RBAC Authorization | Kubernetes

  • Create a Role (use the Role object).
  • Link the users to the Role (use the RoleBinding object).
Role
# Example Role in the "default" namespace that grants get/watch/list/create/delete on pods:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: developer
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list", "create", "delete"] # verbs are lowercase and matched case-sensitively
# Example RoleBinding that grants the "developer" Role to the user "dev-user" within the "default" namespace.
# This allows "dev-user" to act on pods in the "default" namespace according to the Role's rules.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser-developer-binding
  namespace: default # a RoleBinding is namespaced; without this it lands in the current kubectl namespace
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
View Role & RoleBinding objects
# Provide access to deployments in the "blue" namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: blue
  name: deploy-role
rules:
- apiGroups: ["apps", "extensions"]
  resources: ["deployments"]
  verbs: ["create"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-deploy-binding
  namespace: blue
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deploy-role
  apiGroup: rbac.authorization.k8s.io
Check what the current user is allowed to do with kubectl auth can-i:
$ kubectl auth can-i create deployment
$ kubectl auth can-i delete nodes
We can also check for any other user by impersonating them with --as:
$ kubectl auth can-i create pods --as dev-user
$ kubectl auth can-i create pods --as dev-user --namespace dev-env
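To see why the Role/RoleBinding pair above answers the can-i questions the way it does, here is an added example that is not code from the original post and not a Kubernetes client library: a small offline evaluator that applies the same decision rule the API server uses for namespaced RBAC. The post's two Roles and RoleBindings are transcribed as Python dicts (so it runs without PyYAML); the RESOURCE_GROUPS table is a constructed stand-in for API discovery, and the third Role/RoleBinding pair (typo-role in the dev-env namespace, verb "Create" with a capital C) is constructed to show that verbs are matched case-sensitively. Group subjects and ClusterRole references are out of scope.

```python
"""Offline evaluator for namespaced Kubernetes RBAC (Role + RoleBinding).

Added example: not code from the original post and not a Kubernetes client
library. It reproduces the decision behind `kubectl auth can-i`: a request is
allowed if ANY rule of ANY Role bound to the subject in the request's
namespace matches the request's apiGroup, resource and verb.
"""
from typing import Any, Dict, List

# The post's manifests, transcribed as dicts so this runs without PyYAML.
ROLES: List[Dict[str, Any]] = [
    {"kind": "Role", "metadata": {"namespace": "default", "name": "developer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "watch", "list", "create", "delete"]}]},
    {"kind": "Role", "metadata": {"namespace": "blue", "name": "deploy-role"},
     "rules": [{"apiGroups": ["apps", "extensions"], "resources": ["deployments"],
                "verbs": ["create"]}]},
    # Constructed for this example (not from the post): a verb with the wrong case.
    {"kind": "Role", "metadata": {"namespace": "dev-env", "name": "typo-role"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["Create"]}]},
]

BINDINGS: List[Dict[str, Any]] = [
    {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "devuser-developer-binding"},
     "subjects": [{"kind": "User", "name": "dev-user"}],
     "roleRef": {"kind": "Role", "name": "developer"}},
    {"kind": "RoleBinding", "metadata": {"namespace": "blue", "name": "dev-user-deploy-binding"},
     "subjects": [{"kind": "User", "name": "dev-user"}],
     "roleRef": {"kind": "Role", "name": "deploy-role"}},
    # Constructed: binds the typo-role above to the same user in dev-env.
    {"kind": "RoleBinding", "metadata": {"namespace": "dev-env", "name": "typo-binding"},
     "subjects": [{"kind": "User", "name": "dev-user"}],
     "roleRef": {"kind": "Role", "name": "typo-role"}},
]

# Constructed stand-in for API discovery: resource name -> API group.
# kubectl resolves this for you; here it is hard-coded for the post's resources.
RESOURCE_GROUPS: Dict[str, str] = {"pods": "", "deployments": "apps", "nodes": ""}


def rule_matches(rule: Dict[str, Any], api_group: str, resource: str, verb: str) -> bool:
    """A rule matches only if apiGroups, resources AND verbs each contain the
    requested value (or "*"). Matching is exact and case-sensitive, so a rule
    listing "Create" never authorizes "create"."""
    def hit(values: List[str], wanted: str) -> bool:
        return wanted in values or "*" in values

    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def roles_bound_to(user: str, namespace: str) -> List[Dict[str, Any]]:
    """Roles granted to `user` in `namespace`. A RoleBinding is effective only
    in its own namespace and may reference only a Role from that namespace."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in ROLES}
    bound = []
    for binding in BINDINGS:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a binding in "blue" says nothing about "dev-env"
        if not any(s.get("kind") == "User" and s.get("name") == user
                   for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if ref.get("kind") != "Role":
            continue  # ClusterRole references are out of scope for this example
        role = roles_by_key.get((namespace, ref["name"]))
        if role is not None:
            bound.append(role)
    return bound


def can_i(user: str, verb: str, resource: str, namespace: str = "default") -> bool:
    """RBAC is allow-only and additive: one matching rule anywhere is enough,
    and no rule can deny what another rule grants."""
    api_group = RESOURCE_GROUPS.get(resource, "")
    return any(rule_matches(rule, api_group, resource, verb)
               for role in roles_bound_to(user, namespace)
               for rule in role.get("rules", []))


def explain(user: str, verb: str, resource: str, namespace: str = "default") -> str:
    """One line shaped like the post's `kubectl auth can-i ... --as ... --namespace ...`."""
    answer = "yes" if can_i(user, verb, resource, namespace) else "no"
    return f"can-i {verb} {resource} --as {user} --namespace {namespace}: {answer}"


if __name__ == "__main__":
    for ns, verb, res in [("default", "create", "pods"), ("dev-env", "create", "pods"),
                          ("blue", "create", "deployments"), ("blue", "delete", "nodes")]:
        print(explain("dev-user", verb, res, ns))
```

Running it shows dev-user can create pods in default and deployments in blue, but not pods in dev-env: the constructed typo-role is bound there, yet "Create" does not match "create". The delete-nodes check is denied simply because no bound rule mentions nodes (on a real cluster a Role could not grant it anyway, since nodes are cluster-scoped). The practical lesson is that a denied can-i usually means either the binding is in the wrong namespace or a rule field does not match exactly.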
