# RBAC Subjects
In Kubernetes [[RBAC]] configurations, Subjects are the identities that receive the permissions defined in a Role or ClusterRole. They define who is being granted access within a RoleBinding or ClusterRoleBinding resource^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
## Subject Types

There are three kinds of subject that can be specified in a binding^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]:

### User
A User represents a specific human or process identity operating outside the cluster (often authenticated via X.509 certificates).^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
Example configuration:

```yaml
subjects:
  - kind: User
    name: "alice@example.com"
    apiGroup: rbac.authorization.k8s.io
```

### ServiceAccount
A ServiceAccount is an identity for processes that run inside a Pod^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. Unlike Users, ServiceAccounts are namespaced resources^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
Example configuration (no `apiGroup` is set, because ServiceAccounts belong to the core API group):

```yaml
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
```

### Group
A Group is used to grant permissions to a collection of users or service accounts simultaneously^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. Kubernetes automatically assigns several groups, and administrators can manage others via authentication modules^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
Common special groups include:

* `system:serviceaccounts:<namespace>`: Grants access to all service accounts within a specific namespace^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
* `system:authenticated`: Represents all authenticated users^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
* `system:unauthenticated`: Represents all unauthenticated users^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].

Example configuration:

```yaml
subjects:
  - kind: Group
    name: system:serviceaccounts:qa
    apiGroup: rbac.authorization.k8s.io
```

## Constraints
The `system:` prefix is reserved by Kubernetes for system use^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. Locally configured usernames or group names must not use this prefix, so that they cannot collide with the identities Kubernetes assigns itself^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
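The rules above (three subject kinds, namespaced ServiceAccounts, `apiGroup` on User and Group subjects, the reserved `system:` prefix, and the very broad built-in groups) can be checked mechanically before a binding is applied. The following linter is an added example written for this note; it is not code from the cited README or from Kubernetes. It takes a RoleBinding as a plain dict, the shape `json.loads` produces from `kubectl get rolebinding <name> -o json`, so it needs no cluster access, and the sample binding at the bottom is constructed for the demonstration. The list of Kubernetes-assigned `system:` identities it recognises is an assumption and deliberately small; anything else with the prefix is reported for review.

```python
"""Lint RoleBinding/ClusterRoleBinding subjects against the rules in this note.

Added illustration, not code from the cited README or from Kubernetes itself.
"""
import json

RBAC_API_GROUP = "rbac.authorization.k8s.io"
SUBJECT_KINDS = {"User", "Group", "ServiceAccount"}

# Groups Kubernetes assigns itself. Assumption: illustrative, not an exhaustive list.
KNOWN_SYSTEM_GROUPS = {
    "system:authenticated", "system:unauthenticated", "system:serviceaccounts",
    "system:masters", "system:nodes", "system:bootstrappers",
}
# Groups whose membership is "everyone"; a grant to them is almost always broader than intended.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def is_known_system_name(kind, name):
    """True when a system:-prefixed name matches an identity Kubernetes creates itself."""
    if kind == "Group":
        return name in KNOWN_SYSTEM_GROUPS or name.startswith("system:serviceaccounts:")
    if kind == "User":
        # Username Kubernetes gives a service-account token: system:serviceaccount:<ns>:<name>
        return name.startswith("system:serviceaccount:") and name.count(":") == 3
    return False


def check_subject(subject):
    """Return a list of findings for one subject entry; an empty list means it is well-formed."""
    kind = subject.get("kind")
    name = subject.get("name") or ""
    if kind not in SUBJECT_KINDS:
        return [f"unsupported subject kind {kind!r}"]
    if not name:
        return [f"{kind} subject has no name"]
    findings = []
    if kind == "ServiceAccount":
        if not subject.get("namespace"):
            findings.append(f"ServiceAccount {name!r} has no namespace; service accounts are namespaced")
        if subject.get("apiGroup"):
            findings.append(f"ServiceAccount {name!r} must leave apiGroup empty (core API group)")
        return findings
    # User and Group subjects are cluster-wide identities carrying the RBAC apiGroup.
    if subject.get("apiGroup") != RBAC_API_GROUP:
        findings.append(f"{kind} {name!r} must set apiGroup: {RBAC_API_GROUP}")
    if subject.get("namespace"):
        findings.append(f"{kind} {name!r} is not namespaced; drop the namespace field")
    if name.startswith("system:") and not is_known_system_name(kind, name):
        findings.append(f"{kind} {name!r} uses the reserved system: prefix but is not a Kubernetes-assigned identity")
    if kind == "Group" and name in BROAD_GROUPS:
        findings.append(f"Group {name!r} grants the role to every {name.split(':')[1]} principal; confirm this is intended")
    return findings


def check_binding(binding):
    """Map the index of each subject that has findings to its list of findings."""
    results = {}
    for index, subject in enumerate(binding.get("subjects") or []):
        findings = check_subject(subject)
        if findings:
            results[index] = findings
    return results


# Constructed sample RoleBinding (not from any real cluster) mixing valid and faulty subjects.
SAMPLE_BINDING = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "RoleBinding",
  "metadata": {"name": "pod-reader-binding", "namespace": "qa"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pod-reader"},
  "subjects": [
    {"kind": "User", "name": "alice@example.com", "apiGroup": "rbac.authorization.k8s.io"},
    {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"},
    {"kind": "Group", "name": "system:serviceaccounts:qa", "apiGroup": "rbac.authorization.k8s.io"},
    {"kind": "ServiceAccount", "name": "ci-runner"},
    {"kind": "User", "name": "system:bob", "apiGroup": "rbac.authorization.k8s.io"},
    {"kind": "Group", "name": "system:unauthenticated", "apiGroup": "rbac.authorization.k8s.io"}
  ]
}
""")

if __name__ == "__main__":
    for index, findings in check_binding(SAMPLE_BINDING).items():
        for finding in findings:
            print(f"subjects[{index}]: {finding}")
```

Run against the sample, the first three subjects (the same three shown in the examples above) pass, while the namespace-less ServiceAccount, the locally named `system:bob` user, and the grant to `system:unauthenticated` are each reported. The last case is the one worth wiring into a review step: a binding to that group hands the role to every unauthenticated caller the API server accepts.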
## Related
- [[RBAC]]
- [[Authentication]]
- [[Service Account]]
## Sources
^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]