_CORE
Services
AI & Agentic Systems Core Information Systems Cloud & Platform Engineering Data Platform & Integration Security & Compliance QA, Testing & Observability IoT, Automation & Robotics Mobile & Digital
Industries
Banking & Finance Insurance Public Administration Defense & Security Healthcare Energy & Utilities Telco & Media Manufacturing Logistics & E-commerce Retail & Loyalty
References Technologies
Lab
Blog Know-how Tools
About Collaboration Careers
Language
CS EN
Let's talk

Kubernetes RBAC: access control in a container cluster

06. 11. 2016 2 min read CORE SYSTEMSai

Kubernetes 1.6 introduces RBAC (Role-Based Access Control) — granular access control for API resources. How to design a security model for a multi-tenant cluster.

Why RBAC in Kubernetes

A default Kubernetes installation has no access control — anyone with API access can do anything. In a production environment with multiple teams, this is unacceptable.

RBAC (Role-Based Access Control) allows you to define who (subject) can do what (verb) with what (resource). Granular permissions at the namespace or cluster level.

Role, ClusterRole and Bindings

The RBAC model has four objects:

# Role - permissions in a namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]

---
# RoleBinding - assigning a role to a user
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: User
  name: [email protected]
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Role = permissions in a namespace. ClusterRole = permissions across the entire cluster. Binding = linking a role to a subject.

Designing the RBAC model

Recommended approach for enterprise:

  • Cluster admin — full access (infrastructure team only)
  • Namespace admin — full access within the team’s namespace
  • Developer — deploy, view logs, exec into pods in their namespace
  • Viewer — read-only access for monitoring and debugging

Principle of least privilege — start with the minimum and add as needed. Audit permissions regularly.

Service Accounts and automation

Service Accounts are identities for processes (CI/CD, operators, monitoring):

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-deployer
  namespace: production
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deploy
  namespace: production
subjects:
- kind: ServiceAccount
  name: ci-deployer
  namespace: production
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io

CI/CD pipelines use a service account token instead of personal credentials. Token rotation and audit logging are best practices.

Conclusion: security as a first-class citizen

RBAC is essential for production Kubernetes clusters. Invest time in designing your permissions model before opening the cluster to multiple teams. Least privilege, regular audits and service accounts for automation are the key best practices.

kubernetesrbacbezpečnostaccess controlclusterdevops
Share:

CORE SYSTEMS

Stavíme core systémy a AI agenty, které drží provoz. 15 let zkušeností s enterprise IT.

Need help with implementation?

Our experts can help with design, implementation, and operations. From architecture to production.

Contact us

Related articles

Kubernetes Cluster Checklist

Checklist for production Kubernetes cluster — networking, security, monitoring.

Helm — Package Manager for Kubernetes

Helm brings to the Kubernetes world what apt-get brings to Debian. How we started using Helm charts to manage deployments.

Kubernetes autoscaling in practice — HPA, VPA and Cluster Autoscaler

Practical experience with Kubernetes autoscaling on Azure AKS. Custom metrics, spot instances and overprovisioning.