Role-Based Access Control (RBAC)

Kubernetes implements a least-privilege RBAC subsystem. When enabled, it locks down a cluster and allows you to grant permissions based on specific users and groups.

The model is based on three major components:

  • Subjects
  • Operations
  • Resources

Subjects are users and groups, and these must be managed outside of Kubernetes. Operations are what the subject is allowed to do (create, list, delete, etc.). Resources are objects on the cluster, such as Pods. Put the three together, and you have an RBAC rule. For example, Abi (subject) is allowed to create (operation) Pods (resource).

RBAC has been stable (v1) since Kubernetes 1.8 and uses two objects that are defined in the rbac.authorization.k8s.io API group. The two objects are Roles and RoleBindings. The Role is where you define the resource and the operation that you want to allow, and the RoleBinding connects it with a subject.
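The "Abi is allowed to create Pods" rule from above, written out as a Role and a RoleBinding. This is an added example, not a manifest from the course; the namespace `team-a` and the user name `abi` are assumed.

```yaml
# Added example: a namespaced Role that permits only the "create" verb on
# Pods, bound to the user "abi". The namespace "team-a" is assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-creator
  namespace: team-a
rules:
  - apiGroups: [""]          # "" is the core API group, where Pods live
    resources: ["pods"]      # the resource
    verbs: ["create"]        # the operation; get/list/delete are not granted
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: abi-pod-creator
  namespace: team-a
subjects:
  - kind: User               # the subject; users are managed outside Kubernetes
    name: abi
    apiGroup: rbac.authorization.k8s.io
roleRef:                     # the Role this binding grants to the subject
  kind: Role
  name: pod-creator
  apiGroup: rbac.authorization.k8s.io
```

After `kubectl apply -f` on this file, `kubectl auth can-i create pods --namespace team-a --as abi` should answer `yes`, while `kubectl auth can-i delete pods --namespace team-a --as abi` answers `no`, confirming that the binding grants nothing beyond the single rule.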
