RBAC (Role-Based Access Control)
Kubernetes Role-Based Access Control (RBAC) allows you to regulate access to resources based on the roles of individual users within your cluster. SRExpert provides a visual interface to manage RBAC resources.
Overview
RBAC in Kubernetes uses four main resource types:
| Resource | Scope | Description |
|---|---|---|
| Roles | Namespace | Define permissions within a specific namespace |
| Role Bindings | Namespace | Grant permissions defined in a Role to users/groups |
| Cluster Roles | Cluster-wide | Define permissions across the entire cluster |
| Cluster Role Bindings | Cluster-wide | Grant cluster-wide permissions to users/groups |
Key Concepts
Roles vs Cluster Roles
- Roles are namespace-scoped and can only grant access to resources within a single namespace
- Cluster Roles are cluster-scoped and can grant access to cluster-wide resources (like nodes) or resources in all namespaces
Bindings
Bindings connect roles to subjects (users, groups, or service accounts):
- Role Bindings grant the permissions defined in a Role to subjects within the same namespace
- Cluster Role Bindings grant the permissions defined in a Cluster Role to subjects across the entire cluster
Accessing RBAC in SRExpert
Navigate to Workloads > Access Control to manage RBAC resources:
- Service Accounts - Kubernetes service accounts used by pods
- Roles - Namespace-scoped permission sets
- Role Bindings - Connect roles to subjects within a namespace
- Cluster Roles - Cluster-wide permission sets
- Cluster Role Bindings - Connect cluster roles to subjects cluster-wide
Best Practices
- Principle of Least Privilege - Grant only the minimum permissions necessary
- Use Namespaces - Organize resources and limit role scope using namespaces
- Avoid Wildcards - Be specific about resources and verbs instead of using `*`
- Regular Audits - Periodically review roles and bindings to remove unnecessary permissions
- Use Groups - Bind roles to groups rather than individual users when possible
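As an added example that is not part of SRExpert or this page, the following Python script implements the "Avoid Wildcards" and "Regular Audits" practices above: it walks Role and ClusterRole objects in the shape the Kubernetes API returns and reports every rule field that grants `*`. The sample objects, and the names `SAMPLE_ROLES`, `wildcard_findings` and `audit`, are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample objects, in the shape `kubectl get roles,clusterroles -A -o json`
# returns under .items (not taken from a real cluster).
SAMPLE_ROLES: List[Dict] = [
    {   # namespace-scoped, specific resources and verbs: no finding expected
        "kind": "Role",
        "metadata": {"name": "pod-reader", "namespace": "team-a"},
        "rules": [{"apiGroups": [""], "resources": ["pods"],
                   "verbs": ["get", "list", "watch"]}],
    },
    {   # namespace-scoped, but "*" resources: over-broad within the namespace
        "kind": "Role",
        "metadata": {"name": "debug-role", "namespace": "team-a"},
        "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get"]}],
    },
    {   # cluster-scoped wildcard on every field: effectively cluster-admin
        "kind": "ClusterRole",
        "metadata": {"name": "everything"},
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    },
]


def wildcard_findings(role: Dict) -> List[str]:
    """Return one finding per rule field (apiGroups, resources, verbs) that uses '*'."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append(f"rule[{i}].{field} uses '*'")
    return findings


def audit(roles: List[Dict]) -> Dict[str, List[str]]:
    """Map 'Kind/scope/name' to its wildcard findings; roles without findings are omitted."""
    report = {}
    for role in roles:
        meta = role["metadata"]
        # ClusterRoles carry no namespace, so their scope is reported as cluster-wide.
        scope = meta.get("namespace", "cluster-wide")
        found = wildcard_findings(role)
        if found:
            report[f"{role['kind']}/{scope}/{meta['name']}"] = found
    return report


if __name__ == "__main__":
    for key, findings in audit(SAMPLE_ROLES).items():
        print(key, "->", "; ".join(findings))
```

Feeding the script real output from `kubectl get roles,clusterroles -A -o json` (the `.items` list) gives a starting list for the periodic review; cluster-wide findings deserve attention first because they apply to every namespace.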