Skip to content


Links: 111 KodeCloud Index


  • We create a role by creating a role object.
  • Each rule has 3 sections
    • apiGroups: For the core group we can leave the apiGroups blank. For any other group we specify the group name.
    • resources
      • We can restrict access to particular resources by specifying the resourceNames field.
      • attachments/Pasted image 20221008194459.jpg
    • verbs: actions the users of these roles can take.
We can have multiple rules for a single role.
  • Simple rbac

    kind: Role
        namespace: default
        name: developer
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["list", "get", "create", "update", "delete"]
    - apiGroups:
      resources: ["ConfigMap"]
      verbs: ["create"]

  • After creating the role we need to link the user to the role.

    • For this we create a RoleBinding object. It links a user object to a role
  • Simple role binding

    kind: RoleBinding
        name: devuser-developer-binding
    - kind: User
      name: dev-user
      kind: Role
      name: developer

Roles and RoleBindings fall under the scope of namespaces.

In the above example the dev user gets access to pods within the default namespace. If we don't specify the namespace they are created in the default namespace. attachments/Pasted image 20221008202019.jpg

  • View the roles: k get roles
  • View the role bindings: k get rolebindings

  • Checking if as a user we have access to a particular resource in a cluster

    • k auth can-i create deployments or k auth can-i delete pods
  • If we are an administrator then we can impersonate another user to check their permissions.
    • k auth can-i create pods --as <user-name>
  • We can also specify the namespace using
    • k auth can-i create pods --as <user-name> --namespace test

Last updated: 2022-10-08