Implementing Basic RBAC Policies

Effective RBAC implementation begins with understanding organizational roles and mapping them to Kubernetes permissions. Development teams typically need namespace-scoped permissions to deploy applications. Operations teams require broader permissions for cluster maintenance. Security teams need audit and policy management capabilities. These organizational roles guide RBAC design.

Creating namespace-scoped developer access demonstrates the basic RBAC pattern. Developers need permissions to manage applications within their own namespace without affecting other teams: creating and managing pods, services, and configuration, while secrets are limited to read-only access and cluster-wide resources are not granted at all. Keep in mind that read access (get, list, watch) on secrets still returns their values, and exec or port-forward into a pod exposes whatever that pod has mounted, so grant those verbs only where the team's workflow genuinely needs them.

```yaml
# Developer role with application deployment permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: team-alpha
rules:
# Pod management. pods/exec and pods/portforward give an interactive path into
# running containers; drop them if developers only need to read logs.
- apiGroups: [""]
  resources: ["pods", "pods/log", "pods/exec", "pods/portforward"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

# Service and endpoint management
- apiGroups: [""]
  resources: ["services", "endpoints"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

# ConfigMap management
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

# Secret read-only access. get/list/watch return the secret values, not just
# metadata, so this is still access to credentials.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]

# Deployment management
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

# Ingress management
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

# Event access for troubleshooting
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "list", "watch"]

---
# Bind developer role to team members
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: team-alpha
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer
subjects:
# Individual users
- kind: User
  name: [email protected]
  apiGroup: rbac.authorization.k8s.io
- kind: User
  name: [email protected]
  apiGroup: rbac.authorization.k8s.io
# Groups from identity provider
- kind: Group
  name: team-alpha-developers
  apiGroup: rbac.authorization.k8s.io
```

Service account RBAC requires special attention because it controls what the pods themselves can do inside the cluster. Every namespace has a `default` service account whose token is mounted into pods automatically, so any permissions bound to it are shared by every pod in that namespace, and such accounts often end up with excessive permissions. Creating a dedicated service account with minimal permissions for each application, and disabling token auto-mounting where the application never calls the API, limits what a compromised application can reach.
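The following script is an added example, not code from the page or from any Kubernetes project. It evaluates a request against Role rules the way the RBAC authorizer matches a PolicyRule (verb, apiGroup, resource or resource/subresource, optional resourceNames) and then runs a small least-privilege audit. It serves both the developer Role above, transcribed into Python dicts, and the service-account point just made: the `billing-api` service account, its `billing-config` ConfigMap and the `RISKY` review heuristics are constructed for illustration and are not Kubernetes features.

```python
"""Offline RBAC rule evaluation and least-privilege audit.

Added example, not code from the page. The matching logic follows the checks
the Kubernetes RBAC authorizer applies to a PolicyRule (verb, apiGroup,
resource or resource/subresource, optional resourceNames). The billing-api
service account, its ConfigMap name and the RISKY heuristics are constructed.
"""

ALL_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]

# Transcribed from the developer Role on this page (same rules, as dicts).
DEVELOPER_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/exec", "pods/portforward"], "verbs": ALL_VERBS},
    {"apiGroups": [""], "resources": ["services", "endpoints"], "verbs": ALL_VERBS},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ALL_VERBS},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets", "statefulsets"], "verbs": ALL_VERBS},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"], "verbs": ALL_VERBS},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["get", "list", "watch"]},
]

# Constructed: a dedicated application service account that only needs to read
# its own ConfigMap. resourceNames pins the rule to that single object.
BILLING_SA_RULES = [
    {"apiGroups": [""], "resources": ["configmaps"], "resourceNames": ["billing-config"],
     "verbs": ["get", "watch"]},
]
BILLING_SERVICE_ACCOUNT = {  # constructed manifest; the token is not auto-mounted
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "billing-api", "namespace": "team-alpha"},
    "automountServiceAccountToken": False,
}


def _resource_matches(rule_resources, resource):
    """'*' matches everything, exact names match, and '*/sub' matches any resource's subresource."""
    _, _, sub = resource.partition("/")
    return any(r == "*" or r == resource or (sub and r == "*/" + sub) for r in rule_resources)


def rule_allows(rule, verb, resource, api_group="", name=None):
    """True if one PolicyRule grants the request; every clause must match."""
    verbs, groups = rule.get("verbs", []), rule.get("apiGroups", [])
    names = rule.get("resourceNames", [])
    return (("*" in verbs or verb in verbs)
            and ("*" in groups or api_group in groups)
            and _resource_matches(rule.get("resources", []), resource)
            # A collection request (list, watch, create) carries no object name,
            # so a rule with resourceNames never grants it.
            and (not names or name in names))


def can_i(rules, verb, resource, api_group="", name=None):
    """Offline stand-in for `kubectl auth can-i VERB RESOURCE` over one rule set."""
    return any(rule_allows(r, verb, resource, api_group, name) for r in rules)


# Review heuristics (constructed): what a least-privilege check of an
# application-team role should flag, as (label, predicate on group/resource/verb).
RISKY = [
    ("wildcard", lambda g, r, v: "*" in (g, r, v)),
    ("secrets-readable", lambda g, r, v: g == "" and r == "secrets" and v in ("get", "list", "watch")),
    ("pod-shell-or-tunnel", lambda g, r, v: g == "" and v == "create"
     and r in ("pods/exec", "pods/attach", "pods/portforward")),
    ("escalation-verb", lambda g, r, v: v in ("escalate", "bind", "impersonate")),
]


def audit_rules(rules):
    """Expand rules into (group, resource, verb) triples and return sorted findings."""
    findings = set()
    for rule in rules:
        for g in rule.get("apiGroups", []):
            for r in rule.get("resources", []):
                for v in rule.get("verbs", []):
                    findings.update((label, g or "core", r, v) for label, pred in RISKY if pred(g, r, v))
    return sorted(findings)


def audit_service_account(sa):
    """Flag a ServiceAccount whose token is mounted into every pod that uses it."""
    return [] if sa.get("automountServiceAccountToken") is False else ["token-automounted"]


if __name__ == "__main__":
    print("developer can read secrets:", can_i(DEVELOPER_RULES, "get", "secrets"))
    print("developer can exec into pods:", can_i(DEVELOPER_RULES, "create", "pods/exec"))
    for finding in audit_rules(DEVELOPER_RULES):
        print("finding:", *finding)
    print("billing-api findings:", audit_rules(BILLING_SA_RULES), audit_service_account(BILLING_SERVICE_ACCOUNT))
```

Run as a script it reports that the developer role can read secrets and exec into pods, both of which the audit flags, while the dedicated `billing-api` account produces no findings. Against a live cluster, `kubectl auth can-i get configmaps --as=system:serviceaccount:team-alpha:billing-api` answers the same question `can_i` answers offline.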