Kubernetes RoleBinding and ClusterRoleBinding
In Kubernetes, RoleBinding and ClusterRoleBinding are resources used to grant permissions defined in Roles or ClusterRoles to users, groups, or service accounts.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md] While Roles define what can be done, bindings define who can do it by linking subjects (users) to the permissions.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
RoleBinding
A RoleBinding grants permissions within a specific namespace.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md] It links a subject (like a User or ServiceAccount) to a Role or a ClusterRole, effectively applying the rules defined in that role to the subject within the binding's namespace.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
For example, to grant a user read-only access to Pods in the default namespace, you would create a RoleBinding in that namespace referencing the user and the relevant Role.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md] If you attempt to access resources in a different namespace where no binding exists, the request will be denied.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
Configuration
A RoleBinding resource requires two main sections:
* subjects: The list of users, groups, or service accounts to grant permissions to.
* roleRef: A reference to the Role or ClusterRole being bound.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-viewer-rolebinding
  namespace: default
subjects:
- kind: User
  name: pod-viewer
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-viewer
  apiGroup: rbac.authorization.k8s.io
```
Subject Types
The subjects field can reference several types of entities:^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
- User: A specific user, typically identified by a certificate Common Name (CN) or an external provider.

```yaml
- kind: User
  name: "alice@example.com"
  apiGroup: rbac.authorization.k8s.io
```

- ServiceAccount: A service account within a specific namespace.

```yaml
- kind: ServiceAccount
  name: default
  namespace: kube-system
```

- Group: A logical grouping of users.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]

```yaml
- kind: Group
  name: system:serviceaccounts:qa
  apiGroup: rbac.authorization.k8s.io
```
ClusterRoleBinding
A ClusterRoleBinding is used to grant permissions across the entire cluster and all namespaces.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md] It is typically used to bind a ClusterRole to subjects that need cluster-wide administrative access or permissions that are not scoped to a single namespace.
Because ClusterRoleBindings allow access to all resources cluster-wide, they should be used with caution to adhere to the principle of least privilege.^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]
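To make the scoping rules above concrete, here is a small added Python evaluator (example code, not from the cited source or from any Kubernetes project) that resolves constructed RoleBinding and ClusterRoleBinding manifests to allow/deny answers in the way `kubectl auth can-i` does, and lists ClusterRoleBindings granted to catch-all groups as a least-privilege check. The manifests, the users `pod-viewer` and `dave`, and the `secret-reader` ClusterRole are constructed sample data, not objects from a real cluster.

```python
# Constructed sample manifests (not from any real cluster); rules keyed by (kind, namespace, name).
ROLES = {
    ("Role", "default", "pod-viewer"): [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
    ("ClusterRole", None, "secret-reader"): [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}],
}
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "pod-viewer-rolebinding", "namespace": "default"},
     "subjects": [{"kind": "User", "name": "pod-viewer"}],
     "roleRef": {"kind": "Role", "name": "pod-viewer"}},
    {"kind": "RoleBinding", "metadata": {"name": "dev-secret-reader", "namespace": "development"},
     "subjects": [{"kind": "User", "name": "dave"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "qa-secret-readers"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:qa"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]
# Well-known catch-all groups: a ClusterRoleBinding to one of these reaches every matching caller.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}

def subject_matches(subject, identity):
    """identity = {"kind": "User"|"ServiceAccount", "name", "namespace" (SA only), "groups": [...]}."""
    if subject["kind"] == "Group":
        return subject["name"] in identity.get("groups", [])
    if subject["kind"] != identity["kind"] or subject["name"] != identity["name"]:
        return False
    # ServiceAccount subjects are namespaced; User subjects are not.
    return subject["kind"] != "ServiceAccount" or subject["namespace"] == identity.get("namespace")

def rules_for(binding):
    # Resolve roleRef: a Role lives in the binding's namespace, a ClusterRole is cluster-wide.
    ref = binding["roleRef"]
    ns = binding["metadata"]["namespace"] if ref["kind"] == "Role" else None
    return ROLES.get((ref["kind"], ns, ref["name"]), [])

def can(identity, verb, resource, namespace, bindings=BINDINGS):
    """RBAC is allow-only: the first matching rule grants, nothing ever denies."""
    for b in bindings:
        # A RoleBinding grants only inside its own namespace, even when roleRef is a ClusterRole.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_matches(s, identity) for s in b["subjects"]):
            continue
        for rule in rules_for(b):
            if ("*" in rule["verbs"] or verb in rule["verbs"]) and \
               ("*" in rule["resources"] or resource in rule["resources"]):
                return True
    return False

def broad_cluster_bindings(bindings=BINDINGS):
    """Least-privilege check: names of ClusterRoleBindings whose subjects include a catch-all group."""
    return [b["metadata"]["name"] for b in bindings if b["kind"] == "ClusterRoleBinding"
            and any(s["kind"] == "Group" and s["name"] in BROAD_GROUPS for s in b["subjects"])]
```

Against a real cluster, `kubectl auth can-i get pods --namespace default --as pod-viewer` answers the same question from the API server's own RBAC state.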
Related Concepts
- [[RBAC]]
- Role vs ClusterRole
- [[Authentication]]
- [[Service Account]]
- Kubernetes Namespace
Sources
^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]