Kubernetes

RBAC Commands

Secure your cluster with fine-grained access control. Learn Roles, ClusterRoles, RoleBindings, and how to implement least-privilege access for users and service accounts.

10 commands

Pro Tips

Use 'kubectl auth can-i' to check if a user/service account has specific permissions.

Create namespace-scoped Roles for most cases. Use ClusterRoles only when truly cluster-wide access is needed.

Use 'kubectl auth can-i --list' to see all permissions for the current user in current namespace.

Common Mistakes

Avoid using 'cluster-admin' ClusterRole except for break-glass scenarios. It grants full cluster access.

Service accounts inherit the 'default' SA permissions if not specified. Always create dedicated SAs.

Commands

List roles

$ kubectl get roles

List all roles in namespace.

List cluster roles

$ kubectl get clusterroles

List all cluster-wide roles.

List role bindings

$ kubectl get rolebindings

List all role bindings in namespace.

Create role

$ kubectl create role <name> --verb=get,list --resource=pods

Create a role with specific permissions.

Create role binding

$ kubectl create rolebinding <name> --role=<role> --serviceaccount=<ns>:<sa>

Bind a role to a service account.

Check permissions

$ kubectl auth can-i get pods

Check if you can perform an action.

Check permissions as user

$ kubectl auth can-i get pods --as=system:serviceaccount:ns:sa

Check permissions as another identity.

Who am I

$ kubectl auth whoami

Show current user/service account identity.

List service accounts

$ kubectl get serviceaccounts

List all service accounts in namespace.

Create service account

$ kubectl create serviceaccount <name>

Create a new service account.