Role-Based Access Control (RBAC)
Kubernetes implements a least-privilege RBAC subsystem. When enabled, it locks down a cluster and allows you to grant permissions based on specific users and groups.
The model is based on three major components:
- Subjects
- Operations
- Resources
Subjects are users and groups, and these must be managed outside of Kubernetes. Operations are what the subject is allowed to do (create, list, delete, etc.). Resources are objects on the cluster, such as Pods. Put the three together, and you have an RBAC rule. For example, Abi (subject) is allowed to create (operation) Pods (resource).
RBAC has been stable (v1) since Kubernetes 1.8 and leverages two objects that are defined in the rbac.authorization.k8s.io API group. The two objects are Roles and RoleBindings. The Role is where you define the resource and the operation that you want to allow, and the RoleBinding connects it with a subject.
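To make the Role/RoleBinding split concrete, here is an added example (not part of the original lesson) that models the "Abi may create Pods" rule as the two objects and a small evaluation function that answers a request the way the RBAC authorizer does. The namespace dev, the role name pod-creator, and the binding name abi-pod-creator are assumed values chosen for illustration.

```python
# Added example: a small model of how a Kubernetes RBAC rule is evaluated.
# Not part of the original lesson; "dev", "pod-creator" and
# "abi-pod-creator" are assumed names chosen for illustration.

# Role: the resources and verbs (operations) being granted, in one namespace.
POD_CREATOR_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "pod-creator", "namespace": "dev"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]}],
}

# RoleBinding: connects the Role to a subject (the user Abi).
ABI_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "abi-pod-creator", "namespace": "dev"},
    "subjects": [{"kind": "User", "name": "Abi"}],
    "roleRef": {"kind": "Role", "name": "pod-creator",
                "apiGroup": "rbac.authorization.k8s.io"},
}


def is_allowed(user, groups, verb, resource, namespace, roles, bindings):
    """True if some Role bound to the user (or one of its groups) grants verb
    on resource in namespace. RBAC is purely additive: there are no deny
    rules, so one matching rule allows and no match means denied."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r
                    for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        bound = any((s["kind"] == "User" and s["name"] == user)
                    or (s["kind"] == "Group" and s["name"] in groups)
                    for s in binding["subjects"])
        if not bound:
            continue
        role = roles_by_key.get((namespace, binding["roleRef"]["name"]))
        if role is None:
            continue  # a binding to a missing Role grants nothing
        for rule in role["rules"]:
            verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
            res_ok = "*" in rule["resources"] or resource in rule["resources"]
            if verb_ok and res_ok:
                return True
    return False
```

Because the model is allow-only, anything not explicitly granted (deleting Pods, creating Pods in another namespace, a different user) is denied, which is the least-privilege behaviour the lesson describes.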