RBAC Patterns and Best Practices

Common RBAC Patterns

Pattern 1: Read-Only Access

yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: read-only
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]

Pattern 2: Namespace Admin

yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: namespace-admin
  namespace: production
rules:
  - apiGroups: ["", "apps", "batch", "extensions"]
    resources: ["*"]
    verbs: ["*"]

Pattern 3: Deployment Manager

yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-manager
  namespace: production
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]

Pattern 4: Secret Reader (ServiceAccount)

yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
    resourceNames: ["app-secrets"] # Specific secret only
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-secret-reader
  namespace: production
subjects:
  - kind: ServiceAccount
    name: my-app
    namespace: production
roleRef:
  kind: Role
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

Pattern 5: CI/CD Pipeline Access

yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cicd-deployer
rules:
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["services", "configmaps"]
    verbs: ["get", "list", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]

ServiceAccount Best Practices

Create Dedicated ServiceAccounts

yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app
  namespace: production
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      serviceAccountName: my-app
      automountServiceAccountToken: false # Disable if not needed

Least-Privilege ServiceAccount

yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-app-role
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames: ["my-app-config"]

Security Best Practices

Use Roles over ClusterRoles when possible
Specify resourceNames for fine-grained access
Avoid wildcard permissions (*) in production
Create dedicated ServiceAccounts for each app
Disable token auto-mounting if not needed
Regular RBAC audits to remove unused permissions
Use groups for user management
Implement namespace isolation
Monitor RBAC usage with audit logs
Document role purposes in metadata

Troubleshooting RBAC

Check User Permissions

bash

kubectl auth can-i list pods --as [email protected]
kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-app

View Effective Permissions

bash

kubectl describe clusterrole cluster-admin
kubectl describe rolebinding -n production

Debug Access Issues

bash

kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide | grep my-user

Common RBAC Verbs

get - Read a specific resource
list - List all resources of a type
watch - Watch for resource changes
create - Create new resources
update - Update existing resources
patch - Partially update resources
delete - Delete resources
deletecollection - Delete multiple resources
* - All verbs (avoid in production)

Resource Scope

Cluster-Scoped Resources

Nodes
PersistentVolumes
ClusterRoles
ClusterRoleBindings
Namespaces

Namespace-Scoped Resources

Pods
Services
Deployments
ConfigMaps
Secrets
Roles
RoleBindings