Roles, ClusterRoles, RoleBindings and ClusterRoleBindings control what users, groups and service accounts are allowed to do with the resources deployed in a cluster. Roles and RoleBindings are namespaced: they grant and bind permissions inside a single namespace. ClusterRoles and ClusterRoleBindings are non-namespaced and apply across the whole cluster.
Kubernetes uses role-based access control (RBAC) to decide whether a subject may perform a given action on a Kubernetes object. Clusters bootstrapped with kubeadm have RBAC enabled by default.
Permissions to API resources are granted with Roles and ClusterRoles. The only difference between them is scope: a ClusterRole can cover cluster-wide and non-namespaced resources, while a Role applies only within its own namespace. Each rule in a role names the API groups, the resources (optionally narrowed to particular objects with resourceNames) and the verbs it allows, such as get, list, watch, create, update, patch and delete. RBAC has no deny rules: a request is allowed as soon as any rule in any role bound to the subject matches it, so every rule you add only ever widens access.
Roles can be created imperatively using kubectl create role. You specify the API resources and verbs the role will grant; adding --dry-run=client -o yaml prints the generated manifest without creating the object, which is useful for reviewing or committing it. The resource short names are expanded to their plural forms and placed under the correct API group:
$ kubectl create role default-appmanager --resource pod,svc,deploy --verb get,list,watch,create,delete --dry-run=client -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-appmanager
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - delete
$
Roles and ClusterRoles are assigned to subjects (users, groups and service accounts) using RoleBindings and ClusterRoleBindings. A RoleBinding associates a subject with a Role, or with a ClusterRole, but only inside the binding's own namespace; a ClusterRoleBinding associates a subject with a ClusterRole in every namespace. Any permissions granted by the role are passed to the subject through the binding, and nothing else; a binding never adds permissions of its own.
RoleBindings can also be created imperatively using kubectl create rolebinding. Users are named with the --user flag, groups with --group, and service accounts with --serviceaccount in namespace:name form. The following example binds the default-appmanager role to the default namespace's default service account:
$ kubectl create rolebinding default-appmanager-rb \
    --serviceaccount default:default \
    --role default-appmanager
rolebinding.rbac.authorization.k8s.io/default-appmanager-rb created
$
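To make the scoping rules above concrete, here is an added example that is not part of the page and not kubectl's or the API server's code: a small Python model of the RBAC authorizer's matching logic. It encodes the default-appmanager Role and the default-appmanager-rb RoleBinding exactly as shown, then answers "can this service account do X?" the way kubectl auth can-i would. The ops/deployer service account and the appmanager-cluster ClusterRole in the contrast at the end are hypothetical, introduced only to show how a ClusterRoleBinding differs.

```python
"""Minimal model of the Kubernetes RBAC authorizer (added illustration, not
kubectl or API-server code). It mirrors the documented semantics: a request
is allowed if any rule of any role bound to the subject matches it (there
are no deny rules), and the binding kind decides the namespace scope."""
from dataclasses import dataclass


@dataclass
class Rule:
    api_groups: list   # "" is the core group; "*" matches any group
    resources: list    # plural resource names; "*" matches any resource
    verbs: list        # get, list, watch, create, update, patch, delete, ...

    def matches(self, api_group, resource, verb):
        return (
            ("*" in self.api_groups or api_group in self.api_groups)
            and ("*" in self.resources or resource in self.resources)
            and ("*" in self.verbs or verb in self.verbs)
        )


@dataclass
class Role:             # namespaced
    name: str
    namespace: str
    rules: list


@dataclass
class ClusterRole:      # not namespaced
    name: str
    rules: list


@dataclass
class RoleBinding:      # grants the referenced role's rules in ONE namespace
    namespace: str
    subjects: list      # usernames such as "system:serviceaccount:default:default"
    role_ref: object    # a Role in the same namespace, or a ClusterRole


@dataclass
class ClusterRoleBinding:  # grants a ClusterRole's rules in EVERY namespace
    subjects: list
    role_ref: ClusterRole


def service_account(namespace, name):
    """Username the API server assigns to a ServiceAccount's token."""
    return f"system:serviceaccount:{namespace}:{name}"


def can_i(subject, verb, resource, namespace, bindings, api_group=""):
    """True if some binding for `subject` carries a rule allowing
    `verb` on `resource` (in `api_group`) within `namespace`."""
    for b in bindings:
        if subject not in b.subjects:
            continue
        # A RoleBinding applies only inside its own namespace, even when it
        # references a ClusterRole; a ClusterRoleBinding has no such limit.
        if isinstance(b, RoleBinding) and b.namespace != namespace:
            continue
        if any(r.matches(api_group, resource, verb) for r in b.role_ref.rules):
            return True
    return False


# The Role produced on the page by `kubectl create role default-appmanager`.
default_appmanager = Role(
    name="default-appmanager",
    namespace="default",
    rules=[
        Rule([""], ["pods", "services"], ["get", "list", "watch", "create", "delete"]),
        Rule(["apps"], ["deployments"], ["get", "list", "watch", "create", "delete"]),
    ],
)

# default-appmanager-rb from the page: the Role bound to default/default.
default_sa = service_account("default", "default")
bindings = [RoleBinding("default", [default_sa], default_appmanager)]


def rolebinding_examples():
    """What the bound service account can and cannot do."""
    return {
        "get pods in default": can_i(default_sa, "get", "pods", "default", bindings),
        "delete deployments in default": can_i(
            default_sa, "delete", "deployments", "default", bindings, api_group="apps"),
        "get pods in kube-system": can_i(default_sa, "get", "pods", "kube-system", bindings),
        "get secrets in default": can_i(default_sa, "get", "secrets", "default", bindings),
    }


# Contrast (hypothetical subject and ClusterRole, not from the page): the same
# rules in a ClusterRole bound with a ClusterRoleBinding reach every namespace.
ops_sa = service_account("ops", "deployer")
cluster_bindings = [ClusterRoleBinding(
    [ops_sa], ClusterRole("appmanager-cluster", default_appmanager.rules))]


def clusterrolebinding_examples():
    return {
        "get pods in kube-system": can_i(ops_sa, "get", "pods", "kube-system", cluster_bindings),
        "get secrets in kube-system": can_i(ops_sa, "get", "secrets", "kube-system", cluster_bindings),
    }


if __name__ == "__main__":
    for request, allowed in rolebinding_examples().items():
        print(f"{request}: {'yes' if allowed else 'no'}")
```

The same questions can be asked of a live cluster by impersonating the service account: kubectl auth can-i get pods -n default --as=system:serviceaccount:default:default, or kubectl auth can-i --list with the same --as flag to see everything a binding has granted. Both checks are worth running after every new binding, because a RoleBinding that references a broad ClusterRole, or a rule with a "*" wildcard, grants far more than its name suggests.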
Learn more about Role-Based Access Control