Kubernetes RBAC: Role-Based Access Control Demystified

2 min read

Kubernetes RBAC (Role-Based Access Control)

Role-Based Access Control (RBAC) is a critical Kubernetes feature that regulates access to cluster resources based on user roles. By defining who can do what, RBAC ensures a secure and controlled Kubernetes environment, aligning with the principle of least privilege.

In this article, we’ll explore the key concepts, components, and examples to understand how to implement RBAC in Kubernetes.

Key Concepts of RBAC

1. Subject

A subject represents the entity requesting access to the Kubernetes API. It can be:

  • Users: Human or service accounts interacting with the cluster.
  • Groups: Logical collections of users.
  • Service Accounts: Accounts specifically for Pods to interact with the API server.

2. Role and ClusterRole

  • Role: Defines permissions within a specific namespace.
  • ClusterRole: Similar to a Role but applicable cluster-wide.

3. RoleBinding and ClusterRoleBinding

  • RoleBinding: Associates a Role with a Subject within a namespace.
  • ClusterRoleBinding: Associates a ClusterRole with a Subject at the cluster level.

RBAC API Group

RBAC resources belong to the rbac.authorization.k8s.io API group. These resources include:

  • Role
  • ClusterRole
  • RoleBinding
  • ClusterRoleBinding

RBAC Workflow

  1. Create a Role or ClusterRole: Define the permissions for accessing resources.
  2. Create a RoleBinding or ClusterRoleBinding: Link the Role/ClusterRole to a Subject.
  3. Verify Access: Use the kubectl auth can-i command to validate permissions.

Examples of RBAC

1. Create a Role

This Role allows a user to perform read-only actions (get, list, watch) on Pods in a namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]

2. Create a RoleBinding

Bind the pod-reader Role to a user named john.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: default
subjects:
  - kind: User
    name: john
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

3. Create a ClusterRole

This ClusterRole grants permissions to read Secrets cluster-wide.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]

4. Create a ClusterRoleBinding

Bind the secret-reader ClusterRole to a service account in the kube-system namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: secret-reader-binding
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

Best Practices for Using RBAC

1. Principle of Least Privilege

  • Assign the minimum required permissions to users and service accounts.

2. Use Namespaces for Isolation

  • Scope Roles and RoleBindings to namespaces for better control.

3. Regularly Audit RBAC Policies

  • Use tools like kubectl describe and kubectl auth can-i to verify RBAC configurations.

4. Prefer Role and RoleBinding Over ClusterRole and ClusterRoleBinding

  • Limit permissions to specific namespaces unless cluster-wide access is necessary.

5. Restrict Default Service Accounts

  • Disable the default service account in namespaces where it isn’t needed.

Verifying RBAC Configurations

Use the kubectl auth can-i command to verify a user’s permissions.

Example:

kubectl auth can-i get pods --namespace=default

Output:

  • yes: The user has the required permission.
  • no: The user lacks the required permission.

Common Use Cases

1. Read-Only Access to Resources

Grant a developer read-only access to Pods and Deployments.

2. Administrator Access

Provide cluster administrators full access to manage all resources.

3. Restricting Sensitive Resources

Limit access to Secrets and ConfigMaps to specific service accounts or roles.

RBAC Troubleshooting

  • Permissions Denied: Check the Role, RoleBinding, or ClusterRoleBinding configuration.
  • Resource Misalignment: Ensure the apiGroups, resources, and verbs in the Role match the intended permissions.

Conclusion

RBAC is a foundational security feature in Kubernetes, enabling precise control over who can access what resources. By carefully defining Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings, you can ensure a secure and well-governed Kubernetes environment.