Kubernetes RBAC rule structure
In Kubernetes RBAC (Role-Based Access Control), permissions are defined within a rules list contained in [[Role]] or [[ClusterRole]] resources.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md] A single rule explicitly grants access to specific API operations on designated resources.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
Rule Components
To construct a valid RBAC rule, three primary fields must be declared:^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
- apiGroups: Specifies the API group to which the resources belong. An empty string `""` indicates the core API group (legacy v1 resources), while other groups might include `apps`, `batch`, or `extensions`.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
- resources: Lists the Kubernetes object types affected by the rule, such as `pods`, `deployments`, `services`, or `secrets`.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
- verbs: Defines the allowed actions or operations that can be performed on the resources. Common verbs include `get`, `list`, `watch`, `create`, `delete`, and `update`.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
Structure Example
The following YAML snippet demonstrates a rule definition within a Role:^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
```yaml
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```
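As an added illustration (not code from the page's source), the following Python evaluates a request against a `rules` list the way RBAC does: each of `apiGroups`, `resources` and `verbs` is matched exactly, `*` is a wildcard, and rules are purely additive. The rule sets, function names and the `find_wildcard_rules` review helper are constructed for this example.

```python
"""Offline check of Kubernetes RBAC rules: does a rule list permit a request?

Constructed example: POD_READER_RULES mirrors the page's YAML snippet
(get/watch/list on core-group pods); ADMIN_LIKE_RULES is a deliberately
over-broad rule set used to show what a reviewer should flag.
"""

# Rules in the same shape as the `rules:` list in a Role/ClusterRole manifest.
POD_READER_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
]

# Constructed anti-pattern: wildcard in every field grants everything.
ADMIN_LIKE_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]

RULE_FIELDS = ("apiGroups", "resources", "verbs")


def _matches(allowed, value):
    # "*" matches any value in that field; otherwise the match is exact.
    # Note: "pods" does NOT cover the subresource "pods/log"; that needs
    # its own entry, which is why exact string comparison is correct here.
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if this single rule permits the (apiGroup, resource, verb) request."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def rules_allow(rules, api_group, resource, verb):
    """RBAC has no deny rules: a request is permitted if ANY rule allows it."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def find_wildcard_rules(rules):
    """Return indexes of rules using '*' in any field, for least-privilege review."""
    return [i for i, r in enumerate(rules)
            if any("*" in r.get(f, []) for f in RULE_FIELDS)]


if __name__ == "__main__":
    print("pod-reader get pods   ->", rules_allow(POD_READER_RULES, "", "pods", "get"))
    print("pod-reader get secrets->", rules_allow(POD_READER_RULES, "", "secrets", "get"))
    print("wildcard rules to review:", find_wildcard_rules(ADMIN_LIKE_RULES))
```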
Role vs. ClusterRole
While the rule structure is identical for both resource types, the scope of permission depends on whether the rule is placed inside a Role or a ClusterRole.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
- Role: Rules are scoped to a specific namespace.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
- ClusterRole: Rules are cluster-scoped and do not define a namespace, allowing them to grant permissions across the entire cluster or on cluster-level resources.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
Sources
400-devops-06-kubernetes-k8s-ithelp-day29-readme.md