
How to Configure Kubernetes RBAC

By Admin · Mar 2, 2026 · Updated Apr 23, 2026


Role-Based Access Control (RBAC) in Kubernetes lets you define fine-grained permissions for users, service accounts, and groups. Properly configured RBAC is essential for securing your Breeze-hosted clusters, especially in multi-tenant environments.

Understanding RBAC Resources

Kubernetes RBAC revolves around four core objects:

  • Role — grants permissions within a specific namespace
  • ClusterRole — grants permissions cluster-wide or across all namespaces
  • RoleBinding — binds a Role to subjects (users, groups, service accounts) within a namespace
  • ClusterRoleBinding — binds a ClusterRole to subjects across the entire cluster

Creating a Namespace-Scoped Role

This Role allows reading pods and viewing logs in the staging namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: staging
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]

Binding the Role to a User

Create a RoleBinding to grant the pod-reader role to a user named dev-jane:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: staging
subjects:
- kind: User
  name: dev-jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Creating a ClusterRole for Deployments

A ClusterRole can be reused across namespaces: a RoleBinding that references it grants its permissions only inside that binding's namespace, while a ClusterRoleBinding grants them across the whole cluster. This lets you define the permission set once and scope it per namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-manager
rules:
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "create", "update"]

Testing RBAC Permissions

Use kubectl auth can-i to verify what a user can do:

# Check if dev-jane can list pods in staging
kubectl auth can-i list pods --namespace=staging --as=dev-jane

# Check if dev-jane can delete deployments cluster-wide
kubectl auth can-i delete deployments --all-namespaces --as=dev-jane
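To make the authorization rules behind these checks concrete, here is an added example (not part of this article and not Breeze or Kubernetes code) that models the RBAC authorizer over the manifests above. It adds one hypothetical RoleBinding, deploy-staging, that grants the deployment-manager ClusterRole to a group named platform-team in staging only; the can_i function mirrors what kubectl auth can-i asks the API server.

```python
# Minimal model of the Kubernetes RBAC authorizer (added example, not the
# API server's code). Constructed policy: the pod-reader Role, its
# RoleBinding and the deployment-manager ClusterRole from this article,
# plus a hypothetical RoleBinding for the group "platform-team".

ROLES = {  # keyed by (namespace, name)
    ("staging", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
}
CLUSTER_ROLES = {
    "deployment-manager": [
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["services"],
         "verbs": ["get", "list", "create", "update"]},
    ],
}
# (binding namespace or None for a ClusterRoleBinding, subjects, roleRef kind, roleRef name)
BINDINGS = [
    ("staging", [("User", "dev-jane")], "Role", "pod-reader"),
    ("staging", [("Group", "platform-team")], "ClusterRole", "deployment-manager"),  # hypothetical
]

def rule_matches(rule, api_group, resource, verb):
    # "*" is a wildcard, as in the API server; subresources match on the full
    # "pods/log" name, so a rule for "pods" alone does not cover logs.
    groups_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
    res_ok = "*" in rule["resources"] or resource in rule["resources"]
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    return groups_ok and res_ok and verb_ok

def can_i(user, groups, verb, resource, api_group="", namespace=None):
    """True if some binding reaching the user or one of their groups carries a
    matching rule. RBAC is deny-by-default: no match means forbidden.
    namespace=None models a cluster-wide (--all-namespaces) request."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for binding_ns, bound_subjects, ref_kind, ref_name in BINDINGS:
        if not subjects & set(bound_subjects):
            continue
        # A RoleBinding only grants inside its own namespace, even when it
        # references a ClusterRole; it never satisfies a cluster-wide request.
        if binding_ns is not None and binding_ns != namespace:
            continue
        if ref_kind == "Role":
            rules = ROLES.get((binding_ns, ref_name), [])
        else:
            rules = CLUSTER_ROLES.get(ref_name, [])
        if any(rule_matches(r, api_group, resource, verb) for r in rules):
            return True
    return False
```

The two kubectl checks above correspond to can_i("dev-jane", [], "list", "pods", namespace="staging") (allowed) and can_i("dev-jane", [], "delete", "deployments", "apps") (denied).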

Best Practices for Breeze Clusters

  • Follow the principle of least privilege — only grant the verbs and resources actually needed
  • Prefer namespace-scoped Roles over ClusterRoles when possible
  • Audit RBAC policies regularly with kubectl get clusterrolebindings -o wide
  • Use groups instead of individual users for easier management
  • Avoid granting cluster-admin except to operators who genuinely need it
