Cluster Roles | Kubernetes
In the RBAC authorization mode article we discussed that Role and RoleBinding are namespaced: they are created within a namespace, and if none is specified they are created in the default namespace.
Generally, a namespace helps in grouping and isolating resources such as Pods, Deployments, Services and ReplicaSets. However, a few resources cannot be grouped into a namespace at all, for example Nodes (we cannot say a Node belongs to namespace xyz). Nodes are cluster-wide resources and cannot be associated with any namespace.
In the RBAC article we already learnt how to authorize users for namespaced resources (Pod, Deployment, Service, etc.) using Role and RoleBinding.
How do we authorize users to cluster wide resources?
We use ClusterRole and ClusterRoleBinding. These two objects need to be created to authorize users for cluster-scoped resources.
1- Create a ClusterRole.
We can create a ClusterRole that gives a cluster admin access to create, view and delete nodes in the cluster.
2- Link the user to the ClusterRole created in the first step. For this we need to create another object, a ClusterRoleBinding. Sample code is shown below.
Additional Notes:
ClusterRole and ClusterRoleBinding are used for cluster-scoped resources. This is not a hard rule, though: we can also create a ClusterRole for namespaced resources. If we do, the user gets access to those resources across all namespaces, not just one.
root@controlplane:~# kubectl create clusterrole node-lists --verb=list --resource=node --dry-run=client -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: node-lists
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list

## Create clusterRole to provide access to list node
root@controlplane:~# kubectl create clusterrole node-lists --verb=list --resource=node
clusterrole.rbac.authorization.k8s.io/node-lists created
root@controlplane:~# kubectl get clusterrole node-lists
NAME         CREATED AT
node-lists   2021-08-05T01:18:38Z

## Create ClusterRolebinding
root@controlplane:~# kubectl create clusterrolebinding michelle-cluster-binding --clusterrole=node-lists --user=michelle --dry-run=client -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: michelle-cluster-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-lists
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: michelle

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: storage-admin
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "watch", "list", "create", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-storage-admin
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: storage-admin
  apiGroup: rbac.authorization.k8s.io
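To see what these manifests actually grant, here is an added example (not code from the page or from Kubernetes) that models the ClusterRoles and ClusterRoleBindings above as dicts and answers the same question `kubectl auth can-i --as <user>` would. The `pod-reader` ClusterRole, the `auditor` and `dev-user` subjects, and the namespaced Role/RoleBinding in namespace `dev` are constructed here to contrast the Additional Notes case against a plain RoleBinding; rule matching is simplified (no resourceNames, subresources or non-resource URLs).

```python
# ClusterRoles from the page, as dicts. "pod-reader" is a constructed example of
# a ClusterRole over a namespaced resource (the Additional Notes case).
CLUSTER_ROLES = {
    "node-lists": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["list"]}],
    "storage-admin": [
        {"apiGroups": [""], "resources": ["persistentvolumes"],
         "verbs": ["get", "watch", "list", "create", "delete"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
         "verbs": ["get", "watch", "list", "create", "delete"]},
    ],
    "pod-reader": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
# Hypothetical namespaced Role for contrast, keyed by (namespace, name).
ROLES = {("dev", "pod-reader"): [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}

# The page's two ClusterRoleBindings for michelle, plus a constructed one for "auditor".
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "node-lists", "subjects": [("User", "michelle")]},
    {"roleRef": "storage-admin", "subjects": [("User", "michelle")]},
    {"roleRef": "pod-reader", "subjects": [("User", "auditor")]},   # hypothetical
]
# Hypothetical RoleBinding in namespace "dev" to the namespaced Role.
ROLE_BINDINGS = [
    {"namespace": "dev", "roleRef": "pod-reader", "subjects": [("User", "dev-user")]},
]


def _rule_allows(rule, verb, resource, api_group):
    """A rule matches when apiGroup, resource and verb are all listed (or wildcarded)."""
    def hit(values, want):
        return want in values or "*" in values
    return (hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def can_i(user, verb, resource, api_group="", namespace=None):
    """True if `user` may perform `verb` on `resource`. namespace=None means a
    cluster-scoped request (e.g. nodes). ClusterRoleBindings apply in every
    namespace and to cluster-scoped resources; RoleBindings only apply in their own."""
    subject = ("User", user)
    rules = [r for b in CLUSTER_ROLE_BINDINGS if subject in b["subjects"]
             for r in CLUSTER_ROLES.get(b["roleRef"], [])]
    if namespace is not None:
        rules += [r for b in ROLE_BINDINGS
                  if b["namespace"] == namespace and subject in b["subjects"]
                  for r in ROLES.get((namespace, b["roleRef"]), [])]
    return any(_rule_allows(r, verb, resource, api_group) for r in rules)


if __name__ == "__main__":
    print(can_i("michelle", "list", "nodes"))                   # True: node-lists binding
    print(can_i("michelle", "delete", "nodes"))                 # False: only "list" was granted
    print(can_i("auditor", "list", "pods", namespace="prod"))   # True: ClusterRoleBinding reaches every namespace
    print(can_i("dev-user", "list", "pods", namespace="prod"))  # False: RoleBinding is confined to "dev"
```

The last two calls are the point of the Additional Notes: the same `pod-reader` rules grant pods in every namespace when bound through a ClusterRoleBinding, but only in `dev` when bound through a RoleBinding there.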