Using RBAC Authorization

    RBAC authorization uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing you to dynamically configure policies through the Kubernetes API.

    To enable RBAC, start the with the --authorization-mode flag set to a comma-separated list that includes RBAC; for example:

    The RBAC API declares four kinds of Kubernetes object: Role, ClusterRole, RoleBinding and ClusterRoleBinding. You can , or amend them, using tools such as kubectl, just like any other Kubernetes object.

    Caution: These objects, by design, impose access restrictions. If you are making changes to a cluster as you learn, see privilege escalation prevention and bootstrapping to understand how those restrictions can prevent you making some changes.

    An RBAC Role or ClusterRole contains rules that represent a set of permissions. Permissions are purely additive (there are no “deny” rules).

    A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.

    ClusterRole, by contrast, is a non-namespaced resource. The resources have different names (Role and ClusterRole) because a Kubernetes object always has to be either namespaced or not namespaced; it can’t be both.

    ClusterRoles have several uses. You can use a ClusterRole to:

    1. define permissions on namespaced resources and be granted access within individual namespace(s)
    2. define permissions on namespaced resources and be granted access across all namespaces
    3. define permissions on cluster-scoped resources

    If you want to define a role within a namespace, use a Role; if you want to define a role cluster-wide, use a ClusterRole.

    Role example

    Here’s an example Role in the “default” namespace that can be used to grant read access to pods:

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. kind: Role
    3. metadata:
    4. namespace: default
    5. name: pod-reader
    6. rules:
    7. - apiGroups: [""] # "" indicates the core API group
    8. resources: ["pods"]
    9. verbs: ["get", "watch", "list"]

    ClusterRole example

    A ClusterRole can be used to grant the same permissions as a Role. Because ClusterRoles are cluster-scoped, you can also use them to grant access to:

    • cluster-scoped resources (like nodes)

    • non-resource endpoints (like /healthz)

    • namespaced resources (like Pods), across all namespaces

      For example: you can use a ClusterRole to allow a particular user to run kubectl get pods --all-namespaces

    Here is an example of a ClusterRole that can be used to grant read access to in any particular namespace, or across all namespaces (depending on how it is bound):

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. kind: ClusterRole
    3. metadata:
    4. # "namespace" omitted since ClusterRoles are not namespaced
    5. name: secret-reader
    6. rules:
    7. - apiGroups: [""]
    8. #
    9. # at the HTTP level, the name of the resource for accessing Secret
    10. # objects is "secrets"
    11. resources: ["secrets"]
    12. verbs: ["get", "watch", "list"]

    The name of a Role or a ClusterRole object must be a valid .

    RoleBinding and ClusterRoleBinding

    A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.

    A RoleBinding may reference any Role in the same namespace. Alternatively, a RoleBinding can reference a ClusterRole and bind that ClusterRole to the namespace of the RoleBinding. If you want to bind a ClusterRole to all the namespaces in your cluster, you use a ClusterRoleBinding.

    The name of a RoleBinding or ClusterRoleBinding object must be a valid .

    RoleBinding examples

    Here is an example of a RoleBinding that grants the “pod-reader” Role to the user “jane” within the “default” namespace. This allows “jane” to read pods in the “default” namespace.

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. # This role binding allows "jane" to read pods in the "default" namespace.
    3. # You need to already have a Role named "pod-reader" in that namespace.
    4. kind: RoleBinding
    5. metadata:
    6. name: read-pods
    7. namespace: default
    8. subjects:
    9. # You can specify more than one "subject"
    10. - kind: User
    11. name: jane # "name" is case sensitive
    12. apiGroup: rbac.authorization.k8s.io
    13. roleRef:
    14. # "roleRef" specifies the binding to a Role / ClusterRole
    15. kind: Role #this must be Role or ClusterRole
    16. name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
    17. apiGroup: rbac.authorization.k8s.io

    A RoleBinding can also reference a ClusterRole to grant the permissions defined in that ClusterRole to resources inside the RoleBinding’s namespace. This kind of reference lets you define a set of common roles across your cluster, then reuse them within multiple namespaces.

    For instance, even though the following RoleBinding refers to a ClusterRole, “dave” (the subject, case sensitive) will only be able to read Secrets in the “development” namespace, because the RoleBinding’s namespace (in its metadata) is “development”.

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. # This role binding allows "dave" to read secrets in the "development" namespace.
    3. # You need to already have a ClusterRole named "secret-reader".
    4. kind: RoleBinding
    5. metadata:
    6. name: read-secrets
    7. #
    8. # The namespace of the RoleBinding determines where the permissions are granted.
    9. # This only grants permissions within the "development" namespace.
    10. namespace: development
    11. subjects:
    12. - kind: User
    13. name: dave # Name is case sensitive
    14. apiGroup: rbac.authorization.k8s.io
    15. roleRef:
    16. kind: ClusterRole
    17. name: secret-reader
    18. apiGroup: rbac.authorization.k8s.io

    ClusterRoleBinding example

    To grant permissions across a whole cluster, you can use a ClusterRoleBinding. The following ClusterRoleBinding allows any user in the group “manager” to read secrets in any namespace.

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. # This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
    3. kind: ClusterRoleBinding
    4. metadata:
    5. name: read-secrets-global
    6. subjects:
    7. - kind: Group
    8. name: manager # Name is case sensitive
    9. apiGroup: rbac.authorization.k8s.io
    10. roleRef:
    11. kind: ClusterRole
    12. name: secret-reader
    13. apiGroup: rbac.authorization.k8s.io

    After you create a binding, you cannot change the Role or ClusterRole that it refers to. If you try to change a binding’s roleRef, you get a validation error. If you do want to change the roleRef for a binding, you need to remove the binding object and create a replacement.

    There are two reasons for this restriction:

    1. Making roleRef immutable allows granting someone update permission on an existing binding object, so that they can manage the list of subjects, without being able to change the role that is granted to those subjects.
    2. A binding to a different role is a fundamentally different binding. Requiring a binding to be deleted/recreated in order to change the roleRef ensures the full list of subjects in the binding is intended to be granted the new role (as opposed to enabling or accidentally modifying only the roleRef without verifying all of the existing subjects should be given the new role’s permissions).

    The kubectl auth reconcile command-line utility creates or updates a manifest file containing RBAC objects, and handles deleting and recreating binding objects if required to change the role they refer to. See command usage and examples for more information.

    Referring to resources

    In the Kubernetes API, most resources are represented and accessed using a string representation of their object name, such as pods for a Pod. RBAC refers to resources using exactly the same name that appears in the URL for the relevant API endpoint. Some Kubernetes APIs involve a subresource, such as the logs for a Pod. A request for a Pod’s logs looks like:

    1. GET /api/v1/namespaces/{namespace}/pods/{name}/log

    In this case, pods is the namespaced resource for Pod resources, and log is a subresource of pods. To represent this in an RBAC role, use a slash (/) to delimit the resource and subresource. To allow a subject to read pods and also access the log subresource for each of those Pods, you write:

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. kind: Role
    3. metadata:
    4. namespace: default
    5. name: pod-and-pod-logs-reader
    6. rules:
    7. - apiGroups: [""]
    8. resources: ["pods", "pods/log"]
    9. verbs: ["get", "list"]

    You can also refer to resources by name for certain requests through the resourceNames list. When specified, requests can be restricted to individual instances of a resource. Here is an example that restricts its subject to only get or update a ConfigMap named my-configmap:

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. kind: Role
    3. metadata:
    4. namespace: default
    5. name: configmap-updater
    6. rules:
    7. - apiGroups: [""]
    8. #
    9. # at the HTTP level, the name of the resource for accessing ConfigMap
    10. # objects is "configmaps"
    11. resources: ["configmaps"]
    12. resourceNames: ["my-configmap"]
    13. verbs: ["update", "get"]

    Note: You cannot restrict create or deletecollection requests by their resource name. For create, this limitation is because the name of the new object may not be known at authorization time. If you restrict list or watch by resourceName, clients must include a metadata.name field selector in their list or watch request that matches the specified resourceName in order to be authorized. For example, kubectl get configmaps --field-selector=metadata.name=my-configmap

    Rather than referring to individual resourcesapiGroups, and verbs, you can use the wildcard * symbol to refer to all such objects. For nonResourceURLs, you can use the wildcard * as a suffix glob match. For resourceNames, an empty set means that everything is allowed. Here is an example that allows access to perform any current and future action on all current and future resources in the example.com API group. This is similar to the built-in cluster-admin role.

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. kind: Role
    3. metadata:
    4. namespace: default
    5. name: example.com-superuser # DO NOT USE THIS ROLE, IT IS JUST AN EXAMPLE
    6. rules:
    7. - apiGroups: ["example.com"]
    8. resources: ["*"]

    Caution: Using wildcards in resource and verb entries could result in overly permissive access being granted to sensitive resources. For instance, if a new resource type is added, or a new subresource is added, or a new custom verb is checked, the wildcard entry automatically grants access, which may be undesirable. The should be employed, using specific resources and verbs to ensure only the permissions required for the workload to function correctly are applied.

    Aggregated ClusterRoles

    You can aggregate several ClusterRoles into one combined ClusterRole. A controller, running as part of the cluster control plane, watches for ClusterRole objects with an aggregationRule set. The aggregationRule defines a label that the controller uses to match other ClusterRole objects that should be combined into the rules field of this one.

    Caution: The control plane overwrites any values that you manually specify in the rules field of an aggregate ClusterRole. If you want to change or add rules, do so in the ClusterRole objects that are selected by the aggregationRule.

    Here is an example aggregated ClusterRole:

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. kind: ClusterRole
    3. metadata:
    4. name: monitoring
    5. aggregationRule:
    6. clusterRoleSelectors:
    7. - matchLabels:
    8. rules: [] # The control plane automatically fills in the rules

    If you create a new ClusterRole that matches the label selector of an existing aggregated ClusterRole, that change triggers adding the new rules into the aggregated ClusterRole. Here is an example that adds rules to the “monitoring” ClusterRole, by creating another ClusterRole labeled rbac.example.com/aggregate-to-monitoring: true.

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. kind: ClusterRole
    3. metadata:
    4. name: monitoring-endpoints
    5. labels:
    6. rbac.example.com/aggregate-to-monitoring: "true"
    7. # When you create the "monitoring-endpoints" ClusterRole,
    8. # the rules below will be added to the "monitoring" ClusterRole.
    9. rules:
    10. - apiGroups: [""]
    11. resources: ["services", "endpointslices", "pods"]
    12. verbs: ["get", "list", "watch"]

    The default user-facing roles use ClusterRole aggregation. This lets you, as a cluster administrator, include rules for custom resources, such as those served by or aggregated API servers, to extend the default roles.

    For example: the following ClusterRoles let the “admin” and “edit” default roles manage the custom resource named CronTab, whereas the “view” role can perform only read actions on CronTab resources. You can assume that CronTab objects are named "crontabs" in URLs as seen by the API server.

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. kind: ClusterRole
    3. metadata:
    4. name: aggregate-cron-tabs-edit
    5. labels:
    6. # Add these permissions to the "admin" and "edit" default roles.
    7. rbac.authorization.k8s.io/aggregate-to-admin: "true"
    8. rbac.authorization.k8s.io/aggregate-to-edit: "true"
    9. rules:
    10. - apiGroups: ["stable.example.com"]
    11. resources: ["crontabs"]
    12. verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    13. ---
    14. kind: ClusterRole
    15. apiVersion: rbac.authorization.k8s.io/v1
    16. metadata:
    17. name: aggregate-cron-tabs-view
    18. labels:
    19. # Add these permissions to the "view" default role.
    20. rbac.authorization.k8s.io/aggregate-to-view: "true"
    21. rules:
    22. - apiGroups: ["stable.example.com"]
    23. resources: ["crontabs"]
    24. verbs: ["get", "list", "watch"]

    Role examples

    The following examples are excerpts from Role or ClusterRole objects, showing only the rules section.

    Allow reading "pods" resources in the core :

    1. rules:
    2. - apiGroups: [""]
    3. #
    4. # at the HTTP level, the name of the resource for accessing Pod
    5. # objects is "pods"
    6. resources: ["pods"]
    7. verbs: ["get", "list", "watch"]

    Allow reading/writing Deployments (at the HTTP level: objects with "deployments" in the resource part of their URL) in the "apps" API groups:

    1. rules:
    2. - apiGroups: ["apps"]
    3. #
    4. # at the HTTP level, the name of the resource for accessing Deployment
    5. # objects is "deployments"
    6. resources: ["deployments"]
    7. verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

    Allow reading Pods in the core API group, as well as reading or writing Job resources in the "batch" API group:

    1. rules:
    2. - apiGroups: [""]
    3. #
    4. # at the HTTP level, the name of the resource for accessing Pod
    5. # objects is "pods"
    6. resources: ["pods"]
    7. verbs: ["get", "list", "watch"]
    8. - apiGroups: ["batch"]
    9. #
    10. # at the HTTP level, the name of the resource for accessing Job
    11. # objects is "jobs"
    12. resources: ["jobs"]
    13. verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

    Allow reading a ConfigMap named “my-config” (must be bound with a RoleBinding to limit to a single ConfigMap in a single namespace):

    1. rules:
    2. - apiGroups: [""]
    3. #
    4. # at the HTTP level, the name of the resource for accessing ConfigMap
    5. # objects is "configmaps"
    6. resources: ["configmaps"]
    7. resourceNames: ["my-config"]
    8. verbs: ["get"]

    Allow reading the resource "nodes" in the core group (because a Node is cluster-scoped, this must be in a ClusterRole bound with a ClusterRoleBinding to be effective):

    1. rules:
    2. - apiGroups: [""]
    3. #
    4. # at the HTTP level, the name of the resource for accessing Node
    5. # objects is "nodes"
    6. resources: ["nodes"]
    7. verbs: ["get", "list", "watch"]

    Allow GET and POST requests to the non-resource endpoint /healthz and all subpaths (must be in a ClusterRole bound with a ClusterRoleBinding to be effective):

    1. rules:
    2. - nonResourceURLs: ["/healthz", "/healthz/*"] # '*' in a nonResourceURL is a suffix glob match
    3. verbs: ["get", "post"]

    Referring to subjects

    A RoleBinding or ClusterRoleBinding binds a role to subjects. Subjects can be groups, users or .

    Kubernetes represents usernames as strings. These can be: plain names, such as “alice”; email-style names, like “bob@example.com”; or numeric user IDs represented as a string. It is up to you as a cluster administrator to configure the authentication modules so that authentication produces usernames in the format you want.

    In Kubernetes, Authenticator modules provide group information. Groups, like users, are represented as strings, and that string has no format requirements, other than that the prefix system: is reserved.

    have names prefixed with system:serviceaccount:, and belong to groups that have names prefixed with system:serviceaccounts:.

    Note:

    • system:serviceaccount: (singular) is the prefix for service account usernames.
    • system:serviceaccounts: (plural) is the prefix for service account groups.

    RoleBinding examples

    The following examples are RoleBinding excerpts that only show the subjects section.

    For a user named alice@example.com:

    For a group named frontend-admins:

    1. subjects:
    2. - kind: Group
    3. name: "frontend-admins"
    4. apiGroup: rbac.authorization.k8s.io

    For the default service account in the “kube-system” namespace:

    1. subjects:
    2. - kind: ServiceAccount
    3. name: default
    4. namespace: kube-system

    For all service accounts in the “qa” namespace:

    1. subjects:
    2. - kind: Group
    3. name: system:serviceaccounts:qa
    4. apiGroup: rbac.authorization.k8s.io

    For all service accounts in any namespace:

    1. subjects:
    2. - kind: Group
    3. name: system:serviceaccounts
    4. apiGroup: rbac.authorization.k8s.io

    For all authenticated users:

    1. subjects:
    2. - kind: Group
    3. name: system:authenticated
    4. apiGroup: rbac.authorization.k8s.io

    For all unauthenticated users:

    1. subjects:
    2. - kind: Group
    3. name: system:unauthenticated
    4. apiGroup: rbac.authorization.k8s.io

    For all users:

    1. subjects:
    2. - kind: Group
    3. name: system:authenticated
    4. apiGroup: rbac.authorization.k8s.io
    5. - kind: Group
    6. name: system:unauthenticated
    7. apiGroup: rbac.authorization.k8s.io

    Default roles and role bindings

    API servers create a set of default ClusterRole and ClusterRoleBinding objects. Many of these are system: prefixed, which indicates that the resource is directly managed by the cluster control plane. All of the default ClusterRoles and ClusterRoleBindings are labeled with kubernetes.io/bootstrapping=rbac-defaults.

    Caution: Take care when modifying ClusterRoles and ClusterRoleBindings with names that have a system: prefix. Modifications to these resources can result in non-functional clusters.

    Auto-reconciliation

    At each start-up, the API server updates default cluster roles with any missing permissions, and updates default cluster role bindings with any missing subjects. This allows the cluster to repair accidental modifications, and helps to keep roles and role bindings up-to-date as permissions and subjects change in new Kubernetes releases.

    To opt out of this reconciliation, set the rbac.authorization.kubernetes.io/autoupdate annotation on a default cluster role or rolebinding to false. Be aware that missing default permissions and subjects can result in non-functional clusters.

    Auto-reconciliation is enabled by default if the RBAC authorizer is active.

    Default role bindings authorize unauthenticated and authenticated users to read API information that is deemed safe to be publicly accessible (including CustomResourceDefinitions). To disable anonymous unauthenticated access, add --anonymous-auth=false to the API server configuration.

    To view the configuration of these roles via kubectl run:

    1. kubectl get clusterroles system:discovery -o yaml

    Note: If you edit that ClusterRole, your changes will be overwritten on API server restart via auto-reconciliation. To avoid that overwriting, either do not manually edit the role, or disable auto-reconciliation.

    User-facing roles

    Some of the default ClusterRoles are not system: prefixed. These are intended to be user-facing roles. They include super-user roles (cluster-admin), roles intended to be granted cluster-wide using ClusterRoleBindings, and roles intended to be granted within particular namespaces using RoleBindings (admin, edit, view).

    User-facing ClusterRoles use ClusterRole aggregation to allow admins to include rules for custom resources on these ClusterRoles. To add rules to the admin, edit, or view roles, create a ClusterRole with one or more of the following labels:

    1. metadata:
    2. labels:
    3. rbac.authorization.k8s.io/aggregate-to-admin: "true"
    4. rbac.authorization.k8s.io/aggregate-to-edit: "true"
    5. rbac.authorization.k8s.io/aggregate-to-view: "true"

    Core component roles

    Other component roles

    Roles for built-in controllers

    The Kubernetes controller manager runs that are built in to the Kubernetes control plane. When invoked with --use-service-account-credentials, kube-controller-manager starts each controller using a separate service account. Corresponding roles exist for each built-in controller, prefixed with system:controller:. If the controller manager is not started with --use-service-account-credentials, it runs all control loops using its own credential, which must be granted all the relevant roles. These roles include:

    • system:controller:attachdetach-controller
    • system:controller:certificate-controller
    • system:controller:cronjob-controller
    • system:controller:daemon-set-controller
    • system:controller:deployment-controller
    • system:controller:disruption-controller
    • system:controller:endpoint-controller
    • system:controller:expand-controller
    • system:controller:generic-garbage-collector
    • system:controller:horizontal-pod-autoscaler
    • system:controller:job-controller
    • system:controller:node-controller
    • system:controller:persistent-volume-binder
    • system:controller:pod-garbage-collector
    • system:controller:pv-protection-controller
    • system:controller:pvc-protection-controller
    • system:controller:replicaset-controller
    • system:controller:replication-controller
    • system:controller:resourcequota-controller
    • system:controller:root-ca-cert-publisher
    • system:controller:route-controller
    • system:controller:service-account-controller
    • system:controller:service-controller
    • system:controller:statefulset-controller
    • system:controller:ttl-controller

    The RBAC API prevents users from escalating privileges by editing roles or role bindings. Because this is enforced at the API level, it applies even when the RBAC authorizer is not in use.

    Restrictions on role creation or update

    You can only create/update a role if at least one of the following things is true:

    1. You already have all the permissions contained in the role, at the same scope as the object being modified (cluster-wide for a ClusterRole, within the same namespace or cluster-wide for a Role).
    2. You are granted explicit permission to perform the escalate verb on the roles or clusterroles resource in the rbac.authorization.k8s.io API group.

    For example, if user-1 does not have the ability to list Secrets cluster-wide, they cannot create a ClusterRole containing that permission. To allow a user to create/update roles:

    1. Grant them a role that allows them to create/update Role or ClusterRole objects, as desired.
    2. Grant them permission to include specific permissions in the roles they create/update:
      • implicitly, by giving them those permissions (if they attempt to create or modify a Role or ClusterRole with permissions they themselves have not been granted, the API request will be forbidden)
      • or explicitly allow specifying any permission in a Role or ClusterRole by giving them permission to perform the escalate verb on roles or clusterroles resources in the rbac.authorization.k8s.io API group

    You can only create/update a role binding if you already have all the permissions contained in the referenced role (at the same scope as the role binding) or if you have been authorized to perform the bind verb on the referenced role. For example, if user-1 does not have the ability to list Secrets cluster-wide, they cannot create a ClusterRoleBinding to a role that grants that permission. To allow a user to create/update role bindings:

    1. Grant them a role that allows them to create/update RoleBinding or ClusterRoleBinding objects, as desired.
    2. Grant them permissions needed to bind a particular role:
      • implicitly, by giving them the permissions contained in the role.
      • explicitly, by giving them permission to perform the bind verb on the particular Role (or ClusterRole).

    For example, this ClusterRole and RoleBinding would allow user-1 to grant other users the admin, edit, and view roles in the namespace user-1-namespace:

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. kind: ClusterRole
    3. metadata:
    4. name: role-grantor
    5. rules:
    6. - apiGroups: ["rbac.authorization.k8s.io"]
    7. resources: ["rolebindings"]
    8. verbs: ["create"]
    9. - apiGroups: ["rbac.authorization.k8s.io"]
    10. resources: ["clusterroles"]
    11. verbs: ["bind"]
    12. # omit resourceNames to allow binding any ClusterRole
    13. resourceNames: ["admin","edit","view"]
    14. ---
    15. apiVersion: rbac.authorization.k8s.io/v1
    16. kind: RoleBinding
    17. metadata:
    18. name: role-grantor-binding
    19. namespace: user-1-namespace
    20. roleRef:
    21. apiGroup: rbac.authorization.k8s.io
    22. kind: ClusterRole
    23. name: role-grantor
    24. subjects:
    25. - apiGroup: rbac.authorization.k8s.io
    26. kind: User
    27. name: user-1

    When bootstrapping the first roles and role bindings, it is necessary for the initial user to grant permissions they do not yet have. To bootstrap initial roles and role bindings:

    • Use a credential with the “system:masters” group, which is bound to the “cluster-admin” super-user role by the default bindings.

    Command-line utilities

    kubectl create role

    Creates a Role object defining permissions within a single namespace. Examples:

    • Create a Role named “pod-reader” that allows users to perform get, watch and list on pods:

      1. kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
    • Create a Role named “pod-reader” with resourceNames specified:

      1. kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
    • Create a Role named “foo” with apiGroups specified:

      1. kubectl create role foo --verb=get,list,watch --resource=replicasets.apps
    • Create a Role named “foo” with subresource permissions:

      1. kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
    • Create a Role named “my-component-lease-holder” with permissions to get/update a resource with a specific name:

      1. kubectl create role my-component-lease-holder --verb=get,list,watch,update --resource=lease --resource-name=my-component

    kubectl create clusterrole

    Creates a ClusterRole. Examples:

    • Create a ClusterRole named “pod-reader” that allows user to perform get, watch and list on pods:

      1. kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
    • Create a ClusterRole named “pod-reader” with resourceNames specified:

      1. kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
    • Create a ClusterRole named “foo” with apiGroups specified:

      1. kubectl create clusterrole foo --verb=get,list,watch --resource=replicasets.apps
    • Create a ClusterRole named “foo” with subresource permissions:

    • Create a ClusterRole named “foo” with nonResourceURL specified:

      1. kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*
    • Create a ClusterRole named “monitoring” with an aggregationRule specified:

      1. kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"

    kubectl create rolebinding

    Grants a Role or ClusterRole within a specific namespace. Examples:

      1. kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=bob --namespace=acme
    • Within the namespace “acme”, grant the permissions in the “view” ClusterRole to the service account in the namespace “acme” named “myapp”:

      1. kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=acme
    • Within the namespace “acme”, grant the permissions in the “view” ClusterRole to a service account in the namespace “myappnamespace” named “myapp”:

      1. kubectl create rolebinding myappnamespace-myapp-view-binding --clusterrole=view --serviceaccount=myappnamespace:myapp --namespace=acme

    kubectl create clusterrolebinding

    Grants a ClusterRole across the entire cluster (all namespaces). Examples:

    • Across the entire cluster, grant the permissions in the “cluster-admin” ClusterRole to a user named “root”:

      1. kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=cluster-admin --user=root
    • Across the entire cluster, grant the permissions in the “system:node-proxier” ClusterRole to a user named “system:kube-proxy”:

      1. kubectl create clusterrolebinding kube-proxy-binding --clusterrole=system:node-proxier --user=system:kube-proxy
    • Across the entire cluster, grant the permissions in the “view” ClusterRole to a service account named “myapp” in the namespace “acme”:

      1. kubectl create clusterrolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp

    kubectl auth reconcile

    Creates or updates rbac.authorization.k8s.io/v1 API objects from a manifest file.

    Missing objects are created, and the containing namespace is created for namespaced objects, if required.

    Existing roles are updated to include the permissions in the input objects, and remove extra permissions if --remove-extra-permissions is specified.

    Existing bindings are updated to include the subjects in the input objects, and remove extra subjects if --remove-extra-subjects is specified.

    Examples:

    • Test applying a manifest file of RBAC objects, displaying changes that would be made:

      1. kubectl auth reconcile -f my-rbac-rules.yaml --dry-run=client
    • Apply a manifest file of RBAC objects, preserving any extra permissions (in roles) and any extra subjects (in bindings):

      1. kubectl auth reconcile -f my-rbac-rules.yaml
    • Apply a manifest file of RBAC objects, removing any extra permissions (in roles) and any extra subjects (in bindings):

      1. kubectl auth reconcile -f my-rbac-rules.yaml --remove-extra-subjects --remove-extra-permissions

    Default RBAC policies grant scoped permissions to control-plane components, nodes, and controllers, but grant no permissions to service accounts outside the kube-system namespace (beyond discovery permissions given to all authenticated users).

    This allows you to grant particular roles to particular ServiceAccounts as needed. Fine-grained role bindings provide greater security, but require more effort to administrate. Broader grants can give unnecessary (and potentially escalating) API access to ServiceAccounts, but are easier to administrate.

    In order from most secure to least secure, the approaches are:

    1. Grant a role to an application-specific service account (best practice)

      This requires the application to specify a serviceAccountName in its pod spec, and for the service account to be created (via the API, application manifest, kubectl create serviceaccount, etc.).

      For example, grant read-only permission within “my-namespace” to the “my-sa” service account:

      1. kubectl create rolebinding my-sa-view \
      2. --clusterrole=view \
      3. --serviceaccount=my-namespace:my-sa \
      4. --namespace=my-namespace
    2. Grant a role to the “default” service account in a namespace

      If an application does not specify a serviceAccountName, it uses the “default” service account.

      Note: Permissions given to the “default” service account are available to any pod in the namespace that does not specify a serviceAccountName.

      For example, grant read-only permission within “my-namespace” to the “default” service account:

      1. kubectl create rolebinding default-view \
      2. --clusterrole=view \
      3. --serviceaccount=my-namespace:default \
      4. --namespace=my-namespace

      Many add-ons run as the “default” service account in the kube-system namespace. To allow those add-ons to run with super-user access, grant cluster-admin permissions to the “default” service account in the kube-system namespace.

      Caution: Enabling this means the kube-system namespace contains Secrets that grant super-user access to your cluster’s API.

      1. kubectl create clusterrolebinding add-on-cluster-admin \
      2. --clusterrole=cluster-admin \
      3. --serviceaccount=kube-system:default
    3. Grant a role to all service accounts in a namespace

      If you want all applications in a namespace to have a role, no matter what service account they use, you can grant a role to the service account group for that namespace.

      For example, grant read-only permission within “my-namespace” to all service accounts in that namespace:

      1. kubectl create rolebinding serviceaccounts-view \
      2. --clusterrole=view \
      3. --group=system:serviceaccounts:my-namespace \
      4. --namespace=my-namespace
    4. Grant a limited role to all service accounts cluster-wide (discouraged)

      If you don’t want to manage permissions per-namespace, you can grant a cluster-wide role to all service accounts.

      For example, grant read-only permission across all namespaces to all service accounts in the cluster:

      1. kubectl create clusterrolebinding serviceaccounts-view \
      2. --clusterrole=view \
      3. --group=system:serviceaccounts
    5. Grant super-user access to all service accounts cluster-wide (strongly discouraged)

      If you don’t care about partitioning permissions at all, you can grant super-user access to all service accounts.

      Warning: This allows any application full access to your cluster, and also grants any user with read access to Secrets (or the ability to create any pod) full access to your cluster.

      1. kubectl create clusterrolebinding serviceaccounts-cluster-admin \
      2. --clusterrole=cluster-admin \
      3. --group=system:serviceaccounts

    Write access for EndpointSlices and Endpoints

    Kubernetes clusters created before Kubernetes v1.22 include write access to EndpointSlices (and Endpoints) in the aggregated “edit” and “admin” roles. As a mitigation for CVE-2021-25740, this access is not part of the aggregated roles in clusters that you create using Kubernetes v1.22 or later.

    Existing clusters that have been upgraded to Kubernetes v1.22 will not be subject to this change. The includes guidance for restricting this access in existing clusters.

    If you want new clusters to retain this level of access in the aggregated roles, you can create the following ClusterRole:

    access/endpoints-aggregated.yaml

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. kind: ClusterRole
    3. metadata:
    4. annotations:
    5. kubernetes.io/description: |-
    6. Add endpoints write permissions to the edit and admin roles. This was
    7. removed by default in 1.22 because of CVE-2021-25740. See
    8. https://issue.k8s.io/103675. This can allow writers to direct LoadBalancer
    9. or Ingress implementations to expose backend IPs that would not otherwise
    10. be accessible, and can circumvent network policies or security controls
    11. intended to prevent/isolate access to those backends.
    12. EndpointSlices were never included in the edit or admin roles, so there
    13. is nothing to restore for the EndpointSlice API.
    14. labels:
    15. rbac.authorization.k8s.io/aggregate-to-edit: "true"
    16. name: custom:aggregate-to-edit:endpoints # you can change this if you wish
    17. rules:
    18. - apiGroups: [""]
    19. resources: ["endpoints"]
    20. verbs: ["create", "delete", "deletecollection", "patch", "update"]

    Clusters that originally ran older Kubernetes versions often used permissive ABAC policies, including granting full API access to all service accounts.

    Default RBAC policies grant scoped permissions to control-plane components, nodes, and controllers, but grant no permissions to service accounts outside the kube-system namespace (beyond discovery permissions given to all authenticated users).

    While far more secure, this can be disruptive to existing workloads expecting to automatically receive API permissions. Here are two approaches for managing this transition:

    Run both the RBAC and ABAC authorizers, and specify a policy file that contains the :

    To explain that first command line option in detail: if earlier authorizers, such as Node, deny a request, then the RBAC authorizer attempts to authorize the API request. If RBAC also denies that API request, the ABAC authorizer is then run. This means that any request allowed by either the RBAC or ABAC policies is allowed.

    When the kube-apiserver is run with a log level of 5 or higher for the RBAC component (--vmodule=rbac*=5 or --v=5), you can see RBAC denials in the API server log (prefixed with RBAC). You can use that information to determine which roles need to be granted to which users, groups, or service accounts.

    Once you have granted roles to service accounts and workloads are running with no RBAC denial messages in the server logs, you can remove the ABAC authorizer.

    Permissive RBAC permissions

    You can replicate a permissive ABAC policy using RBAC role bindings.

    Warning:

    1. kubectl create clusterrolebinding permissive-binding \
    2. --clusterrole=cluster-admin \
    3. --user=admin \

    After you have transitioned to use RBAC, you should adjust the access controls for your cluster to ensure that these meet your information security needs.