
K8s RBAC


Configure Kubernetes RBAC

Works with OpenClaude

You are a Kubernetes security engineer. The user wants to configure Kubernetes RBAC (Role-Based Access Control) to restrict pod and resource access by creating roles, cluster roles, and bindings.

What to check first

  • Run kubectl auth can-i list pods --as=system:serviceaccount:default:default to verify current permissions
  • Run kubectl get serviceaccounts -A to see existing service accounts across namespaces
  • Run kubectl get roles,rolebindings,clusterroles,clusterrolebindings to audit existing RBAC configuration

Steps

  1. Create a namespace with kubectl create namespace rbac-demo to isolate RBAC test environment
  2. Create a service account with kubectl create serviceaccount dev-user -n rbac-demo that will be bound to roles
  3. Define a Role manifest specifying allowed verbs (get, list, create, delete) and resource types (pods, deployments, services)
  4. Apply the Role with kubectl apply -f role.yaml to register it in the cluster
  5. Create a RoleBinding manifest linking the Role to the service account using subjects and roleRef fields
  6. Apply the RoleBinding with kubectl apply -f rolebinding.yaml to activate the role assignment
  7. Test permissions with kubectl auth can-i get pods --as=system:serviceaccount:rbac-demo:dev-user -n rbac-demo to verify access
  8. For cluster-wide access, use ClusterRole and ClusterRoleBinding instead of Role and RoleBinding, specifying kind: ClusterRole in the manifest

Code

---
# Namespace for isolation
apiVersion: v1
kind: Namespace
metadata:
  name: rbac-demo

---
# Service Account for the developer user
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user
  namespace: rbac-demo

---
# Role granting read-only access to pods, pod logs and deployments in this namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: rbac-demo
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]   # the log subresource is pods/log (not pods/logs); "pods" alone does not grant it
  verbs: ["get"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]

---
# RoleBinding connecting Role to ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-user-pod-reader
  namespace: rbac-demo
subjects:
- kind: ServiceAccount
  name: dev-user
  namespace: rbac-demo
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

---
# ClusterRole

Note: this example was truncated in the source. See the GitHub repo for the latest full version.
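As an added example (not part of the skill or its repository), the following Python module evaluates the RBAC rule semantics offline, the same checks `kubectl auth can-i` asks the live API server to make in step 7: rules are additive with no deny, a Role/RoleBinding is confined to its namespace, a ClusterRoleBinding applies cluster-wide (step 8), and `pods` never implies the `pods/log` subresource. The objects are constructed dicts mirroring the page's Role and RoleBinding plus a hypothetical ClusterRole and ClusterRoleBinding for a User named `auditor`.

```python
# Constructed sample objects as dicts (no YAML parser needed): the page's
# Role/RoleBinding plus a hypothetical cluster-wide ClusterRole for a User.
OBJECTS = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "rbac-demo"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
               {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
               {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-user-pod-reader", "namespace": "rbac-demo"},
     "subjects": [{"kind": "ServiceAccount", "name": "dev-user", "namespace": "rbac-demo"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "auditor-pod-viewer"},
     "subjects": [{"kind": "User", "name": "auditor"}],
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"}},
]
DEV_USER = {"kind": "ServiceAccount", "name": "dev-user", "namespace": "rbac-demo"}
AUDITOR = {"kind": "User", "name": "auditor"}

def _resource_matches(allowed, resource):
    # Exact match, "*" (everything) or "*/<sub>" for a named subresource;
    # "pods" alone never grants "pods/log", and "pods/*" is not a wildcard.
    sub = resource.partition("/")[2]
    return any(r == "*" or r == resource or (sub and r == "*/" + sub) for r in allowed)

def _rule_allows(rule, api_group, resource, verb):
    return (("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
            and _resource_matches(rule["resources"], resource)
            and ("*" in rule["verbs"] or verb in rule["verbs"]))

def _subject_matches(subject, who):
    # ServiceAccount subjects are namespaced; User and Group subjects are not.
    return (subject["kind"] == who["kind"] and subject["name"] == who["name"]
            and (subject["kind"] != "ServiceAccount" or subject.get("namespace") == who.get("namespace")))

def can_i(objects, who, verb, resource, namespace=None, api_group=""):
    """True if any binding grants the verb; rules are additive, there is no deny."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    bindings = [b for b in objects if b["kind"] in ("RoleBinding", "ClusterRoleBinding")
                and any(_subject_matches(s, who) for s in b["subjects"])]
    for b in bindings:
        # A RoleBinding grants only inside its namespace, even for a ClusterRole.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        ref = b["roleRef"]
        ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else None
        role = roles.get((ref["kind"], ns, ref["name"]))
        if role and any(_rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False
```

Use it to build the expected baseline for "How to Verify It Worked": every access the model says is denied should also come back `no` from `kubectl auth can-i` against the cluster.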

Common Pitfalls

  • Treating this skill as a one-shot solution — most workflows need iteration and verification
  • Skipping the verification steps — you don't know it worked until you measure
  • Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

  • When a simpler manual approach would take less than 10 minutes
  • On critical production systems without testing in staging first
  • When you don't have permission or authorization to make these changes

How to Verify It Worked

  • Run the verification steps documented above
  • Compare the output against your expected baseline
  • Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

  • Test in staging before deploying to production
  • Have a rollback plan — every change should be reversible
  • Monitor the affected systems for at least 24 hours after the change

Quick Info

Difficulty: advanced
Version: 1.0.0
Author: Claude Skills Hub
Tags: kubernetes, rbac, security

Install command:

curl -o ~/.claude/skills/k8s-rbac.md https://claude-skills-hub.vercel.app/skills/docker/k8s-rbac.md
