Kubernetes RBAC (Role-Based Access Control)
Kubernetes RBAC is a security mechanism used to regulate access to the Kubernetes API server based on the roles of individual users within an enterprise.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] It is the standard authorization mode used to manage permissions, ensuring that users and service accounts have the minimum level of access required to perform their tasks.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
In Kubernetes, Authorization is distinct from Authentication. While Authentication confirms the identity of a user (e.g., via X.509 certificates or tokens), Authorization determines what actions that identity is allowed to perform on specific resources (e.g., creating or deleting pods).^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
RBAC Objects
The RBAC authorization strategy is implemented using four primary Kubernetes objects: Role, ClusterRole, RoleBinding, and ClusterRoleBinding.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
Roles vs. ClusterRoles
Both Role and ClusterRole define a set of permissions (rules) within the RBAC system, but they differ in scope.
- Role: A Role sets permission rules within a specific namespace.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] It is used to grant access to resources like pods, deployments, or secrets, but only within that namespace.
- ClusterRole: A ClusterRole is a non-namespaced resource that defines permissions for the entire cluster.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] It is used for cluster-scoped resources (like nodes) or to grant permissions across all namespaces.
A Role or ClusterRole contains rules, which specify the API Groups, Resources, and Verbs (actions like get, list, create, delete) allowed.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
Bindings
Roles and ClusterRoles define permissions, but they do not apply them to users directly. Bindings are required to associate a role with a subject (user, group, or service account).
- RoleBinding: Grants the permissions defined in a Role (or a ClusterRole) to a subject within a specific namespace.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] Even when a RoleBinding references a ClusterRole, the grant is limited to the namespace the binding lives in.
- ClusterRoleBinding: Grants permissions across the entire cluster.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
Subjects
In RBAC configurations, the subjects field specifies the entities being granted permissions.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] These can be:
- User: A user entity, often identified by a string like an email address or a username derived from a certificate.
- Service Account: Namespaced accounts intended for processes running in pods.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
- Group: A set of users. Kubernetes recognizes system groups (e.g., system:authenticated or system:unauthenticated) or allows custom group names to be linked to users (e.g., via the O field in X.509 certificates).^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
Usage in Helm charts
RBAC is frequently configured within application deployment tools such as Helm. For example, the Jenkins Helm chart includes parameters to manage RBAC resources, such as rbac.create to toggle resource creation and rbac.readSecrets to permit the service account to read Kubernetes Secrets.^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]
Workflow Example
A standard RBAC workflow involves:
1. Authentication: Creating a user (e.g., via X.509 certificates).
2. Role Definition: Creating a Role or ClusterRole YAML file specifying allowed verbs and resources.
3. Binding: Creating a RoleBinding to link the Role to the User.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
Once applied, the user can verify their permissions using kubectl auth can-i.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
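As an added example (not from the cited notes or from any Kubernetes project code), the following simplified Python model evaluates Role, ClusterRole, RoleBinding and ClusterRoleBinding objects for a request the way kubectl auth can-i answers it, so the scoping rules above can be checked offline. The object and subject names (pod-reader, jane, ops, node-viewer) are constructed sample data, and the model deliberately omits resourceNames, subresources, nonResourceURLs and ClusterRole aggregation.

```python
# Added example: a simplified model of how the API server evaluates RBAC, the same
# question `kubectl auth can-i` asks. Teaching code only: it ignores resourceNames,
# subresources, nonResourceURLs and aggregated ClusterRoles.
from typing import List

def _rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """Each of apiGroups, resources and verbs must list the value or '*'."""
    hit = lambda key, want: "*" in rule.get(key, []) or want in rule.get(key, [])
    return hit("apiGroups", api_group) and hit("resources", resource) and hit("verbs", verb)

def _subject_matches(s: dict, user: str, groups: List[str]) -> bool:
    if s["kind"] == "User":
        return s["name"] == user
    if s["kind"] == "Group":
        return s["name"] in groups
    # A ServiceAccount authenticates as the user system:serviceaccount:<ns>:<name>
    return s["kind"] == "ServiceAccount" and user == f"system:serviceaccount:{s['namespace']}:{s['name']}"

def can_i(objects: List[dict], user: str, groups: List[str], verb: str,
          resource: str, namespace: str = "", api_group: str = "") -> bool:
    """Allow if any binding naming the caller resolves to a role with a matching rule."""
    roles = {(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(_subject_matches(s, user, groups) for s in b.get("subjects", [])):
            continue
        # A RoleBinding grants only inside its own namespace, even if it references a
        # ClusterRole; only a ClusterRoleBinding grants in every namespace.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        ref = b["roleRef"]
        ref_ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else ""
        role = roles.get((ref["kind"], ref_ns, ref["name"]))
        if role and any(_rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False  # deny by default: RBAC has no deny rules, only absent allows

# Constructed sample objects, the dict form of the workflow's YAML manifests.
SAMPLE_OBJECTS = [
    {"kind": "Role", "metadata": {"namespace": "dev", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "dev", "name": "read-pods"},
     "subjects": [{"kind": "User", "name": "jane"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRole", "metadata": {"name": "node-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-see-nodes"},
     "subjects": [{"kind": "Group", "name": "ops"}],
     "roleRef": {"kind": "ClusterRole", "name": "node-viewer"}},
]
```

Running can_i with the same subject against dev and prod shows why a RoleBinding in one namespace grants nothing in another, and why only the ClusterRoleBinding reaches cluster-scoped nodes.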
Related Concepts
- Kubernetes
- [[Service Accounts]]
- Helm
Sources
- 400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md
- 400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md