
RBAC (Role-Based Access Control)

Kubernetes Role-Based Access Control (RBAC) allows you to regulate access to resources based on the roles of individual users within your cluster. SRExpert provides a visual interface to manage RBAC resources.

Overview

RBAC in Kubernetes uses four main resource types:

Resource                Scope          Description
Roles                   Namespace      Define permissions within a specific namespace
Role Bindings           Namespace      Grant permissions defined in a Role to users/groups
Cluster Roles           Cluster-wide   Define permissions across the entire cluster
Cluster Role Bindings   Cluster-wide   Grant cluster-wide permissions to users/groups

Key Concepts

Roles vs Cluster Roles

  • Roles are namespace-scoped and can only grant access to resources within a single namespace
  • Cluster Roles are cluster-scoped and can grant access to cluster-wide resources (like nodes) or resources in all namespaces

Bindings

Bindings connect roles to subjects (users, groups, or service accounts):

  • Role Bindings grant the permissions defined in a Role to subjects within the same namespace
  • Cluster Role Bindings grant the permissions defined in a Cluster Role to subjects across the entire cluster

Accessing RBAC in SRExpert

Navigate to Security > RBAC & Access (route /security?view=rbac) to manage RBAC resources. The page organizes everything into tabs:

  1. Roles - Namespace-scoped permission sets
  2. ClusterRoles - Cluster-wide permission sets
  3. RoleBindings - Connect roles to subjects within a namespace
  4. ClusterRoleBindings - Connect cluster roles to subjects cluster-wide
  5. Permission Analysis - Review effective permissions across subjects
  6. Audit & Compliance - Audit RBAC configuration for compliance

Network Policies are also listed under the RBAC & Access category (route /security?view=network-policies), as well as in the Workloads section.

Best Practices

  1. Principle of Least Privilege - Grant only the minimum permissions necessary
  2. Use Namespaces - Organize resources and limit role scope using namespaces
  3. Avoid Wildcards - Be specific about resources and verbs instead of using *
  4. Regular Audits - Periodically review roles and bindings to remove unnecessary permissions
  5. Use Groups - Bind roles to groups rather than individual users when possible
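The scoping rules described under Key Concepts (a Role Binding only applies inside its namespace, a Cluster Role Binding applies everywhere) and the Avoid Wildcards and Regular Audits items above, worked through in code. This is an added example, not SRExpert code and not a Kubernetes client: the Role, ClusterRole and binding objects are constructed sample data shaped like the corresponding YAML, and is_allowed and audit_wildcards are assumed helper names that model, in simplified form, what the Permission Analysis and Audit & Compliance tabs report.

```python
"""Added example (not SRExpert code): a small model of how Kubernetes RBAC
evaluates a request, plus a wildcard audit over roles and the subjects
bound to them. All manifests below are constructed sample data."""

# --- Constructed sample manifests (same structure as the Kubernetes YAML) ---
ROLES = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
CLUSTER_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "node-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
    # The "avoid wildcards" anti-pattern: every API group, resource and verb.
    {"kind": "ClusterRole", "metadata": {"name": "do-anything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "dev-team"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "view-nodes"},
     "roleRef": {"kind": "ClusterRole", "name": "node-viewer"},
     "subjects": [{"kind": "Group", "name": "dev-team"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "legacy-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "do-anything"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]


def _binds(binding, role):
    """True if this binding's roleRef points at this Role/ClusterRole."""
    ref, meta = binding["roleRef"], role["metadata"]
    if ref["kind"] != role["kind"] or ref["name"] != meta["name"]:
        return False
    # A Role can only be referenced by a RoleBinding in the same namespace.
    return role["kind"] == "ClusterRole" or binding["metadata"].get("namespace") == meta["namespace"]


def _rules_for(binding):
    """Rules of the role the binding points at ([] if the roleRef is dangling)."""
    for role in ROLES + CLUSTER_ROLES:
        if _binds(binding, role):
            return role["rules"]
    return []


def _rule_allows(rule, api_group, resource, verb):
    """A rule matches when each list names the value or contains '*'."""
    def hit(values, want):
        return "*" in values or want in values
    return hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)


def _bound(binding, subject):
    """Subject matching by kind and name (ServiceAccount namespaces are ignored here)."""
    return any(s["kind"] == subject["kind"] and s["name"] == subject["name"] for s in binding["subjects"])


def is_allowed(subject, verb, resource, namespace=None, api_group=""):
    """Simplified RBAC authorizer: True if any binding for the subject carries a
    matching rule. namespace=None means a cluster-scoped request (e.g. nodes)."""
    for b in BINDINGS:
        if not _bound(b, subject):
            continue
        if b["kind"] == "RoleBinding":
            # A RoleBinding only applies inside its own namespace, even when its
            # roleRef is a ClusterRole, so cluster-scoped requests never match it.
            if namespace is None or b["metadata"]["namespace"] != namespace:
                continue
        if any(_rule_allows(r, api_group, resource, verb) for r in _rules_for(b)):
            return True
    return False


def audit_wildcards():
    """Flag every rule that uses '*' and list the subjects that inherit it."""
    findings = []
    for role in ROLES + CLUSTER_ROLES:
        for rule in role["rules"]:
            fields = [f for f in ("apiGroups", "resources", "verbs") if "*" in rule[f]]
            if not fields:
                continue
            subjects = sorted(f'{s["kind"]}/{s["name"]}'
                              for b in BINDINGS if _binds(b, role) for s in b["subjects"])
            findings.append({"role": f'{role["kind"]}/{role["metadata"]["name"]}',
                             "wildcard_fields": fields, "bound_subjects": subjects})
    return findings


if __name__ == "__main__":
    dev = {"kind": "Group", "name": "dev-team"}
    print("dev-team list pods in dev: ", is_allowed(dev, "list", "pods", namespace="dev"))
    print("dev-team list pods in prod:", is_allowed(dev, "list", "pods", namespace="prod"))
    print("dev-team get nodes:        ", is_allowed(dev, "get", "nodes"))
    for finding in audit_wildcards():
        print("WILDCARD", finding)
```

Running the script shows the dev-team group reading pods in dev but not in prod (the Role Binding is namespace-scoped) while still listing nodes cluster-wide through the Cluster Role Binding, and the audit reports the do-anything ClusterRole together with the one user bound to it, which is the kind of finding the Regular Audits practice is meant to surface.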