
RBAC ClusterRoleBinding

A ClusterRoleBinding is a Kubernetes API resource used within the Role-Based Access Control (RBAC) system to grant permissions defined in a [[ClusterRole]] to a user, group, or [[ServiceAccount]] across the entire cluster^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].

Definition and Scope

Unlike a standard RoleBinding, which is namespace-scoped, a ClusterRoleBinding operates at the cluster level^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md]. The permissions it grants apply in every namespace and to cluster-scoped resources (nodes, namespaces, persistent volumes), which makes it suitable for administrative tasks and other cluster-wide operations. Note that a RoleBinding may also reference a ClusterRole, but then the ClusterRole's rules only take effect inside that RoleBinding's namespace; only a ClusterRoleBinding grants them cluster-wide.

Resource Structure

A ClusterRoleBinding resource is defined with fields for apiVersion, kind, metadata, roleRef, and subjects^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].

RoleRef

The roleRef section specifies the [[ClusterRole]] being bound^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].

  • kind: Must be ClusterRole^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].
  • name: The name of the ClusterRole (e.g., cluster-admin)^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].
  • apiGroup: rbac.authorization.k8s.io^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].

The roleRef of a binding is immutable: to point an existing binding at a different role, delete the binding and recreate it.

Subjects

The subjects field contains a list of entities to which the permissions are granted^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].

  • kind: The type of subject, such as ServiceAccount, User, or Group^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].
  • name: The name of the subject^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].
  • namespace: The namespace where the subject resides (required for ServiceAccounts, omitted for User and Group subjects)^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].

User and Group subjects additionally carry apiGroup: rbac.authorization.k8s.io; ServiceAccount subjects leave apiGroup empty.

Example: Granting Cluster Admin

A common use case is granting a service account full cluster administrative privileges. Kubernetes ships with a default cluster-admin ClusterRole, so administrators can bind to it rather than defining a new role^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md]. Be aware of what this grants: cluster-admin allows every verb on every resource in every namespace, so any token issued for the bound ServiceAccount is effectively a root credential for the cluster. Prefer a narrower ClusterRole where the workload does not need everything, and protect the token accordingly.

The following example creates a ClusterRoleBinding named cluster-admin-binding that grants the cluster-admin-tommy ServiceAccount in the kube-system namespace administrative access^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md]:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-admin-binding
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: cluster-admin-tommy
  namespace: kube-system

Usage Workflow

To implement access control using a ClusterRoleBinding, the typical workflow involves creating the target ServiceAccount, creating the binding via a YAML file, and then obtaining the credentials required to authenticate^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].

  1. Create the ServiceAccount: Use kubectl create sa to generate the identity^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].
  2. Apply the Binding: Use kubectl create -f to apply the ClusterRoleBinding configuration^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md].
  3. Retrieve Token: Obtain an authentication token for the ServiceAccount^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md]. On clusters before Kubernetes 1.24 this meant extracting the token from the Secret automatically attached to the ServiceAccount; from 1.24 onward no such Secret is created, and a short-lived token is requested with kubectl create token instead.
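The three steps above as one script, added here as an example and not taken from the source note. It assumes the names used in the YAML above (ServiceAccount cluster-admin-tommy in kube-system, binding cluster-admin-binding, role cluster-admin), a kubectl in PATH pointed at a cluster of version 1.24 or later, and a caller allowed to create bindings; the RUN_WORKFLOW guard variable and the function names are this example's own. It also adds two checks the note does not mention: a kubectl auth can-i verification of the new grant and a jsonpath listing of every binding to cluster-admin, so the grant stays visible in later reviews.

```shell
#!/bin/sh
# Added example: ClusterRoleBinding workflow for a ServiceAccount.
# Names are assumptions matching the page's YAML; override via environment.
set -eu

SA_NAME="${SA_NAME:-cluster-admin-tommy}"
SA_NAMESPACE="${SA_NAMESPACE:-kube-system}"
BINDING_NAME="${BINDING_NAME:-cluster-admin-binding}"
CLUSTER_ROLE="${CLUSTER_ROLE:-cluster-admin}"

# Render the ClusterRoleBinding manifest for a single ServiceAccount subject.
# Arguments: binding-name cluster-role sa-name sa-namespace
render_binding() {
  cat <<EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $1
roleRef:
  kind: ClusterRole
  name: $2
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: $3
  namespace: $4
EOF
}

# Step 1: create the ServiceAccount (dry-run + apply keeps it idempotent).
create_service_account() {
  kubectl create serviceaccount "$SA_NAME" -n "$SA_NAMESPACE" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Step 2: apply the binding from the rendered manifest on stdin.
apply_binding() {
  render_binding "$BINDING_NAME" "$CLUSTER_ROLE" "$SA_NAME" "$SA_NAMESPACE" \
    | kubectl apply -f -
}

# Step 3: obtain a token. Kubernetes 1.24+ no longer creates a token Secret
# for a ServiceAccount, so request a short-lived one via the TokenRequest API.
get_token() {
  kubectl create token "$SA_NAME" -n "$SA_NAMESPACE" --duration=1h
}

# Check: the ServiceAccount should now be allowed to do anything cluster-wide
# (kubectl prints "yes"). Impersonation requires that the caller may impersonate.
verify_binding() {
  kubectl auth can-i '*' '*' --all-namespaces \
    --as="system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"
}

# Audit: every ClusterRoleBinding whose roleRef is cluster-admin, with subjects.
list_cluster_admin_bindings() {
  kubectl get clusterrolebindings -o jsonpath='{range .items[?(@.roleRef.name=="cluster-admin")]}{.metadata.name}{"\t"}{.subjects[*].kind}{" "}{.subjects[*].name}{"\n"}{end}'
}

main() {
  create_service_account
  apply_binding
  verify_binding
  TOKEN="$(get_token)"
  # Report only the length: the token itself must never land in logs.
  echo "token obtained (${#TOKEN} characters)"
  list_cluster_admin_bindings
}

# Only touch the cluster when explicitly asked: RUN_WORKFLOW=1 ./binding.sh
if [ "${RUN_WORKFLOW:-0}" = 1 ]; then
  main
fi
```

Run it with RUN_WORKFLOW=1 to execute all three steps; without the variable the script only defines the functions, so render_binding can be sourced and reviewed before anything is applied.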
  • [[RBAC]]
  • [[ServiceAccount]]
  • [[ClusterRole]]

Sources

^[400-devops-06-kubernetes-k8s-learning-01dashboard-dashboatdinstall.md]