RBAC in Kubernetes
RBAC (Role-Based Access Control) authorizes who can do what after authentication establishes identity. Effective access is always authn + authz + bindings.
Objects at a glance
| Object | Scope | Binds to |
|---|---|---|
| Role | One namespace | Permissions inside that namespace |
| ClusterRole | Whole cluster | Cluster-wide or namespaced resources (depending on rules) |
| RoleBinding | One namespace | Users/groups/SAs → Role or ClusterRole (in that namespace) |
| ClusterRoleBinding | Whole cluster | Users/groups/SAs → ClusterRole |
A RoleBinding to a ClusterRole is a common pattern: reuse a cluster-defined role template but limit its effect to one namespace.
Blast radius
- Namespace RoleBinding to a privileged ClusterRole still affects only that namespace — bad, but bounded.
- ClusterRoleBinding to `cluster-admin` (or equivalent) is cluster-wide — treat as break-glass; automate detection and quarterly review.
OIDC and group claims
With OIDC, the API server maps claims (for example `groups`) to Kubernetes groups; RBAC bindings reference those group names.
Typical flow:
- Configure API server `--oidc-*` flags (or use your cloud’s managed integration).
- Map the `groups` claim → Kubernetes `groups` in the identity.
- Bind ClusterRole `view` or custom roles to `group:platform-readers`.
Worked kubeconfig patterns (including `aws eks get-token`) live on Kubeconfig and authentication.
kubectl auth can-i
```bash
kubectl auth can-i create deployments --namespace team-a
kubectl auth can-i '*' '*' --all-namespaces   # cluster-admin check — use sparingly
```
Use `--as` and `--as-group` to simulate another principal when debugging RBAC tickets.
Common misconfigurations
- Granting `verbs: ['*']` on `resources: ['*']` for convenience.
- Using ClusterRoleBinding where RoleBinding would suffice.
- Omitting `resourceNames` on Secrets rules, which grants access to every Secret in scope — narrow to named Secrets where possible.
Audit guidance
Log who changed RoleBinding and ClusterRoleBinding objects; alert on `cluster-admin` grants. Pair with Multi-tenancy and policy for audit shipping patterns.
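The detection this section and the misconfiguration list above call for can be scripted against the `-o json` output of `kubectl get` for roles and bindings. The checker below is an added example, not code from the original page; its input is a constructed `List` with placeholder names, and it flags `cluster-admin` ClusterRoleBindings, wildcard-verb-on-wildcard-resource rules, and Secrets rules without `resourceNames`.

```python
import json

# Constructed sample in the shape kubectl's `-o json` List output uses for
# ClusterRoleBindings, ClusterRoles and Roles. All names are placeholders.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-breakglass"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"},
                  {"kind": "User", "name": "alice@example.com"}]},
    {"kind": "ClusterRole", "metadata": {"name": "dev-convenience"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "team-a"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "tls-reader", "namespace": "team-a"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
                "resourceNames": ["ingress-tls"]}]},
]})

def has_wildcard_rule(role):
    """True if any rule grants verbs '*' on resources '*' (the convenience grant)."""
    return any("*" in r.get("verbs", []) and "*" in r.get("resources", [])
               for r in role.get("rules", []))

def has_unscoped_secret_rule(role):
    """True if a rule touches secrets without resourceNames, i.e. every Secret in scope."""
    return any("secrets" in r.get("resources", []) and not r.get("resourceNames")
               for r in role.get("rules", []))

def rbac_findings(rbac_json):
    """Return one finding string per risky object; an empty list means nothing was flagged."""
    findings = []
    for obj in json.loads(rbac_json)["items"]:
        kind, name = obj["kind"], obj["metadata"]["name"]
        ns = obj["metadata"].get("namespace")
        ident = f"{kind}/{ns}/{name}" if ns else f"{kind}/{name}"
        if kind == "ClusterRoleBinding" and obj["roleRef"]["name"] == "cluster-admin":
            for s in obj.get("subjects", []):
                findings.append(f"cluster-admin grant to {s['kind']} {s['name']} via {ident}")
        if kind in ("Role", "ClusterRole"):
            if has_wildcard_rule(obj):
                findings.append(f"wildcard verbs on wildcard resources in {ident}")
            if has_unscoped_secret_rule(obj):
                findings.append(f"unscoped Secrets access in {ident}")
    return findings

if __name__ == "__main__":
    for line in rbac_findings(SAMPLE):
        print(line)
```

Running it on real output from `kubectl get clusterrolebindings,clusterroles,roles -A -o json` gives a list to feed into the alerting and quarterly review described above.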
Related
- Kubeconfig and authentication — TLS client auth, exec plugins, EKS token flow.
- Admission controllers — Policy webhooks that complement RBAC.
- Architecture review answers — Prompts this page deepens.