Role vs ClusterRole
In Kubernetes [[RBAC]] (Role-Based Access Control), Role and ClusterRole are resources that define a set of permission rules.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] They determine what actions (verbs) can be performed on specific resources within the Kubernetes API.
Scope of Access
The primary distinction between the two lies in their scope within the cluster infrastructure^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
- Role: Defines access permissions within a specific namespace^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. It is namespaced, meaning the permissions granted by a Role are strictly limited to resources within that designated namespace.
- ClusterRole: Is a cluster-scoped resource^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. It does not belong to any specific namespace and can define permissions for resources cluster-wide or across specific namespaces depending on how it is bound.
Structure and Definition
Both resources are composed of Rules^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. A rule must declare three parts^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]:
- apiGroups: The API group to which the resources belong (e.g., "" for the core group, apps, batch).
- resources: The type of resource (e.g., pods, deployments, services).
- verbs: The actions allowed (e.g., get, list, watch, create, delete).
When defining the resource, a Role must include a metadata.namespace field^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md], whereas a ClusterRole does not^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
Usage Contexts
- Role: Typically used for granular access control within a single application or team boundary (namespace).
- ClusterRole: Essential for defining permissions that need to apply across all namespaces (e.g., viewing pods in every namespace) or for managing cluster-scoped resources like Nodes themselves^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. Without ClusterRole, administrators would have to bind a separate Role for every namespace individually, which would be inefficient and difficult to manage^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md].
Binding
To grant permissions defined in a Role or ClusterRole to a user, group, or [[Service Account]], you must use a Binding:
- RoleBinding: Grants the permissions from a Role (or a ClusterRole) to a subject within a specific namespace^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]. When a RoleBinding references a ClusterRole, the granted permissions are still confined to the RoleBinding's namespace.
- ClusterRoleBinding: Grants the permissions from a ClusterRole to a subject across the entire cluster^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md], which is the only way to grant access to cluster-scoped resources such as Nodes.
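To make the scope rules from the sections above concrete, here is an added example (not from the original note or from Kubernetes itself) that models how the authorizer resolves a request through the three binding combinations: RoleBinding to Role, RoleBinding to ClusterRole, and ClusterRoleBinding to ClusterRole. The role names, the `dev` namespace and the subject `alice` are constructed for the example.

```python
# Added example (not from the original note): a minimal model of how the
# API server's RBAC authorizer resolves Role/ClusterRole scope via bindings.
# Manifests are dicts mirroring the YAML layout; the role names and the
# subject "alice" are constructed for this example.

ROLES = {  # keyed by (kind, namespace, name); ClusterRoles have namespace None
    ("Role", "dev", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
    ("ClusterRole", None, "node-viewer"): [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}],
    ("ClusterRole", None, "deploy-reader"): [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get"]}],
}

BINDINGS = [
    # RoleBinding -> Role: scoped to the "dev" namespace
    {"kind": "RoleBinding", "namespace": "dev",
     "roleRef": ("Role", "pod-reader"), "subjects": ["alice"]},
    # RoleBinding -> ClusterRole: reusable rules, still limited to "dev"
    {"kind": "RoleBinding", "namespace": "dev",
     "roleRef": ("ClusterRole", "deploy-reader"), "subjects": ["alice"]},
    # ClusterRoleBinding -> ClusterRole: every namespace + cluster-scoped kinds
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": ("ClusterRole", "node-viewer"), "subjects": ["alice"]},
]

def rule_matches(rule, api_group, resource, verb):
    """A rule grants a request only if group, resource and verb all match."""
    return (api_group in rule["apiGroups"]
            and resource in rule["resources"]
            and verb in rule["verbs"])

def allowed(subject, verb, api_group, resource, namespace=None):
    """True if any binding for `subject` covers the request.
    namespace=None is a cluster-scoped request (e.g. nodes), which only a
    ClusterRoleBinding can satisfy."""
    for b in BINDINGS:
        if subject not in b["subjects"]:
            continue
        # A RoleBinding never reaches beyond its own namespace, even when
        # it references a ClusterRole.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        kind, name = b["roleRef"]
        ns = b["namespace"] if kind == "Role" else None
        rules = ROLES.get((kind, ns, name), [])
        if any(rule_matches(r, api_group, resource, verb) for r in rules):
            return True
    return False
```

Running `allowed("alice", "get", "apps", "deployments", "prod")` returns False even though the ClusterRole exists, because it was bound with a RoleBinding in `dev`; the same subject can list nodes cluster-wide only because of the ClusterRoleBinding.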
Sources
- 400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md
Related
- [[RBAC]]
- [[Service Account]]
- Kubernetes