Kubernetes RBAC Guide
February 13, 2026
|
Kubernetes
RBAC
Security
Roles, bindings, and least-privilege.
RBAC: Kubernetes Access Control
Role-Based Access Control (RBAC) is the standard authorization mechanism in Kubernetes. It controls who can perform what actions on which resources. Properly configured RBAC is essential for multi-tenant clusters, CI/CD pipelines, and compliance requirements.
RBAC Building Blocks
- Role — Defines permissions within a single namespace
- ClusterRole — Defines permissions cluster-wide
- RoleBinding — Grants a Role to a user/group/service account in a namespace
- ClusterRoleBinding — Grants a ClusterRole cluster-wide
Namespace-Scoped Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: app-developer
namespace: development
rules:
- apiGroups: ["apps"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: [""]
resources: ["pods", "pods/log", "services", "configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"] # Allow kubectl exec for debuggingBinding Roles to Users
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dev-team-binding
namespace: development
subjects:
- kind: Group
name: "dev-team"
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: app-developer
apiGroup: rbac.authorization.k8s.ioService Account for CI/CD
Create a dedicated service account for your CI/CD pipeline with minimal permissions:
apiVersion: v1
kind: ServiceAccount
metadata:
name: cicd-deployer
namespace: production
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: deployer
namespace: production
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "update", "patch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cicd-deployer-binding
namespace: production
subjects:
- kind: ServiceAccount
name: cicd-deployer
namespace: production
roleRef:
kind: Role
name: deployer
apiGroup: rbac.authorization.k8s.ioLeast Privilege Principle
Follow these guidelines for secure RBAC:
- Start with no permissions — Add only what's needed
- Use namespaced Roles over ClusterRoles — Limit blast radius
- Avoid wildcard verbs — Never use
verbs: ["*"]in production - Separate read and write roles — Most users only need read access
- Audit regularly — Use
kubectl auth can-ito verify permissions
Auditing Permissions
# Check what a user can do
kubectl auth can-i --list --as=system:serviceaccount:production:cicd-deployer -n production
# Test specific permissions
kubectl auth can-i delete pods -n production --as=system:serviceaccount:production:cicd-deployer
# Output: no
# Find all ClusterRoleBindings granting cluster-admin
kubectl get clusterrolebindings -o json | jq '.items[] | select(.roleRef.name=="cluster-admin") | .subjects'Common RBAC Patterns
| Role | Permissions | Use Case |
|---|---|---|
| Viewer | get, list, watch on most resources | Developers, monitoring |
| Editor | Viewer + create, update, patch | Senior developers |
| Admin | Editor + delete, role management | Team leads |
| Deployer | Update deployments only | CI/CD pipelines |
Eazy SaaS Tip: We integrate RBAC with AWS SSO for our EKS clients, mapping SSO groups to Kubernetes roles. This gives centralized identity management with fine-grained Kubernetes permissions — and it's an audit requirement for SOC 2 compliance.