
RBAC Permission Rules

In Kubernetes, RBAC Permission Rules are the specific configurations defined within Role or ClusterRole resources that determine what actions are permitted on specific API resources^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. These rules form the core of the authorization mechanism, allowing administrators to enforce the principle of least privilege^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. Rules are purely additive: there is no deny rule, so any request not explicitly allowed by some rule bound to the caller is refused.

Rule Structure

A single permission rule is defined by a collection of three main properties:

  • apiGroups: Specifies the API Group to which the resource belongs, i.e. the part before the version in apiVersion (apps for apps/v1). The core group is represented by an empty string "", while other groups include apps, batch, or extensions^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. The extensions group is deprecated and its resources have been moved to groups such as apps and networking.k8s.io; a rule that names the wrong group grants nothing, since "" never matches apps. The wildcard "*" matches every group.
  • resources: Lists the specific Kubernetes objects targeted by the rule, such as pods, deployments, services, or secrets^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
  • verbs: Defines the allowable actions (verbs) that can be performed on the resources^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. The wildcard "*" matches every verb, including less common ones such as deletecollection, and should be avoided outside break-glass roles. Common verbs include:
    • get, list, watch: For reading resources^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
    • create: For creating new resources^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
    • update, patch: For modifying existing resources^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
    • delete: For removing resources^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].

Role vs. ClusterRole

While the rules themselves are structurally similar, their scope depends on the resource type they are defined within:

  • Role: Contains rules that grant permissions within a specific namespace^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
  • ClusterRole: Contains rules that grant permissions at the cluster level^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. Unlike Roles, ClusterRoles are non-namespaced resources and are used for cluster-scoped resources (such as nodes) or to grant permissions across all namespaces^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. The effective scope is set by the binding, not only by the role: a ClusterRole referenced from a ClusterRoleBinding applies cluster-wide, but the same ClusterRole referenced from a RoleBinding grants its rules only inside that binding's namespace, which is a common way to reuse one definition across many namespaces.

Example

The following rules block, placed inside a Role whose metadata.namespace is default, allows reading pods in that namespace^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. Because no resourceNames are listed, it covers every pod there, and because only "pods" is listed, subresources such as pods/log or pods/exec are not included:

rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
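To see what such a rule does and does not grant without a cluster, the following added example (not code from the page or from Kubernetes) models the matching performed by the RBAC authorizer: verbs and apiGroups match exactly or via "*", resources match exactly, via "*" or via "*/<subresource>", and resourceNames, when set, must contain the request's object name. It also covers the scope point from the Role vs. ClusterRole section by modelling a binding as a rule set with an optional namespace. The bindings, the names pod-reader, deploy-scaler and db-secret-reader, and the can_i helper are constructed for illustration; nonResourceURLs and aggregation are not modelled.

```python
"""Offline model of Kubernetes RBAC rule matching (added example, not upstream code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One resource request as the API server sees it after authentication."""
    verb: str
    api_group: str          # "" is the core group (pods, secrets, services)
    resource: str           # "pods", "deployments", ...
    namespace: str = ""     # "" for cluster-scoped resources such as nodes
    name: str = ""          # empty for list/watch/create: no object name yet
    subresource: str = ""   # "log", "scale", "status", ...


def rule_allows(rule: dict, req: Request) -> bool:
    """True if a single apiGroups/resources/verbs[/resourceNames] rule matches."""
    verbs = rule.get("verbs", [])
    if "*" not in verbs and req.verb not in verbs:
        return False
    groups = rule.get("apiGroups", [])
    if "*" not in groups and req.api_group not in groups:
        return False
    # A subresource is matched as "pods/log"; "pods" alone never implies it.
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    if not any(
        r == "*" or r == combined or (req.subresource and r == f"*/{req.subresource}")
        for r in rule.get("resources", [])
    ):
        return False
    names = rule.get("resourceNames", [])
    # With resourceNames set, list/watch/create carry no object name and are refused.
    return not names or req.name in names


def binding_allows(binding: dict, req: Request) -> bool:
    """A RoleBinding grants only in its namespace; a ClusterRoleBinding everywhere."""
    scope = binding.get("namespace")  # None models a ClusterRoleBinding
    if scope is not None and scope != req.namespace:
        return False
    return any(rule_allows(rule, req) for rule in binding["rules"])


def authorize(bindings: list, req: Request) -> bool:
    """RBAC is allow-only: the request succeeds if any binding permits it."""
    return any(binding_allows(b, req) for b in bindings)


# Constructed sample (hypothetical names): the page's pod-reader rule plus two more.
BINDINGS = [
    {   # Role "pod-reader" in default, bound by a RoleBinding in default
        "namespace": "default",
        "rules": [{"apiGroups": [""], "resources": ["pods"],
                   "verbs": ["get", "watch", "list"]}],
    },
    {   # ClusterRole "deploy-scaler" referenced by a RoleBinding in staging:
        # defined cluster-wide, but this binding grants it in staging only
        "namespace": "staging",
        "rules": [{"apiGroups": ["apps"], "resources": ["deployments/scale"],
                   "verbs": ["update", "patch"]}],
    },
    {   # ClusterRole "db-secret-reader" bound by a ClusterRoleBinding; "list"
        # is granted on paper but resourceNames makes it unusable in practice
        "rules": [{"apiGroups": [""], "resources": ["secrets"],
                   "resourceNames": ["db-creds"], "verbs": ["get", "list"]}],
    },
]


def can_i(verb, resource, namespace="", api_group="", name="", subresource=""):
    """Offline stand-in for `kubectl auth can-i` against the constructed bindings."""
    return authorize(BINDINGS, Request(verb, api_group, resource, namespace, name, subresource))


if __name__ == "__main__":
    checks = [
        ("get pods in default", can_i("get", "pods", "default")),
        ("get pods in kube-system", can_i("get", "pods", "kube-system")),
        ("get pods/log in default", can_i("get", "pods", "default", subresource="log")),
        ("get deployments.apps in default", can_i("get", "deployments", "default", "apps")),
        ("patch deployments/scale in staging",
         can_i("patch", "deployments", "staging", "apps", subresource="scale")),
        ("patch deployments/scale in default",
         can_i("patch", "deployments", "default", "apps", subresource="scale")),
        ("get secret db-creds in prod", can_i("get", "secrets", "prod", name="db-creds")),
        ("list secrets in prod", can_i("list", "secrets", "prod")),
    ]
    for label, ok in checks:
        print(f"{'yes' if ok else 'no':<4}{label}")
```

Against a real cluster the same questions are answered by kubectl auth can-i (for example kubectl auth can-i get pods/log -n default --as=system:serviceaccount:default:reader), which is the check to run after applying a Role, since the model above deliberately ignores aggregation and non-resource URLs.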

Related

  • [[RBAC]]
  • [[Service Account]]
  • [[RoleBinding]]

Sources

^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]