Interactive Lab · CKA + CKS Topic · Intermediate

RBAC DEEP DIVE

$ kubectl create role developer --verb=get,list --resource=pods
๐Ÿ” Step 1 Create a Role
  • 1A Role defines a set of permissions within a specific namespace. It says "who can do what on which resources".
  • 2Key fields: rules[].verbs (get, list, create, delete), rules[].resources (pods, services, deployments).
  • 3This Role allows reading pods and services in the default namespace. Try adding create to the verbs list, then apply.
๐Ÿ’ก A Role only works within its namespace. For cluster-wide permissions, use a ClusterRole instead.
๐ŸŒ Step 2 Create a ClusterRole
  • 1A ClusterRole applies cluster-wide. It can grant access to resources in any namespace, or to non-namespaced resources like Nodes.
  • 2Notice there is no namespace field in the metadata. ClusterRoles are cluster-scoped by definition.
  • 3Add nodes to the resources list. Nodes are non-namespaced and only accessible via ClusterRole, not Role.
๐Ÿ’ก Use ClusterRoles when you need to grant the same permissions across all namespaces, or access to cluster-level resources like nodes and namespaces.
🔗 Step 3 Bind the Role to a User
  • A RoleBinding connects a Role or ClusterRole to one or more subjects: a User, Group, or ServiceAccount.
  • The subjects field defines who gets the permissions. The roleRef defines what permissions they get. roleRef is immutable once created; to point a binding at a different role, delete and recreate the binding.
  • Change the subject name from jane to a different user name and apply. The binding stays in the same namespace as the Role, and a roleRef of kind Role can only refer to a Role in that same namespace.
💡 You can bind a ClusterRole with a RoleBinding to grant its rules only inside the RoleBinding's namespace, or with a ClusterRoleBinding to grant them across the whole cluster. A RoleBinding never grants more than its own namespace, even when the ClusterRole it references lists cluster-scoped resources such as nodes.
✅ Step 4 Test Permissions with auth can-i
  • kubectl auth can-i is your best friend for verifying RBAC. It sends a SelfSubjectAccessReview to the API server and reports yes or no exactly as the authorizer chain decides it, so the answer reflects RBAC together with any other configured authorizer.
  • The --as flag (with --as-group for group membership) impersonates another user to check their permissions without logging in as them. Impersonation is itself RBAC-controlled: your own identity needs the impersonate verb on users and groups, which cluster-admin includes.
  • Add --list to print everything the (impersonated) user is allowed to do in the current namespace, and -n to check a namespace other than the current one.
Permission Flow: 👤 User jane → via RoleBinding → 📋 Role pod-reader → grants → 🔐 Permissions get, list pods
Key Differences
  • Role: Namespaced. Grants permissions within one namespace only.
  • ClusterRole: Cluster-wide. Works across all namespaces and for non-namespaced resources.
  • RoleBinding: Binds a Role or ClusterRole to subjects within one namespace.
  • ClusterRoleBinding: Binds a ClusterRole to subjects cluster-wide.
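Steps 1 to 4 and the Key Differences above describe the decision the API server makes on every request. The following is an added example, not code from this lab or from Kubernetes: a small stand-alone model of RBAC evaluation that writes the manifests from Steps 1 to 3 as Python dicts and answers `kubectl auth can-i` style questions offline, so the scoping rules can be checked without a cluster. pod-reader and jane come from the lab; node-reader, bob, the developers and ops groups and the ci ServiceAccount are invented for the demo, while cluster-admin and system:masters are the real bootstrap objects every cluster ships with.

```python
"""Offline model of how the Kubernetes RBAC authorizer answers a request.

Added example for this lab, not code from the page or from Kubernetes. The
manifests are constructed for the demo (node-reader, bob, developers, ops and
the ci ServiceAccount are invented; pod-reader and jane come from the lab);
cluster-admin and system:masters mirror the bootstrap objects every cluster
ships with. Each object is its YAML manifest written as a Python dict.
"""

# Cluster-scoped resources live outside any namespace. A Role, even with a rule
# naming them, can never grant these: only ClusterRole + ClusterRoleBinding can.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes",
                  "clusterroles", "clusterrolebindings"}

ROLES = {  # keyed by (namespace, name): Roles are namespaced objects
    ("default", "pod-reader"): {"rules": [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list"]}]},
}
CLUSTER_ROLES = {
    "node-reader": {"rules": [
        {"apiGroups": [""], "resources": ["nodes"],
         "verbs": ["get", "list", "watch"]}]},
    "cluster-admin": {"rules": [  # bootstrap object: everything, everywhere
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
}
ROLE_BINDINGS = [
    {"namespace": "default",
     "subjects": [{"kind": "User", "name": "jane"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    # A ClusterRole bound by a RoleBinding applies only inside "dev"; and since
    # nodes are cluster-scoped, this binding grants nothing usable at all.
    {"namespace": "dev",
     "subjects": [{"kind": "Group", "name": "developers"}],
     "roleRef": {"kind": "ClusterRole", "name": "node-reader"}},
    # cluster-admin via RoleBinding: every verb on everything, but only in "dev".
    {"namespace": "dev",
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]
CLUSTER_ROLE_BINDINGS = [
    {"subjects": [{"kind": "Group", "name": "ops"}],
     "roleRef": {"kind": "ClusterRole", "name": "node-reader"}},
    # bootstrap binding: this is why system:masters membership means full admin
    {"subjects": [{"kind": "Group", "name": "system:masters"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]


def rule_allows(rule, api_group, resource, verb):
    """A PolicyRule matches only if apiGroups, resources and verbs ALL match."""
    wanted = {"apiGroups": api_group, "resources": resource, "verbs": verb}
    return all("*" in rule.get(k, []) or v in rule.get(k, [])
               for k, v in wanted.items())


def subject_matches(subject, user, groups):
    """ServiceAccounts authenticate as the user system:serviceaccount:<ns>:<name>."""
    kind, name = subject["kind"], subject["name"]
    if kind == "ServiceAccount":
        return user == f"system:serviceaccount:{subject.get('namespace', '')}:{name}"
    if kind == "User":
        return name == user
    return kind == "Group" and name in groups


def _rules_for(role_ref, binding_namespace):
    """A roleRef of kind Role is resolved in the binding's own namespace."""
    if role_ref["kind"] == "Role":
        return ROLES.get((binding_namespace, role_ref["name"]), {}).get("rules", [])
    return CLUSTER_ROLES.get(role_ref["name"], {}).get("rules", [])


def can_i(user, verb, resource, namespace=None, groups=(), api_group=""):
    """Offline stand-in for: kubectl auth can-i VERB RESOURCE [-n NS] --as USER.

    namespace=None is a cluster-scoped request such as `get nodes`. RBAC is
    purely additive with no deny rules: yes if ANY bound rule allows it.
    """
    if resource in CLUSTER_SCOPED:
        namespace = None  # -n is meaningless for cluster-scoped resources
    groups = set(groups) | {"system:authenticated"}  # every real user has this
    bound_rules = []
    for crb in CLUSTER_ROLE_BINDINGS:  # valid in every namespace and at cluster scope
        if any(subject_matches(s, user, groups) for s in crb["subjects"]):
            bound_rules += _rules_for(crb["roleRef"], None)
    if namespace is not None:
        for rb in ROLE_BINDINGS:  # valid only inside the binding's own namespace
            if rb["namespace"] == namespace and any(
                    subject_matches(s, user, groups) for s in rb["subjects"]):
                bound_rules += _rules_for(rb["roleRef"], namespace)
    return any(rule_allows(r, api_group, resource, verb) for r in bound_rules)


if __name__ == "__main__":
    for args in [("jane", "list", "pods", "default"),
                 ("jane", "create", "pods", "default"),
                 ("bob", "get", "nodes", None, ["developers"]),
                 ("admin", "delete", "nodes", None, ["system:masters"])]:
        print(args, "->", "yes" if can_i(*args) else "no")
```

Run it directly to print the yes/no answers. Two traps are built into the sample manifests: the developers group's RoleBinding to node-reader grants nothing, because nodes are cluster-scoped and a RoleBinding can only ever grant inside its namespace; and cluster-admin bound to the ci ServiceAccount by a RoleBinding is full power only inside dev, not cluster-wide. The model covers RBAC alone; a real API server may also consult the Node authorizer or a webhook.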
Common Verbs
  • get: Read a single specific resource by name.
  • list: List all resources of a type. The response carries the full objects, so list on secrets reveals every secret's contents.
  • watch: Stream changes to resources in real time.
  • create: Create a new resource.
  • update: Modify an existing resource (a full replacement; partial modification is the separate patch verb).
  • delete: Remove a resource.
  • *: Wildcard, all verbs, including any added in future API versions. Use with caution.
kubectl Commands
  • get roles: List all roles in the current namespace.
  • get clusterroles: List all cluster roles.
  • describe role <name>: Show what a role can do.
  • auth can-i <verb> <resource>: Test your own permissions.
  • auth can-i <verb> <resource> --as <user>: Test another user's permissions.
Subject Types
  • User: A human user authenticated to the cluster. Kubernetes stores no User objects; the name comes from the authenticator (the certificate CN for client certificates, the configured username claim for OIDC).
  • Group: A group of users (the certificate O fields for client certificates). system:masters gives cluster admin: a bootstrap ClusterRoleBinding ties it to cluster-admin and the API server re-creates that binding on startup, so membership can only be revoked by rotating the credential. Avoid issuing certificates with O=system:masters for day-to-day access.
  • ServiceAccount: An identity for a pod or process running inside the cluster, referenced in bindings with its namespace and authenticated as system:serviceaccount:<namespace>:<name>.