By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
(Roles, RoleBindings, ClusterRoles, ClusterRoleBindings)
RBAC (Role-Based Access Control) in Kubernetes is how you control who can do what in your cluster. Think of it like a security badge system in an office: - Roles define what actions are allowed (e.g., "read files," "open doors").- RoleBindings assign those roles to who (users, service accounts, groups).- ClusterRoles and ClusterRoleBindings do the same, but cluster-wide (not just in one namespace).
kubectl
staging
kubectl delete --all
You’re a DevOps engineer at a fintech startup. Your CI/CD pipeline deploys to production, but a junior dev accidentally merges a PR that deletes all pods in default. Without RBAC, the pipeline has full admin access—game over. With RBAC, you restrict the CI/CD service account to only deploy to production and nothing else.
production
default
verbs
get
secrets
RoleBinding
Role
cluster-admin
ClusterRoleBinding
list
create
delete
watch
patch
kubectl get pods --watch
pods
deployments
nodes
*
pods/my-pod
secrets/db-password
ci-cd
Create a service account for CI/CD that can only deploy to ci-cd namespace and cannot touch anything else.
kubectl create namespace ci-cd
kubectl create serviceaccount ci-cd-sa -n ci-cd
Verify:
kubectl get serviceaccounts -n ci-cd
Output:
NAME SECRETS AGE ci-cd-sa 1 5s default 1 10s
Create role.yaml:
role.yaml
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: ci-cd name: ci-cd-deployer rules: - apiGroups: ["", "apps", "batch"] # "" = core API group resources: ["pods", "deployments", "jobs", "services"] verbs: ["get", "list", "create", "update", "delete", "patch"]
Apply:
kubectl apply -f role.yaml
Create rolebinding.yaml:
rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: ci-cd-deployer-binding namespace: ci-cd subjects: - kind: ServiceAccount name: ci-cd-sa namespace: ci-cd roleRef: kind: Role name: ci-cd-deployer apiGroup: rbac.authorization.k8s.io
kubectl apply -f rolebinding.yaml
Get the service account token:
kubectl get secret -n ci-cd $(kubectl get serviceaccount ci-cd-sa -n ci-cd -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 --decode
Save the token to a variable:
TOKEN=$(kubectl get secret -n ci-cd $(kubectl get serviceaccount ci-cd-sa -n ci-cd -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 --decode)
Test access (should work):
kubectl --token=$TOKEN -n ci-cd get pods
Test access (should fail):
kubectl --token=$TOKEN -n default get pods
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:ci-cd:ci-cd-sa" cannot list resource "pods" in API group "" in the namespace "default"
If CI/CD needs to read cluster-wide resources (e.g., nodes), create a ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: ci-cd-reader rules: - apiGroups: [""] resources: ["nodes", "namespaces"] verbs: ["get", "list"]
Bind it with a ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: ci-cd-reader-binding subjects: - kind: ServiceAccount name: ci-cd-sa namespace: ci-cd roleRef: kind: ClusterRole name: ci-cd-reader apiGroup: rbac.authorization.k8s.io
kubectl apply -f clusterrole.yaml -f clusterrolebinding.yaml
Test:
kubectl --token=$TOKEN get nodes
resources: ["*"]
verbs: ["*"]
dev
prod
team-resource-verb
dev-pods-reader
team-resource-verb-binding
dev-pods-reader-binding
environment: prod
kubectl apply
kubectl auth can-i
bash kubectl auth can-i create pods --as=system:serviceaccount:ci-cd:ci-cd-sa -n ci-cd
apiGroups
forbidden
apps
resources
❌ ClusterRole and ClusterRoleBinding (cluster-wide).
"How do you grant a user read-only access to all pods in a namespace?"
Create a Role with verbs: ["get", "list"] and bind it with a RoleBinding.
verbs: ["get", "list"]
"What’s the difference between a Role and a ClusterRole?"
ClusterRole = Cluster-wide (e.g., nodes, namespaces).
namespaces
"How do you check if a service account can delete pods?" bash kubectl auth can-i delete pods --as=system:serviceaccount:namespace:sa-name
bash kubectl auth can-i delete pods --as=system:serviceaccount:namespace:sa-name
"You need to allow a CI/CD pipeline to deploy to staging but not production. How?"- ✅ Answer: - Create a Role in staging with verbs: ["create", "update", "delete"] on deployments. - Bind it to the CI/CD ServiceAccount with a RoleBinding. - Do not grant any permissions in production.
verbs: ["create", "update", "delete"]
A monitoring tool (Prometheus) needs to read all pods and nodes in the cluster but should not modify anything. Create the minimal RBAC setup for it.
bash kubectl apply -f prometheus-clusterrole.yaml -f prometheus-clusterrolebinding.yaml
kubectl apply -f clusterrole.yaml
kubectl apply -f clusterrolebinding.yaml
kubectl auth can-i create pods --as=system:serviceaccount:ns:sa-name
kubectl get roles -n namespace
-A
kubectl get rolebindings -n namespace
kubectl get clusterroles
kubectl get clusterrolebindings
RBAC is not optional in production. Start restrictive, then loosen permissions as needed. A single misconfigured ClusterRoleBinding can take down your entire cluster—test everything with kubectl auth can-i.
Now go lock down your cluster! ?
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.