Using RBAC Authorization
Role-based access control (RBAC) is a method of regulating access to computer ornetwork resources based on the roles of individual users within your organization.
RBAC authorization uses therbac.authorization.k8s.ioAPI group to drive authorizationdecisions, allowing you to dynamically configure policies through the Kubernetes API.
To enable RBAC, start theAPI serverwith the--authorization-config flag set to a file that includes theRBAC authorizer; for example:
apiVersion:apiserver.config.k8s.io/v1kind:AuthorizationConfigurationauthorizers:...-type:RBAC...Or, start theAPI server withthe--authorization-mode flag set to a comma-separated list that includesRBAC;for example:
kube-apiserver --authorization-mode=...,RBAC --other-options --more-optionsAPI objects
The RBAC API declares four kinds of Kubernetes object:Role,ClusterRole,RoleBinding andClusterRoleBinding. You can describe or amend the RBACobjectsusing tools such askubectl, just like any other Kubernetes object.
Caution:
These objects, by design, impose access restrictions. If you are making changesto a cluster as you learn, seeprivilege escalation prevention and bootstrappingto understand how those restrictions can prevent you making some changes.Role and ClusterRole
An RBACRole orClusterRole contains rules that represent a set of permissions.Permissions are purely additive (there are no "deny" rules).
A Role always sets permissions within a particularnamespace;when you create a Role, you have to specify the namespace it belongs in.
ClusterRole, by contrast, is a non-namespaced resource. The resources have different names (Roleand ClusterRole) because a Kubernetes object always has to be either namespaced or not namespaced;it can't be both.
ClusterRoles have several uses. You can use a ClusterRole to:
- define permissions on namespaced resources and be granted access within individual namespace(s)
- define permissions on namespaced resources and be granted access across all namespaces
- define permissions on cluster-scoped resources
If you want to define a role within a namespace, use a Role; if you want to definea role cluster-wide, use a ClusterRole.
Role example
Here's an example Role in the "default" namespace that can be used to grant read access topods:
apiVersion:rbac.authorization.k8s.io/v1kind:Rolemetadata:namespace:defaultname:pod-readerrules:-apiGroups:[""]# "" indicates the core API groupresources:["pods"]verbs:["get","watch","list"]ClusterRole example
A ClusterRole can be used to grant the same permissions as a Role.Because ClusterRoles are cluster-scoped, you can also use them to grant access to:
cluster-scoped resources (likenodes)
non-resource endpoints (like
/healthz)namespaced resources (like Pods), across all namespaces
For example: you can use a ClusterRole to allow a particular user to run
kubectl get pods --all-namespaces
Here is an example of a ClusterRole that can be used to grant read access tosecrets in any particular namespace,or across all namespaces (depending on how it isbound):
apiVersion:rbac.authorization.k8s.io/v1kind:ClusterRolemetadata:# "namespace" omitted since ClusterRoles are not namespacedname:secret-readerrules:-apiGroups:[""]## at the HTTP level, the name of the resource for accessing Secret# objects is "secrets"resources:["secrets"]verbs:["get","watch","list"]The name of a Role or a ClusterRole object must be a validpath segment name.
RoleBinding and ClusterRoleBinding
A role binding grants the permissions defined in a role to a user or set of users.It holds a list ofsubjects (users, groups, or service accounts), and a reference to therole being granted.A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBindinggrants that access cluster-wide.
A RoleBinding may reference any Role in the same namespace. Alternatively, a RoleBindingcan reference a ClusterRole and bind that ClusterRole to the namespace of the RoleBinding.If you want to bind a ClusterRole to all the namespaces in your cluster, you use aClusterRoleBinding.
The name of a RoleBinding or ClusterRoleBinding object must be a validpath segment name.
RoleBinding examples
Here is an example of a RoleBinding that grants the "pod-reader" Role to the user "jane"within the "default" namespace.This allows "jane" to read pods in the "default" namespace.
apiVersion:rbac.authorization.k8s.io/v1# This role binding allows "jane" to read pods in the "default" namespace.# You need to already have a Role named "pod-reader" in that namespace.kind:RoleBindingmetadata:name:read-podsnamespace:defaultsubjects:# You can specify more than one "subject"-kind:Username:jane# "name" is case sensitiveapiGroup:rbac.authorization.k8s.ioroleRef:# "roleRef" specifies the binding to a Role / ClusterRolekind:Role#this must be Role or ClusterRolename:pod-reader# this must match the name of the Role or ClusterRole you wish to bind toapiGroup:rbac.authorization.k8s.ioA RoleBinding can also reference a ClusterRole to grant the permissions defined in thatClusterRole to resources inside the RoleBinding's namespace. This kind of referencelets you define a set of common roles across your cluster, then reuse them withinmultiple namespaces.
For instance, even though the following RoleBinding refers to a ClusterRole,"dave" (the subject, case sensitive) will only be able to read Secrets in the "development"namespace, because the RoleBinding's namespace (in its metadata) is "development".
apiVersion:rbac.authorization.k8s.io/v1# This role binding allows "dave" to read secrets in the "development" namespace.# You need to already have a ClusterRole named "secret-reader".kind:RoleBindingmetadata:name:read-secrets## The namespace of the RoleBinding determines where the permissions are granted.# This only grants permissions within the "development" namespace.namespace:developmentsubjects:-kind:Username:dave# Name is case sensitiveapiGroup:rbac.authorization.k8s.ioroleRef:kind:ClusterRolename:secret-readerapiGroup:rbac.authorization.k8s.ioClusterRoleBinding example
To grant permissions across a whole cluster, you can use a ClusterRoleBinding.The following ClusterRoleBinding allows any user in the group "manager" to readsecrets in any namespace.
apiVersion:rbac.authorization.k8s.io/v1# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.kind:ClusterRoleBindingmetadata:name:read-secrets-globalsubjects:-kind:Groupname:manager# Name is case sensitiveapiGroup:rbac.authorization.k8s.ioroleRef:kind:ClusterRolename:secret-readerapiGroup:rbac.authorization.k8s.ioAfter you create a binding, you cannot change the Role or ClusterRole that it refers to.If you try to change a binding'sroleRef, you get a validation error. If you do wantto change theroleRef for a binding, you need to remove the binding object and createa replacement.
There are two reasons for this restriction:
- Making
roleRefimmutable allows granting someoneupdatepermission on an existing bindingobject, so that they can manage the list of subjects, without being able to changethe role that is granted to those subjects. - A binding to a different role is a fundamentally different binding.Requiring a binding to be deleted/recreated in order to change the
roleRefensures the full list of subjects in the binding is intended to be grantedthe new role (as opposed to enabling or accidentally modifying only the roleRefwithout verifying all of the existing subjects should be given the new role'spermissions).
Thekubectl auth reconcile command-line utility creates or updates a manifest file containing RBAC objects,and handles deleting and recreating binding objects if required to change the role they refer to.Seecommand usage and examples for more information.
Referring to resources
In the Kubernetes API, most resources are represented and accessed using a string representation oftheir object name, such aspods for a Pod. RBAC refers to resources using exactly the samename that appears in the URL for the relevant API endpoint.Some Kubernetes APIs involve asubresource, such as the logs for a Pod. A request for a Pod's logs looks like:
GET /api/v1/namespaces/{namespace}/pods/{name}/logIn this case,pods is the namespaced resource for Pod resources, andlog is asubresource ofpods. To represent this in an RBAC role, use a slash (/) todelimit the resource and subresource. To allow a subject to readpods andalso access thelog subresource for each of those Pods, you write:
apiVersion:rbac.authorization.k8s.io/v1kind:Rolemetadata:namespace:defaultname:pod-and-pod-logs-readerrules:-apiGroups:[""]resources:["pods","pods/log"]verbs:["get","list"]You can also refer to resources by name for certain requests through theresourceNames list.When specified, requests can be restricted to individual instances of a resource.Here is an example that restricts its subject to onlyget orupdate aConfigMap namedmy-configmap:
apiVersion:rbac.authorization.k8s.io/v1kind:Rolemetadata:namespace:defaultname:configmap-updaterrules:-apiGroups:[""]## at the HTTP level, the name of the resource for accessing ConfigMap# objects is "configmaps"resources:["configmaps"]resourceNames:["my-configmap"]verbs:["update","get"]Note:
You cannot restrictcreate ordeletecollection requests by their resource name.Forcreate, this limitation is because the name of the new object may not be known at authorization time.If you restrictlist orwatch by resourceName, clients must include ametadata.name field selector in theirlist orwatch request that matches the specified resourceName in order to be authorized.For example,kubectl get configmaps --field-selector=metadata.name=my-configmapRather than referring to individualresources,apiGroups, andverbs,you can use the wildcard* symbol to refer to all such objects.FornonResourceURLs, you can use the wildcard* as a suffix glob match.ForresourceNames, an empty set means that everything is allowed.Here is an example that allows access to perform any current and future action onall current and future resources in theexample.com API group.This is similar to the built-incluster-admin role.
apiVersion:rbac.authorization.k8s.io/v1kind:Rolemetadata:namespace:defaultname:example.com-superuser# DO NOT USE THIS ROLE, IT IS JUST AN EXAMPLErules:-apiGroups:["example.com"]resources:["*"]verbs:["*"]Caution:
Using wildcards in resource and verb entries could result in overly permissive access being grantedto sensitive resources.For instance, if a new resource type is added, or a new subresource is added,or a new custom verb is checked, the wildcard entry automatically grants access, which may be undesirable.Theprinciple of least privilegeshould be employed, using specific resources and verbs to ensure only the permissions required for theworkload to function correctly are applied.Aggregated ClusterRoles
You canaggregate several ClusterRoles into one combined ClusterRole.A controller, running as part of the cluster control plane, watches for ClusterRoleobjects with anaggregationRule set. TheaggregationRule defines a labelselector that the controlleruses to match other ClusterRole objects that should be combined into therulesfield of this one.
Caution:
The control plane overwrites any values that you manually specify in therules field of anaggregate ClusterRole. If you want to change or add rules, do so in theClusterRole objectsthat are selected by theaggregationRule.Here is an example aggregated ClusterRole:
apiVersion:rbac.authorization.k8s.io/v1kind:ClusterRolemetadata:name:monitoringaggregationRule:clusterRoleSelectors:-matchLabels:rbac.example.com/aggregate-to-monitoring:"true"rules:[]# The control plane automatically fills in the rulesIf you create a new ClusterRole that matches the label selector of an existing aggregated ClusterRole,that change triggers adding the new rules into the aggregated ClusterRole.Here is an example that adds rules to the "monitoring" ClusterRole, by creating anotherClusterRole labeledrbac.example.com/aggregate-to-monitoring: true.
apiVersion:rbac.authorization.k8s.io/v1kind:ClusterRolemetadata:name:monitoring-endpointslabels:rbac.example.com/aggregate-to-monitoring:"true"# When you create the "monitoring-endpoints" ClusterRole,# the rules below will be added to the "monitoring" ClusterRole.rules:-apiGroups:[""]resources:["services","endpointslices","pods"]verbs:["get","list","watch"]Thedefault user-facing roles use ClusterRole aggregation. This lets you,as a cluster administrator, include rules for custom resources, such as those served byCustomResourceDefinitionsor aggregated API servers, to extend the default roles.
For example: the following ClusterRoles let the "admin" and "edit" default roles manage the custom resourcenamed CronTab, whereas the "view" role can perform only read actions on CronTab resources.You can assume that CronTab objects are named"crontabs" in URLs as seen by the API server.
apiVersion:rbac.authorization.k8s.io/v1kind:ClusterRolemetadata:name:aggregate-cron-tabs-editlabels:# Add these permissions to the "admin" and "edit" default roles.rbac.authorization.k8s.io/aggregate-to-admin:"true"rbac.authorization.k8s.io/aggregate-to-edit:"true"rules:-apiGroups:["stable.example.com"]resources:["crontabs"]verbs:["get","list","watch","create","update","patch","delete"]---kind:ClusterRoleapiVersion:rbac.authorization.k8s.io/v1metadata:name:aggregate-cron-tabs-viewlabels:# Add these permissions to the "view" default role.rbac.authorization.k8s.io/aggregate-to-view:"true"rules:-apiGroups:["stable.example.com"]resources:["crontabs"]verbs:["get","list","watch"]Role examples
The following examples are excerpts from Role or ClusterRole objects, showing onlytherules section.
Allow reading"pods" resources in the coreAPI Group:
rules:-apiGroups:[""]## at the HTTP level, the name of the resource for accessing Pod# objects is "pods"resources:["pods"]verbs:["get","list","watch"]Allow reading/writing Deployments (at the HTTP level: objects with"deployments"in the resource part of their URL) in the"apps" API groups:
rules:-apiGroups:["apps"]## at the HTTP level, the name of the resource for accessing Deployment# objects is "deployments"resources:["deployments"]verbs:["get","list","watch","create","update","patch","delete"]Allow reading Pods in the core API group, as well as reading or writing Jobresources in the"batch" API group:
rules:-apiGroups:[""]## at the HTTP level, the name of the resource for accessing Pod# objects is "pods"resources:["pods"]verbs:["get","list","watch"]-apiGroups:["batch"]## at the HTTP level, the name of the resource for accessing Job# objects is "jobs"resources:["jobs"]verbs:["get","list","watch","create","update","patch","delete"]Allow reading a ConfigMap named "my-config" (must be bound with aRoleBinding to limit to a single ConfigMap in a single namespace):
rules:-apiGroups:[""]## at the HTTP level, the name of the resource for accessing ConfigMap# objects is "configmaps"resources:["configmaps"]resourceNames:["my-config"]verbs:["get"]Allow reading the resource"nodes" in the core group (because aNode is cluster-scoped, this must be in a ClusterRole bound with aClusterRoleBinding to be effective):
rules:-apiGroups:[""]## at the HTTP level, the name of the resource for accessing Node# objects is "nodes"resources:["nodes"]verbs:["get","list","watch"]Allow GET and POST requests to the non-resource endpoint/healthz andall subpaths (must be in a ClusterRole bound with a ClusterRoleBindingto be effective):
rules:-nonResourceURLs:["/healthz","/healthz/*"]# '*' in a nonResourceURL is a suffix glob matchverbs:["get","post"]Referring to subjects
A RoleBinding or ClusterRoleBinding binds a role to subjects.Subjects can be groups, users orServiceAccounts.
Kubernetes represents usernames as strings.These can be: plain names, such as "alice"; email-style names, like "bob@example.com";or numeric user IDs represented as a string. It is up to you as a cluster administratorto configure theauthentication modulesso that authentication produces usernames in the format you want.
Caution:
The prefixsystem: is reserved for Kubernetes system use, so you should ensurethat you don't have users or groups with names that start withsystem: byaccident.Other than this special prefix, the RBAC authorization system does not require any formatfor usernames.In Kubernetes, Authenticator modules provide group information.Groups, like users, are represented as strings, and that string has no format requirements,other than that the prefixsystem: is reserved.
ServiceAccounts have names prefixedwithsystem:serviceaccount:, and belong to groups that have names prefixed withsystem:serviceaccounts:.
Note:
system:serviceaccount:(singular) is the prefix for service account usernames.system:serviceaccounts:(plural) is the prefix for service account groups.
RoleBinding examples
The following examples areRoleBinding excerpts that onlyshow thesubjects section.
For a user namedalice@example.com:
subjects:-kind:Username:"alice@example.com"apiGroup:rbac.authorization.k8s.ioFor a group namedfrontend-admins:
subjects:-kind:Groupname:"frontend-admins"apiGroup:rbac.authorization.k8s.ioFor the default service account in the "kube-system" namespace:
subjects:-kind:ServiceAccountname:defaultnamespace:kube-systemFor all service accounts in the "qa" namespace:
subjects:-kind:Groupname:system:serviceaccounts:qaapiGroup:rbac.authorization.k8s.ioFor all service accounts in any namespace:
subjects:-kind:Groupname:system:serviceaccountsapiGroup:rbac.authorization.k8s.ioFor all authenticated users:
subjects:-kind:Groupname:system:authenticatedapiGroup:rbac.authorization.k8s.ioFor all unauthenticated users:
subjects:-kind:Groupname:system:unauthenticatedapiGroup:rbac.authorization.k8s.ioFor all users:
subjects:-kind:Groupname:system:authenticatedapiGroup:rbac.authorization.k8s.io-kind:Groupname:system:unauthenticatedapiGroup:rbac.authorization.k8s.ioDefault roles and role bindings
API servers create a set of default ClusterRole and ClusterRoleBinding objects.Many of these aresystem: prefixed, which indicates that the resource is directlymanaged by the cluster control plane.All of the default ClusterRoles and ClusterRoleBindings are labeled withkubernetes.io/bootstrapping=rbac-defaults.
Caution:
Take care when modifying ClusterRoles and ClusterRoleBindings with namesthat have asystem: prefix.Modifications to these resources can result in non-functional clusters.Auto-reconciliation
At each start-up, the API server updates default cluster roles with any missing permissions,and updates default cluster role bindings with any missing subjects.This allows the cluster to repair accidental modifications, and helps to keep roles and role bindingsup-to-date as permissions and subjects change in new Kubernetes releases.
To opt out of this reconciliation, set therbac.authorization.kubernetes.io/autoupdateannotation on a default cluster role or default cluster RoleBinding tofalse.Be aware that missing default permissions and subjects can result in non-functional clusters.
Auto-reconciliation is enabled by default if the RBAC authorizer is active.
API discovery roles
Default cluster role bindings authorize unauthenticated and authenticated users to read API informationthat is deemed safe to be publicly accessible (including CustomResourceDefinitions).To disable anonymous unauthenticated access, add--anonymous-auth=false flag tothe API server configuration.
To view the configuration of these roles viakubectl run:
kubectl get clusterroles system:discovery -o yamlNote:
If you edit that ClusterRole, your changes will be overwritten on API server restartviaauto-reconciliation. To avoid that overwriting,either do not manually edit the role, or disable auto-reconciliation.| Default ClusterRole | Default ClusterRoleBinding | Description |
|---|---|---|
| system:basic-user | system:authenticated group | Allows a user read-only access to basic information about themselves. Prior to v1.14, this role was also bound tosystem:unauthenticated by default. |
| system:discovery | system:authenticated group | Allows read-only access to API discovery endpoints needed to discover and negotiate an API level. Prior to v1.14, this role was also bound tosystem:unauthenticated by default. |
| system:public-info-viewer | system:authenticated andsystem:unauthenticated groups | Allows read-only access to non-sensitive information about the cluster. Introduced in Kubernetes v1.14. |
User-facing roles
Some of the default ClusterRoles are notsystem: prefixed. These are intended to be user-facing roles.They include super-user roles (cluster-admin), roles intended to be granted cluster-wideusing ClusterRoleBindings, and roles intended to be granted within particularnamespaces using RoleBindings (admin,edit,view).
User-facing ClusterRoles useClusterRole aggregation to allow admins to includerules for custom resources on these ClusterRoles. To add rules to theadmin,edit, orview roles, createa ClusterRole with one or more of the following labels:
metadata:labels:rbac.authorization.k8s.io/aggregate-to-admin:"true"rbac.authorization.k8s.io/aggregate-to-edit:"true"rbac.authorization.k8s.io/aggregate-to-view:"true"| Default ClusterRole | Default ClusterRoleBinding | Description |
|---|---|---|
| cluster-admin | system:masters group | Allows super-user access to perform any action on any resource.When used in aClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces.When used in aRoleBinding, it gives full control over every resource in the role binding's namespace, including the namespace itself. |
| admin | None | Allows admin access, intended to be granted within a namespace using aRoleBinding. If used in aRoleBinding, allows read/write access to most resources in a namespace,including the ability to create roles and role bindings within the namespace.This role does not allow write access to resource quota or to the namespace itself.This role also does not allow write access to EndpointSlices in clusters createdusing Kubernetes v1.22+. More information is available in the"Write Access for EndpointSlices" section. |
| edit | None | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings.However, this role allows accessing Secrets and running Pods as any ServiceAccount inthe namespace, so it can be used to gain the API access levels of any ServiceAccount inthe namespace. This role also does not allow write access to EndpointSlices inclusters created using Kubernetes v1.22+. More information is available in the"Write Access for EndpointSlices" section. |
| view | None | Allows read-only access to see most objects in a namespace.It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since readingthe contents of Secrets enables access to ServiceAccount credentialsin the namespace, which would allow API access as any ServiceAccountin the namespace (a form of privilege escalation). |
Core component roles
| Default ClusterRole | Default ClusterRoleBinding | Description |
|---|---|---|
| system:kube-scheduler | system:kube-scheduler user | Allows access to the resources required by thescheduler component. |
| system:volume-scheduler | system:kube-scheduler user | Allows access to the volume resources required by the kube-scheduler component. |
| system:kube-controller-manager | system:kube-controller-manager user | Allows access to the resources required by thecontroller manager component.The permissions required by individual controllers are detailed in thecontroller roles. |
| system:node | None | Allows access to resources required by the kubelet,including read access to all secrets, and write access to all pod status objects. You should use theNode authorizer andNodeRestriction admission plugin instead of thesystem:node role, and allow granting API access to kubelets based on the Pods scheduled to run on them. Thesystem:node role only exists for compatibility with Kubernetes clusters upgraded from versions prior to v1.8. |
| system:node-proxier | system:kube-proxy user | Allows access to the resources required by thekube-proxy component. |
Other component roles
| Default ClusterRole | Default ClusterRoleBinding | Description |
|---|---|---|
| system:auth-delegator | None | Allows delegated authentication and authorization checks.This is commonly used by add-on API servers for unified authentication and authorization. |
| system:heapster | None | Role for theHeapster component (deprecated). |
| system:kube-aggregator | None | Role for thekube-aggregator component. |
| system:kube-dns | kube-dns service account in thekube-system namespace | Role for thekube-dns component. |
| system:kubelet-api-admin | None | Allows full access to the kubelet API. |
| system:node-bootstrapper | None | Allows access to the resources required to performkubelet TLS bootstrapping. |
| system:node-problem-detector | None | Role for thenode-problem-detector component. |
| system:persistent-volume-provisioner | None | Allows access to the resources required by mostdynamic volume provisioners. |
| system:monitoring | system:monitoring group | Allows read access to control-plane monitoring endpoints (i.e.kube-apiserver liveness and readiness endpoints (/healthz,/livez,/readyz), the individual health-check endpoints (/healthz/*,/livez/*,/readyz/*),/metrics), and causes the kube-apiserver to respect the traceparent header provided with requests for tracing. Note that individual health check endpoints and the metric endpoint may expose sensitive information. |
Roles for built-in controllers
The Kubernetescontroller manager runscontrollers that are built in to the Kubernetescontrol plane.When invoked with--use-service-account-credentials, kube-controller-manager starts each controllerusing a separate service account.Corresponding roles exist for each built-in controller, prefixed withsystem:controller:.If the controller manager is not started with--use-service-account-credentials, it runs all control loopsusing its own credential, which must be granted all the relevant roles.These roles include:
system:controller:attachdetach-controllersystem:controller:certificate-controllersystem:controller:clusterrole-aggregation-controllersystem:controller:cronjob-controllersystem:controller:daemon-set-controllersystem:controller:deployment-controllersystem:controller:disruption-controllersystem:controller:endpoint-controllersystem:controller:expand-controllersystem:controller:generic-garbage-collectorsystem:controller:horizontal-pod-autoscalersystem:controller:job-controllersystem:controller:namespace-controllersystem:controller:node-controllersystem:controller:persistent-volume-bindersystem:controller:pod-garbage-collectorsystem:controller:pv-protection-controllersystem:controller:pvc-protection-controllersystem:controller:replicaset-controllersystem:controller:replication-controllersystem:controller:resourcequota-controllersystem:controller:root-ca-cert-publishersystem:controller:route-controllersystem:controller:service-account-controllersystem:controller:service-controllersystem:controller:statefulset-controllersystem:controller:ttl-controller
Privilege escalation prevention and bootstrapping
The RBAC API prevents users from escalating privileges by editing roles or role bindings.Because this is enforced at the API level, it applies even when the RBAC authorizer is not in use.
Restrictions on role creation or update
You can only create/update a role if at least one of the following things is true:
- You already have all the permissions contained in the role, at the same scope as the object being modified(cluster-wide for a ClusterRole, within the same namespace or cluster-wide for a Role).
- You are granted explicit permission to perform the
escalateverb on therolesorclusterrolesresource in therbac.authorization.k8s.ioAPI group.
For example, ifuser-1 does not have the ability to list Secrets cluster-wide, they cannot create a ClusterRolecontaining that permission. To allow a user to create/update roles:
- Grant them a role that allows them to create/update Role or ClusterRole objects, as desired.
- Grant them permission to include specific permissions in the roles they create/update:
- implicitly, by giving them those permissions (if they attempt to create or modify a Role orClusterRole with permissions they themselves have not been granted, the API request will be forbidden)
- or explicitly allow specifying any permission in a
RoleorClusterRoleby giving thempermission to perform theescalateverb onrolesorclusterrolesresources in therbac.authorization.k8s.ioAPI group
Restrictions on role binding creation or update
You can only create/update a role binding if you already have all the permissions contained in the referenced role(at the same scope as the role binding)or if you have been authorized to perform thebind verb on the referenced role.For example, ifuser-1 does not have the ability to list Secrets cluster-wide, they cannot create a ClusterRoleBindingto a role that grants that permission. To allow a user to create/update role bindings:
- Grant them a role that allows them to create/update RoleBinding or ClusterRoleBinding objects, as desired.
- Grant them permissions needed to bind a particular role:
- implicitly, by giving them the permissions contained in the role.
- explicitly, by giving them permission to perform the
bindverb on the particular Role (or ClusterRole).
For example, this ClusterRole and RoleBinding would allowuser-1 to grant other users theadmin,edit, andview roles in the namespaceuser-1-namespace:
apiVersion:rbac.authorization.k8s.io/v1kind:ClusterRolemetadata:name:role-grantorrules:-apiGroups:["rbac.authorization.k8s.io"]resources:["rolebindings"]verbs:["create"]-apiGroups:["rbac.authorization.k8s.io"]resources:["clusterroles"]verbs:["bind"]# omit resourceNames to allow binding any ClusterRoleresourceNames:["admin","edit","view"]---apiVersion:rbac.authorization.k8s.io/v1kind:RoleBindingmetadata:name:role-grantor-bindingnamespace:user-1-namespaceroleRef:apiGroup:rbac.authorization.k8s.iokind:ClusterRolename:role-grantorsubjects:-apiGroup:rbac.authorization.k8s.iokind:Username:user-1When bootstrapping the first roles and role bindings, it is necessary for the initial user to grant permissions they do not yet have.To bootstrap initial roles and role bindings:
- Use a credential with the "system:masters" group, which is bound to the "cluster-admin" super-user role by the default bindings.
Command-line utilities
kubectl create role
Creates a Role object defining permissions within a single namespace. Examples:
Create a Role named "pod-reader" that allows users to perform
get,watchandliston pods:kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=podsCreate a Role named "pod-reader" with resourceNames specified:
kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpodCreate a Role named "foo" with apiGroups specified:
kubectl create role foo --verb=get,list,watch --resource=replicasets.appsCreate a Role named "foo" with subresource permissions:
kubectl create role foo --verb=get,list,watch --resource=pods,pods/statusCreate a Role named "my-component-lease-holder" with permissions to get/update a resource with a specific name:
kubectl create role my-component-lease-holder --verb=get,list,watch,update --resource=lease --resource-name=my-component
kubectl create clusterrole
Creates a ClusterRole. Examples:
Create a ClusterRole named "pod-reader" that allows user to perform
get,watchandliston pods:kubectl create clusterrole pod-reader --verb=get,list,watch --resource=podsCreate a ClusterRole named "pod-reader" with resourceNames specified:
kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpodCreate a ClusterRole named "foo" with apiGroups specified:
kubectl create clusterrole foo --verb=get,list,watch --resource=replicasets.appsCreate a ClusterRole named "foo" with subresource permissions:
kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/statusCreate a ClusterRole named "foo" with nonResourceURL specified:
kubectl create clusterrole"foo" --verb=get --non-resource-url=/logs/*Create a ClusterRole named "monitoring" with an aggregationRule specified:
kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"
kubectl create rolebinding
Grants a Role or ClusterRole within a specific namespace. Examples:
Within the namespace "acme", grant the permissions in the "admin" ClusterRole to a user named "bob":
kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=bob --namespace=acmeWithin the namespace "acme", grant the permissions in the "view" ClusterRole to the service account in the namespace "acme" named "myapp":
kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=acmeWithin the namespace "acme", grant the permissions in the "view" ClusterRole to a service account in the namespace "myappnamespace" named "myapp":
kubectl create rolebinding myappnamespace-myapp-view-binding --clusterrole=view --serviceaccount=myappnamespace:myapp --namespace=acme
kubectl create clusterrolebinding
Grants a ClusterRole across the entire cluster (all namespaces). Examples:
Across the entire cluster, grant the permissions in the "cluster-admin" ClusterRole to a user named "root":
kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=cluster-admin --user=rootAcross the entire cluster, grant the permissions in the "system:node-proxier" ClusterRole to a user named "system:kube-proxy":
kubectl create clusterrolebinding kube-proxy-binding --clusterrole=system:node-proxier --user=system:kube-proxyAcross the entire cluster, grant the permissions in the "view" ClusterRole to a service account named "myapp" in the namespace "acme":
kubectl create clusterrolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp
kubectl auth reconcile
Creates or updatesrbac.authorization.k8s.io/v1 API objects from a manifest file.
Missing objects are created, and the containing namespace is created for namespaced objects, if required.
Existing roles are updated to include the permissions in the input objects,and remove extra permissions if--remove-extra-permissions is specified.
Existing bindings are updated to include the subjects in the input objects,and remove extra subjects if--remove-extra-subjects is specified.
Examples:
Test applying a manifest file of RBAC objects, displaying changes that would be made:
kubectl auth reconcile -f my-rbac-rules.yaml --dry-run=clientApply a manifest file of RBAC objects, preserving any extra permissions (in roles) and any extra subjects (in bindings):
kubectl auth reconcile -f my-rbac-rules.yamlApply a manifest file of RBAC objects, removing any extra permissions (in roles) and any extra subjects (in bindings):
kubectl auth reconcile -f my-rbac-rules.yaml --remove-extra-subjects --remove-extra-permissions
ServiceAccount permissions
Default RBAC policies grant scoped permissions to control-plane components, nodes,and controllers, but grantno permissions to service accounts outside thekube-system namespace(beyond the permissions given byAPI discovery roles).
This allows you to grant particular roles to particular ServiceAccounts as needed.Fine-grained role bindings provide greater security, but require more effort to administrate.Broader grants can give unnecessary (and potentially escalating) API access toServiceAccounts, but are easier to administrate.
In order from most secure to least secure, the approaches are:
Grant a role to an application-specific service account (best practice)
This requires the application to specify a
serviceAccountNamein its pod spec,and for the service account to be created (via the API, application manifest,kubectl create serviceaccount, etc.).For example, grant read-only permission within "my-namespace" to the "my-sa" service account:
kubectl create rolebinding my-sa-view\ --clusterrole=view\ --serviceaccount=my-namespace:my-sa\ --namespace=my-namespaceGrant a role to the "default" service account in a namespace
If an application does not specify a
serviceAccountName, it uses the "default" service account.Note:
Permissions given to the "default" service account are available to any podin the namespace that does not specify aserviceAccountName.For example, grant read-only permission within "my-namespace" to the "default" service account:
kubectl create rolebinding default-view\ --clusterrole=view\ --serviceaccount=my-namespace:default\ --namespace=my-namespaceManyadd-ons run as the"default" service account in the
kube-systemnamespace.To allow those add-ons to run with super-user access, grant cluster-adminpermissions to the "default" service account in thekube-systemnamespace.Caution:
Enabling this means thekube-systemnamespace contains Secretsthat grant super-user access to your cluster's API.kubectl create clusterrolebinding add-on-cluster-admin\ --clusterrole=cluster-admin\ --serviceaccount=kube-system:defaultGrant a role to all service accounts in a namespace
If you want all applications in a namespace to have a role, no matter what service account they use,you can grant a role to the service account group for that namespace.
For example, grant read-only permission within "my-namespace" to all service accounts in that namespace:
kubectl create rolebinding serviceaccounts-view\ --clusterrole=view\ --group=system:serviceaccounts:my-namespace\ --namespace=my-namespaceGrant a limited role to all service accounts cluster-wide (discouraged)
If you don't want to manage permissions per-namespace, you can grant a cluster-wide role to all service accounts.
For example, grant read-only permission across all namespaces to all service accounts in the cluster:
kubectl create clusterrolebinding serviceaccounts-view\ --clusterrole=view\ --group=system:serviceaccountsGrant super-user access to all service accounts cluster-wide (strongly discouraged)
If you don't care about partitioning permissions at all, you can grant super-user access to all service accounts.
Warning:
This allows any application full access to your cluster, and also grantsany user with read access to Secrets (or the ability to create any pod)full access to your cluster.kubectl create clusterrolebinding serviceaccounts-cluster-admin\ --clusterrole=cluster-admin\ --group=system:serviceaccounts
Write access for EndpointSlices
Kubernetes clusters created before Kubernetes v1.22 include write access toEndpointSlices (and the now-deprecated Endpoints API) in the aggregated "edit" and "admin" roles.As a mitigation forCVE-2021-25740,this access is not part of the aggregated roles in clusters that you create usingKubernetes v1.22 or later.
Existing clusters that have been upgraded to Kubernetes v1.22 will not besubject to this change. TheCVEannouncement includesguidance for restricting this access in existing clusters.
If you want new clusters to retain this level of access in the aggregated roles,you can create the following ClusterRole:
apiVersion:rbac.authorization.k8s.io/v1kind:ClusterRolemetadata:annotations:kubernetes.io/description:|- Add endpoints write permissions to the edit and admin roles. This was removed by default in 1.22 because of CVE-2021-25740. See https://issue.k8s.io/103675. This can allow writers to direct LoadBalancer or Ingress implementations to expose backend IPs that would not otherwise be accessible, and can circumvent network policies or security controls intended to prevent/isolate access to those backends. EndpointSlices were never included in the edit or admin roles, so there is nothing to restore for the EndpointSlice API.labels:rbac.authorization.k8s.io/aggregate-to-edit:"true"name:custom:aggregate-to-edit:endpoints# you can change this if you wishrules:-apiGroups:[""]resources:["endpoints"]verbs:["create","delete","deletecollection","patch","update"]Upgrading from ABAC
Clusters that originally ran older Kubernetes versions often usedpermissive ABAC policies, including granting full API access to allservice accounts.
Default RBAC policies grant scoped permissions to control-plane components, nodes,and controllers, but grantno permissions to service accounts outside thekube-system namespace(beyond the permissions given byAPI discovery roles).
While far more secure, this can be disruptive to existing workloads expecting to automatically receive API permissions.Here are two approaches for managing this transition:
Parallel authorizers
Run both the RBAC and ABAC authorizers, and specify a policy file that containsthelegacy ABAC policy:
--authorization-mode=...,RBAC,ABAC --authorization-policy-file=mypolicy.jsonTo explain that first command line option in detail: if earlier authorizers, such as Node,deny a request, then the RBAC authorizer attempts to authorize the API request. If RBACalso denies that API request, the ABAC authorizer is then run. This means that any requestallowed byeither the RBAC or ABAC policies is allowed.
When the kube-apiserver is run with a log level of 5 or higher for the RBAC component(--vmodule=rbac*=5 or--v=5), you can see RBAC denials in the API server log(prefixed withRBAC).You can use that information to determine which roles need to be granted to which users, groups, or service accounts.
Once you havegranted roles to service accounts and workloadsare running with no RBAC denial messages in the server logs, you can remove the ABAC authorizer.
Permissive RBAC permissions
You can replicate a permissive ABAC policy using RBAC role bindings.
Warning:
The following policy allowsALL service accounts to act as cluster administrators.Any application running in a container receives service account credentials automatically,and could perform any action against the API, including viewing secrets and modifying permissions.This is not a recommended policy.
kubectl create clusterrolebinding permissive-binding\ --clusterrole=cluster-admin\ --user=admin\ --user=kubelet\ --group=system:serviceaccountsAfter you have transitioned to use RBAC, you should adjust the access controlsfor your cluster to ensure that these meet your information security needs.