100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

What is Kubernetes RBAC and How Does It Work?

Learn how Kubernetes RBAC grants access via Roles and RoleBindings, its deny-by-default model, and least-privilege design for an interview answer.

mediumQ55 of 224 in DevOps Est. time: 6 minsLast updated:
Open Code Lab

Expected Interview Answer

Kubernetes RBAC (Role-Based Access Control) is an authorization mechanism that grants subjects โ€” users, groups, or service accounts โ€” permission to perform specific verbs on specific resources by binding a Role or ClusterRole to that subject through a RoleBinding or ClusterRoleBinding.

A Role defines a set of rules scoped to a single namespace, each rule listing apiGroups, resources, and verbs such as get, list, watch, create, update, or delete; a ClusterRole is the same idea but scoped cluster-wide or reusable across namespaces. Neither a Role nor a ClusterRole grants anything on its own โ€” it must be attached to a subject via a RoleBinding (namespace-scoped grant) or a ClusterRoleBinding (cluster-wide grant). The Kubernetes API server evaluates every request against these bindings and denies by default: if no rule explicitly allows the verb-resource combination, access is refused. This additive, deny-by-default model lets teams apply least-privilege access, for example granting a CI service account create/update rights only on Deployments in one namespace rather than blanket admin access.

  • Enforces least-privilege access per namespace or cluster-wide
  • Separates identity (subject) from permission (Role) via bindings, enabling reuse
  • Deny-by-default reduces the blast radius of a compromised credential
  • Auditable, declarative YAML that fits into GitOps workflows

AI Mentor Explanation

RBAC is like a stadium issuing role-specific accreditation passes instead of one master key to the ground. A groundskeeper pass permits entry to the pitch and covers only, a broadcaster pass permits camera positions only, and neither pass alone grants access โ€” security checks the pass against a list before opening any gate. A team management staffer might be issued a pass valid across every ground the franchise plays at, which mirrors a cluster-wide grant rather than one limited to a single stadium. Without an issued pass matching the exact gate and purpose, security refuses entry by default, no exceptions assumed.

Step-by-Step Explanation

  1. Step 1

    Define a Role or ClusterRole

    List apiGroups, resources, and verbs the rule should allow โ€” scoped to a namespace (Role) or cluster-wide (ClusterRole).

  2. Step 2

    Identify the subject

    A user, group, or ServiceAccount that needs the permission โ€” service accounts are the common subject for workloads.

  3. Step 3

    Create a binding

    A RoleBinding attaches a Role (or ClusterRole) to the subject within one namespace; a ClusterRoleBinding attaches it cluster-wide.

  4. Step 4

    API server enforces it

    Every API request is authorized against the bound rules; anything not explicitly allowed is denied by default.

What Interviewer Expects

  • Clear distinction between Role/ClusterRole (permissions) and RoleBinding/ClusterRoleBinding (grants)
  • Understanding that RBAC is deny-by-default and additive-only
  • Knowledge that ServiceAccounts are the typical subject for workload permissions
  • Ability to describe least-privilege design, e.g. namespace-scoped Roles over broad ClusterRoles

Common Mistakes

  • Confusing a Role with a RoleBinding, or assuming defining a Role alone grants access
  • Using a ClusterRoleBinding when a namespace-scoped RoleBinding would suffice
  • Forgetting that a ClusterRole can still be bound namespace-locally via a RoleBinding
  • Granting wildcard verbs/resources instead of the specific minimum needed

Best Answer (HR Friendly)

โ€œRBAC is how Kubernetes controls who can do what. We define a Role that lists specific permissions, then bind that Role to a specific user or service account. Nothing is allowed unless it is explicitly granted, which lets us give each team or automated process only the exact access it needs and nothing more.โ€

Code Example

Namespace-scoped Role and RoleBinding for a CI service account
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: staging
  name: deployment-updater
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deploy-binding
  namespace: staging
subjects:
  - kind: ServiceAccount
    name: ci-bot
    namespace: staging
roleRef:
  kind: Role
  name: deployment-updater
  apiGroup: rbac.authorization.k8s.io

Follow-up Questions

  • What is the difference between a Role and a ClusterRole?
  • How would you audit which ServiceAccounts have cluster-admin access?
  • When would you use a ClusterRoleBinding instead of a RoleBinding?
  • How does RBAC interact with admission controllers like OPA/Gatekeeper?

MCQ Practice

1. What does a Kubernetes Role define on its own?

A Role only defines rules; it grants no access until attached to a subject via a RoleBinding.

2. What is the default authorization behavior in Kubernetes RBAC when no rule matches a request?

RBAC is deny-by-default: any verb/resource combination not explicitly allowed by a bound rule is rejected.

3. Which binding type grants a ClusterRole's permissions only within a single namespace?

A RoleBinding can reference a ClusterRole to reuse its rule set but scope the grant to just one namespace.

Flash Cards

What does a Role define? โ€” Allowed verbs on resources within a namespace โ€” grants nothing until bound to a subject.

What links a Role to a user? โ€” A RoleBinding (or ClusterRoleBinding for cluster-wide scope).

RBAC default behavior? โ€” Deny by default โ€” only explicitly allowed actions succeed.

Typical subject for workload permissions? โ€” A Kubernetes ServiceAccount.

1 / 4

Continue Learning