Deployments

Only inside a namespace.


Role Example

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: pod-reader
rules:
- apiGroups: [""]
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

This Role allows:

✅ View Pods

❌ Delete Pods

❌ Access Other Namespaces


Understanding Verbs

Common RBAC Verbs:

Verb      Meaning
get       Read Resource
list      List Resources
watch     Monitor Changes
create    Create Resource
update    Modify Resource
patch     Partial Update
delete    Delete Resource

What is a ClusterRole?

A ClusterRole defines permissions across the entire cluster.

Unlike Roles:

  • Not Namespace Specific

  • Can Access Cluster-Level Resources

Examples:

  • Nodes

  • Namespaces

  • PersistentVolumes

  • Cluster-wide Pods


ClusterRole Example

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources:
  - nodes
  verbs:
  - get
  - list

This allows reading node information across the cluster once the ClusterRole is bound to a subject; on its own, a ClusterRole grants nothing.


Role vs ClusterRole

Feature              Role                     ClusterRole
Namespace Scope      ✅                       ❌
Cluster Scope        ❌                       ✅
Access Nodes         ❌                       ✅
Access Namespaces    ❌                       ✅
Most Common Usage    Namespace Permissions    Cluster Permissions

What is a RoleBinding?

A RoleBinding assigns a Role to a user, group, or ServiceAccount within a namespace.

Think:

Role = Permissions

RoleBinding = Permission Assignment

RoleBinding Example

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-binding
  namespace: dev
subjects:
- kind: User
  name: developer
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Result:

developer
     │
     ▼
pod-reader Role
     │
     ▼
Namespace: dev

What is a ClusterRoleBinding?

A ClusterRoleBinding assigns a ClusterRole to a user, group, or ServiceAccount across the entire cluster.


ClusterRoleBinding Example

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-binding
subjects:
- kind: User
  name: admin-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Result:

admin-user
      │
      ▼
cluster-admin
      │
      ▼
Entire Cluster Access

Complete RBAC Workflow

User
  │
  ▼
Role
  │
  ▼
RoleBinding
  │
  ▼
Namespace Resources

OR

User
  │
  ▼
ClusterRole
  │
  ▼
ClusterRoleBinding
  │
  ▼
Cluster Resources
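The two workflows above, as an added example that is not part of the original post: a small Python model of how the API server evaluates RBAC over the pod-reader, node-reader and cluster-admin objects from this page, plus a hypothetical "deployer" ClusterRole and "devops" user for the DevOps team (apiGroups are ignored for brevity). It also shows one case the diagrams do not: a ClusterRole referenced from a RoleBinding only grants access inside that RoleBinding's namespace.

```python
# Added example, not from the original post: a simplified model of the RBAC
# evaluation the Kubernetes API server performs, using the page's pod-reader,
# node-reader and cluster-admin objects plus a hypothetical "deployer" ClusterRole.
STAR = "*"  # RBAC wildcard for verbs and resources

# (kind, namespace, name) -> rules; ClusterRoles have no namespace
ROLES = {
    ("Role", "dev", "pod-reader"): [{"resources": ["pods"], "verbs": ["get", "list", "watch"]}],
    ("ClusterRole", None, "node-reader"): [{"resources": ["nodes"], "verbs": ["get", "list"]}],
    ("ClusterRole", None, "deployer"): [{"resources": ["deployments", "services", "configmaps"],
                                         "verbs": ["get", "list", "create", "update", "patch"]}],
    ("ClusterRole", None, "cluster-admin"): [{"resources": [STAR], "verbs": [STAR]}],
}

BINDINGS = [
    {"kind": "RoleBinding", "namespace": "dev", "subjects": ["developer"],
     "roleRef": ("Role", "pod-reader")},
    # A ClusterRole referenced from a RoleBinding is granted only in that namespace.
    {"kind": "RoleBinding", "namespace": "ops", "subjects": ["devops"],
     "roleRef": ("ClusterRole", "deployer")},
    {"kind": "ClusterRoleBinding", "namespace": None, "subjects": ["admin-user"],
     "roleRef": ("ClusterRole", "cluster-admin")},
]

def rule_allows(rule, verb, resource):
    """A rule matches when both the verb and the resource are listed (or wildcarded)."""
    return ((STAR in rule["verbs"] or verb in rule["verbs"])
            and (STAR in rule["resources"] or resource in rule["resources"]))

def can_i(user, verb, resource, namespace=None):
    """Offline stand-in for `kubectl auth can-i VERB RESOURCE -n NS --as USER`.
    Pass namespace=None for cluster-scoped resources such as nodes.
    RBAC is allow-only: any matching rule grants access and nothing can deny it."""
    for b in BINDINGS:
        if user not in b["subjects"]:
            continue
        ref_kind, ref_name = b["roleRef"]
        if b["kind"] == "RoleBinding":
            # Only requests inside the binding's namespace are considered, so a
            # cluster-scoped request (namespace=None) can never match a RoleBinding.
            if namespace != b["namespace"]:
                continue
            role_ns = b["namespace"] if ref_kind == "Role" else None
            rules = ROLES.get((ref_kind, role_ns, ref_name), [])
        else:  # ClusterRoleBinding: applies in every namespace and cluster-wide
            rules = ROLES.get(("ClusterRole", None, ref_name), [])
        if any(rule_allows(r, verb, resource) for r in rules):
            return True
    return False
```

For example, can_i("developer", "get", "pods", "dev") is True while can_i("developer", "get", "pods", "prod") and can_i("devops", "create", "deployments", "dev") are both False.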

Service Accounts and RBAC

Applications running inside Kubernetes use Service Accounts.

Example:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa

RBAC permissions can also be assigned to Service Accounts.


Real-World Example

Suppose an organization has:

Developers

Need:

  • View Pods

  • View Logs

No delete access.

Use:

Role + RoleBinding

DevOps Team

Need:

  • Deploy Applications

  • Manage Services

  • Manage ConfigMaps

Use:

ClusterRole + ClusterRoleBinding

Cluster Administrators

Need:

  • Full Cluster Access

Use:

cluster-admin

Built-in ClusterRoles

Kubernetes provides predefined ClusterRoles.

cluster-admin

Full access.


admin

Namespace administration.


edit

Create and modify resources.


view

Read-only access.


Useful Commands

View Roles

kubectl get roles

View ClusterRoles

kubectl get clusterroles

View RoleBindings

kubectl get rolebindings

View ClusterRoleBindings

kubectl get clusterrolebindings

Check User Permissions

kubectl auth can-i create pods

Example Output:

yes

Best Practices

Follow Least Privilege Principle

Grant only required permissions.


Avoid cluster-admin

Use only when absolutely necessary.


Use Namespaces

Separate environments:

  • Dev

  • Test

  • Production


Use Service Accounts

Avoid using admin credentials for applications.


Audit Permissions Regularly

Remove unused access.


Common Mistakes

❌ Giving cluster-admin to everyone

❌ Running applications with default ServiceAccounts

❌ Ignoring namespace separation

❌ Not auditing permissions

❌ Over-permissioning users


Kubernetes Interview Questions

What is RBAC?

RBAC is Kubernetes' authorization mechanism that controls access to cluster resources.


What is the difference between Role and ClusterRole?

Role works within a namespace, while ClusterRole works across the entire cluster.


What is RoleBinding?

RoleBinding assigns a Role to a user, group, or ServiceAccount within a namespace.


What is ClusterRoleBinding?

ClusterRoleBinding assigns a ClusterRole across the entire cluster.


How do you check permissions in Kubernetes?

kubectl auth can-i <action> <resource>

What is the principle of least privilege?

Grant users only the permissions required to perform their tasks.


Can a ServiceAccount use RBAC?

Yes. RBAC permissions can be assigned to ServiceAccounts.


Conclusion

RBAC is the foundation of Kubernetes security and access control. It ensures users and applications only have the permissions they require, reducing security risks and preventing accidental changes.

  • Roles provide namespace-level permissions.

  • ClusterRoles provide cluster-wide permissions.

  • RoleBindings assign Roles.

  • ClusterRoleBindings assign ClusterRoles.

Understanding RBAC is essential for managing secure production Kubernetes environments and is one of the most frequently asked topics in Kubernetes and DevOps interviews.
