
RoleBinding vs ClusterRoleBinding

In Kubernetes RBAC (Role-Based Access Control), permissions are defined within Role or ClusterRole objects, but these permissions are not effective until they are bound to a subject (such as a User, Group, or ServiceAccount). This binding is performed using either a RoleBinding or a ClusterRoleBinding.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]

The primary difference between the two lies in their scope: RoleBinding grants permissions within a specific namespace, while ClusterRoleBinding grants permissions across the entire cluster.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]

RoleBinding

A RoleBinding grants the permissions defined in a Role (or ClusterRole) to a subject within a specific namespace.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] It is namespaced, meaning the binding object itself and the permissions it grants are restricted to the namespace defined in its metadata.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]

Characteristics

  • Namespace Scope: The binding only applies to the namespace specified in the RoleBinding's metadata; whatever it grants is evaluated only for requests addressed to that namespace.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
  • Reference Targets: It can bind to a Role, which must live in the same namespace as the RoleBinding.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
  • ClusterRole Usage: It can also bind to a ClusterRole. When a RoleBinding references a ClusterRole, the administrator grants the permissions defined in that cluster-wide resource to subjects within a specific namespace only.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] This is the standard way to define a common role once (for example, a read-only "pod reader") and hand it out namespace by namespace without duplicating the rules. Two caveats: a RoleBinding can never grant access to cluster-scoped resources such as nodes, even if the referenced ClusterRole lists them, and the roleRef of a binding is immutable, so changing which role a binding points at means deleting and recreating the binding.

Example

The following example demonstrates a RoleBinding in the default namespace that grants a user permissions defined in a local Role.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]

# role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-viewer-rolebinding
  namespace: default
subjects:
  - kind: User
    name: pod-viewer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-viewer
  apiGroup: rbac.authorization.k8s.io
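As an added example that is not part of the original page, the following manifests bind a ClusterRole through a RoleBinding, the pattern described in the Characteristics above. The ClusterRole name pod-reader, the namespace team-a, and the ServiceAccount ci-runner are hypothetical names chosen for illustration. Although pod-reader is defined cluster-wide, the RoleBinding confines it: ci-runner can read pods in team-a and nowhere else.

```yaml
# rolebinding-to-clusterrole.yaml (added example; all names are hypothetical)
# A ClusterRole is not namespaced, so one definition can be reused by many namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
  - apiGroups: [""]                  # "" is the core API group
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# The RoleBinding lives in team-a, so the ClusterRole's rules apply there only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-runner-pod-reader
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: ci-runner
    namespace: team-a                # ServiceAccount subjects always carry their own namespace
roleRef:
  kind: ClusterRole                  # a RoleBinding may point at a ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying both objects, verify the scope from the API server's point of view rather than by reading the YAML: `kubectl auth can-i list pods --as=system:serviceaccount:team-a:ci-runner -n team-a` should answer yes, while the same command with `-n kube-system` should answer no, because no binding in kube-system names that service account.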

ClusterRoleBinding

A ClusterRoleBinding is a non-namespaced resource that grants permissions to subjects across all namespaces in the cluster.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] It is typically used to grant administrative privileges or permissions that need to be available globally regardless of namespace boundaries, and it is the only binding type that can grant access to cluster-scoped resources such as nodes, namespaces, or persistentvolumes. Because a single ClusterRoleBinding to a broad ClusterRole (cluster-admin being the extreme case) affects every namespace at once, these bindings are the first place to look when auditing a cluster for over-privileged identities.

Characteristics

  • Cluster Scope: Unlike RoleBinding, it has no namespace field and applies to the entire cluster, including namespaces created after the binding.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
  • Reference Targets: It binds a ClusterRole to subjects; it cannot reference a namespaced Role.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
  • Purpose: Essential for system-wide roles, such as allowing a user to view nodes (a cluster-scoped resource) or to manage namespaced resources in any namespace.
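The ClusterRoleBinding section has no manifest of its own, so here is an added example that is not from the original page. The ClusterRole node-viewer and the group sre-oncall are hypothetical names; the group name is whatever the cluster's authenticator (OIDC claims, client-certificate organization, and so on) presents for the caller. The ClusterRole mixes one cluster-scoped resource with one namespaced resource to make the difference visible: only a ClusterRoleBinding can grant the nodes rule at all, and the pods rule becomes readable in every namespace, including kube-system.

```yaml
# clusterrolebinding.yaml (added example; all names are hypothetical)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-viewer
rules:
  - apiGroups: [""]
    resources: ["nodes"]             # cluster-scoped: grantable only through a ClusterRoleBinding
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods"]              # namespaced: a ClusterRoleBinding grants it in all namespaces
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sre-oncall-node-viewer       # no namespace field: the object itself is cluster-scoped
subjects:
  - kind: Group
    name: sre-oncall                 # group name as presented by the cluster's authenticator
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole                  # a ClusterRoleBinding can only reference a ClusterRole
  name: node-viewer
  apiGroup: rbac.authorization.k8s.io
```

To confirm the effect, `kubectl auth can-i list nodes --as=alice --as-group=sre-oncall` should answer yes for any member of the group, and `kubectl auth can-i list pods --as=alice --as-group=sre-oncall -n kube-system` should answer yes as well, which is exactly the reach a namespaced RoleBinding would not have had. If the same node-viewer ClusterRole were instead referenced from a RoleBinding in one namespace, members could read pods in that namespace but still could not list nodes. For a quick inventory of who holds cluster-wide power, `kubectl get clusterrolebindings -o custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECTS:.subjects[*].name` lists every binding with its role and subjects; rows whose ROLE is cluster-admin deserve a justification each.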

Subjects

Both binding types accept the same subject kinds:

  • User: a specific user identity (e.g., alice@example.com).^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] Kubernetes has no User object; the name is whatever the authenticator (certificate, token, OIDC) reports.
  • ServiceAccount: a service account in a specific namespace (e.g., the default service account in the kube-system namespace).^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] The subject entry must carry the service account's namespace, since the same name exists in many namespaces.
  • Group: a set of users, often addressed through system prefixes such as system:authenticated (every authenticated identity) or system:serviceaccounts:qa (every service account in the qa namespace).^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] Binding anything beyond API discovery to system:authenticated or system:unauthenticated grants it to every caller the API server accepts, so treat such bindings as cluster-wide grants to everyone.

Comparison Summary

Feature        | RoleBinding                                                                                       | ClusterRoleBinding
Scope          | Single namespace (e.g., default)^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]         | Cluster-wide (all namespaces)^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
Binding Target | Role or ClusterRole^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]                      | ClusterRole^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]
Use Case       | Granting permissions to resources within a specific project or namespace boundary.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md] | Granting cluster-admin privileges or permissions that must exist everywhere.^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]

Sources

^[400-devops__06-Kubernetes__k8s-ithelp__Day29__README.md]