Skip to main content
The RBAC (Role-Based Access Control) section helps you understand and manage access control in your Kubernetes cluster.

Overview

Kubernetes RBAC controls who can do what in your cluster:
  • Roles - Namespace-scoped permissions
  • ClusterRoles - Cluster-wide permissions
  • RoleBindings - Grant Roles to users/groups in a namespace
  • ClusterRoleBindings - Grant ClusterRoles cluster-wide
  • ServiceAccounts - Identities for pods and services

Accessing RBAC Resources

Navigate to your cluster and click Kubernetes in the sidebar. RBAC resources include:
ResourcePath
RolesKubernetes → Roles
ClusterRolesKubernetes → Cluster Roles
RoleBindingsKubernetes → Role Bindings
ClusterRoleBindingsKubernetes → Cluster Role Bindings
ServiceAccountsKubernetes → Service Accounts

Roles and ClusterRoles

Roles define what actions are allowed on which resources.

Roles (Namespace-scoped)

Roles grant permissions within a specific namespace.
ColumnDescription
NameRole name
NamespaceNamespace where role exists
RulesNumber of permission rules
AgeTime since creation

ClusterRoles (Cluster-wide)

ClusterRoles grant permissions across all namespaces or on cluster-scoped resources.
ColumnDescription
NameClusterRole name
RulesNumber of permission rules
AggregationWhether it aggregates other roles
AgeTime since creation

Rule Details

Click a Role or ClusterRole to view its rules:
FieldDescription
API GroupsWhich API groups ("" for core, apps, batch, etc.)
ResourcesResource types (pods, deployments, secrets, etc.)
VerbsAllowed actions (get, list, create, update, delete, etc.)
Resource NamesSpecific resource names (optional)

Common Verbs

VerbDescription
getRead a single resource
listList resources
watchWatch for changes
createCreate new resources
updateModify existing resources
patchPartially update resources
deleteRemove resources
deletecollectionDelete multiple resources

Built-in ClusterRoles

RoleDescription
cluster-adminFull cluster access
adminFull namespace access
editRead/write most resources
viewRead-only access

RoleBindings and ClusterRoleBindings

Bindings connect Roles to users, groups, or service accounts.

RoleBindings (Namespace-scoped)

Grant a Role’s permissions within a specific namespace.
ColumnDescription
NameBinding name
NamespaceNamespace where binding applies
RoleReferenced Role or ClusterRole
SubjectsUsers, groups, or service accounts
AgeTime since creation

ClusterRoleBindings (Cluster-wide)

Grant a ClusterRole’s permissions across all namespaces.
ColumnDescription
NameBinding name
RoleReferenced ClusterRole
SubjectsUsers, groups, or service accounts
AgeTime since creation

Subject Types

TypeDescription
UserIndividual user identity
GroupGroup of users
ServiceAccountKubernetes service account

Binding Details

Click a binding to view:
  • Role Reference - The Role or ClusterRole being granted
  • Subjects - Who receives the permissions

ServiceAccounts

ServiceAccounts provide identities for pods and applications.

Viewing ServiceAccounts

ColumnDescription
NameServiceAccount name
NamespaceKubernetes namespace
SecretsNumber of associated secrets
AgeTime since creation

ServiceAccount Details

Click a ServiceAccount to view:
  • Secrets - Associated token secrets
  • Image Pull Secrets - Registry credentials
  • Automount Token - Whether token is auto-mounted to pods
  • Used By - Pods using this service account

Default ServiceAccount

Every namespace has a default ServiceAccount. Pods use it unless another is specified: 
spec:
  serviceAccountName: my-service-account

Common Patterns

Viewing Who Has Access

  1. Navigate to ClusterRoleBindings or RoleBindings
  2. Search for bindings referencing a specific role
  3. View the Subjects to see who has that role

Checking a ServiceAccount’s Permissions

  1. Find the ServiceAccount in Service Accounts
  2. Navigate to RoleBindings and ClusterRoleBindings
  3. Filter for bindings where the subject is this ServiceAccount
  4. View the referenced Roles to see granted permissions

Least Privilege Principle

When creating new roles:
  1. Start with minimal permissions
  2. Add specific verbs and resources as needed
  3. Use Roles instead of ClusterRoles when possible
  4. Avoid wildcard (*) permissions in production

RBAC Examples

Read-only Access to Pods

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

Deployment Manager

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-manager
  namespace: default
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Binding to a ServiceAccount

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployment-manager-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: deploy-bot
  namespace: default
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: rbac.authorization.k8s.io

Troubleshooting RBAC

”Forbidden” Errors

When you see Error from server (Forbidden):
  1. Check which user/ServiceAccount is making the request
  2. Find bindings for that subject
  3. Verify the Role includes the necessary verb and resource
  4. Check the correct namespace for RoleBindings

Debugging Steps

  1. Check the user/SA:
    • What identity is making the request?
  2. Find bindings:
    • Search RoleBindings/ClusterRoleBindings for the subject
  3. Check the Role:
    • Verify rules include the required verb + resource
  4. Namespace scope:
    • Is it a namespaced resource? Is the RoleBinding in the right namespace?

Tips

Use Groups: Bind roles to groups rather than individual users for easier management.
Audit Bindings: Regularly review ClusterRoleBindings for cluster-admin access.
Namespace Isolation: Use Roles and RoleBindings to isolate teams to their namespaces.
Service Account Tokens: Disable automounting of tokens for pods that don’t need cluster access.
Still have questions? Join our Slack community and we’ll help out.