Understanding Kubernetes RBAC Architecture

Kubernetes RBAC operates on four key primitives: Roles, RoleBindings, ClusterRoles, and ClusterRoleBindings. Roles define permissions within namespaces, while ClusterRoles define cluster-wide permissions. RoleBindings grant Role permissions to users or groups within namespaces, and ClusterRoleBindings grant ClusterRole permissions cluster-wide. This dual-scope model enables both namespace-isolated and cluster-wide permission management.

The RBAC authorization model follows a default-deny approach where users have no permissions unless explicitly granted. This aligns with security best practices but requires careful permission management to avoid over-privileging. Every API request undergoes RBAC evaluation after authentication, checking whether the authenticated identity has permission for the requested action on the specified resource.

RBAC policies use verbs to define allowed actions on resources. Common verbs include get, list, watch, create, update, patch, and delete. Resources represent Kubernetes API objects such as pods, services, or deployments. The combination of verbs and resources creates precise permission definitions. Understanding this verb-resource model makes it possible to grant only the permissions an identity actually needs, following the principle of least privilege.
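As an added example (not code from the original article), the evaluation model described above in a small Python simulator: default deny, namespace versus cluster scope, and verb/resource matching including the `*` wildcard. It also covers one case the text does not spell out: a RoleBinding may reference a ClusterRole, whose rules then apply only inside that binding's namespace. All subject, role and namespace names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    verbs: frozenset
    resources: frozenset
    def allows(self, verb, resource):
        # "*" is RBAC's wildcard for any verb / any resource
        return (verb in self.verbs or "*" in self.verbs) and (resource in self.resources or "*" in self.resources)
@dataclass(frozen=True)
class RoleRef:
    kind: str  # "Role" or "ClusterRole"
    name: str
@dataclass(frozen=True)
class Binding:
    subject: str
    role_ref: RoleRef
    namespace: Optional[str] = None  # set -> RoleBinding; None -> ClusterRoleBinding
def can_i(subject, verb, resource, namespace, roles, bindings):
    """Default deny: True only if some binding for the subject grants the action."""
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is None:
            # ClusterRoleBinding: must reference a ClusterRole; grants in every namespace
            if b.role_ref.kind != "ClusterRole":
                continue
            rules = roles.get(("ClusterRole", None, b.role_ref.name), [])
        else:
            # RoleBinding: grants only in its own namespace; a referenced ClusterRole is confined to it
            if b.namespace != namespace:
                continue
            ns = b.namespace if b.role_ref.kind == "Role" else None
            rules = roles.get((b.role_ref.kind, ns, b.role_ref.name), [])
        if any(r.allows(verb, resource) for r in rules):
            return True
    return False

# Constructed sample policy (hypothetical names), keyed (kind, namespace or None, name)
ROLES = {
    ("ClusterRole", None, "pod-viewer"): [Rule(frozenset({"get", "list", "watch"}), frozenset({"pods"}))],
    ("Role", "dev", "deployer"): [Rule(frozenset({"create", "update", "patch"}), frozenset({"deployments"}))],
}
BINDINGS = [
    Binding("alice", RoleRef("ClusterRole", "pod-viewer")),                 # ClusterRoleBinding
    Binding("bob", RoleRef("ClusterRole", "pod-viewer"), namespace="dev"),  # RoleBinding to a ClusterRole
    Binding("bob", RoleRef("Role", "deployer"), namespace="dev"),
]
```

Calling `can_i("bob", "get", "pods", "prod", ROLES, BINDINGS)` returns False even though bob holds pod-viewer, because his binding is namespace-scoped; the same question for alice returns True.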