Best practices
-
September 30, 2025

Kubernetes RBAC

Jan Lepsky
Ahilya Kulkarni
mogenius office insights

Role-based access control (RBAC) involves authorizing end-user access to systems, applications, networks, or resources based on their predefined role within an organization. Instead of assigning permissions to each user individually, RBAC provides a simpler, manageable approach by allowing administrators to assign users a preconfigured set of permissions based on their job function or qualifications.

RBAC is essential in Kubernetes because even a small misconfigured permission can expose your cluster. It enforces the principle of least privilege by making sure that users, service accounts, and workloads only have access to the specific resources and operations they need. With RBAC, administrators can define fine-grained permissions through roles and then assign those roles to users, groups, or service accounts.

By the end of this article, you'll understand how Kubernetes's RBAC works and how it protects your cluster. You'll learn to write and bind RBAC policies using YAML, avoid common configuration mistakes, and debug permission issues using Kubernetes tools. You will also see how tools like mogenius help you manage RBAC visually and conveniently, making access control more intuitive and reducing reliance on complex YAML files.

Kubernetes RBAC: Core Concepts and Objects

In Kubernetes, as clusters grow in complexity with more users, teams, and services interacting with the system, managing access manually becomes risky and inefficient. RBAC gives you a consistent, scalable way to control access to Kubernetes resources based on clearly defined roles.

RBAC addresses three key challenges in Kubernetes environments:

  • Security: It limits access to only what is needed for each user or entity to do their job. This helps prevent unauthorized access or accidental changes to critical resources.
  • Compliance: Regulatory standards—such as SOC 2, HIPAA, and GDPR—often mandate strict controls over system access. RBAC provides a structured, auditable mechanism to enforce those controls.
  • Multitenancy: In environments where multiple teams or applications share a cluster, RBAC helps administrators to isolate access so one group's activities cannot interfere with another's resources.

The RBAC API defines four types of Kubernetes objects: Role, ClusterRole, RoleBinding, and ClusterRoleBinding. You can create, view, and update these using tools like kubectl. They're managed by the rbac.authorization.k8s.io API group, which lets you configure access permissions directly through the Kubernetes API.

Roles and ClusterRoles

A Role grants access to resources within a specific namespace. You must specify the namespace when creating one.

Role Example: Role to Read Pods in a Namespace

Here's an example Role in the "staging" namespace that can be used to grant read access to pods:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: staging
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]


A ClusterRole is not tied to any namespace. It can be used to:

  • grant access to cluster-wide resources
  • define access across all namespaces
  • define namespace-level permissions that can be reused in multiple namespaces

Example: ClusterRole for Node Read Access

This ClusterRole grants read-only access to all nodes at the cluster level:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-inspector
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]


To summarize, use a Role when you want to limit access within a namespace; use a ClusterRole in two cases:

  • When you want to grant access to cluster-scoped resources, such as nodes or persistent volumes
  • When you want to grant access to namespaced resources across multiple namespaces

RoleBinding and ClusterRoleBinding

Before you dive into bindings, it is important to understand the concept of a subject. A subject is the identity that receives the permissions granted by a Role or ClusterRole. There are three kinds of subjects in Kubernetes:

  • A user (e.g. john@example.com)
  • A group (e.g. dev-team)
  • A service account (used by workloads inside the cluster)

A RoleBinding grants the permissions defined in a role to one or more subjects. A ClusterRoleBinding applies the binding across all namespaces, granting cluster-wide access to the referenced subjects.

While a RoleBinding typically references a Role defined in the same namespace, it can also reference a ClusterRole. This allows you to create reusable permission sets (as ClusterRoles) and apply them selectively to namespaces via RoleBindings. Note that when a ClusterRole is referenced in a RoleBinding, the permissions granted are limited to the RoleBinding's namespace. If you want a ClusterRole to apply across the entire cluster, use a ClusterRoleBinding.

The name of a Role, ClusterRole, RoleBinding, and ClusterRoleBinding object must be a valid path segment name.

RoleBinding Example: Binding a Role

This RoleBinding gives user john permission to read Pods in the default namespace, assuming a Role named pod-reader already exists in that namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: john  # case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io


RoleBinding Example: Referencing a ClusterRole

You can also bind a ClusterRole inside a namespace using a RoleBinding. In the following example, the ClusterRole config-reader is reused to give a service account the permission to view ConfigMaps in just the dev namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-configmaps
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dashboard-viewer
  namespace: dev
roleRef:
  kind: ClusterRole
  name: config-reader
  apiGroup: rbac.authorization.k8s.io


ClusterRoleBinding Example: Granting Access Across the Cluster

The following example binds the secret-reader ClusterRole to every user in the group ops-team, giving them permission to read Secrets in all namespaces:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ops-read-secrets
subjects:
- kind: Group
  name: ops-team
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

Summary of Kubernetes RBAC Objects

<

Once you create a RoleBinding or ClusterRoleBinding, its roleRef is immutable, meaning you cannot change it later to point to a different Role or ClusterRole. If you try to do so, it triggers a validation error. This immutability prevents accidental or malicious privilege escalation by ensuring that once a subject is bound to a role, the nature of that role cannot change silently.

Kubernetes's RBAC works on an additive basis. If a user is bound to multiple roles, their effective permissions combine all rules granted by those roles. Kubernetes also uses a deny-by-default model. Granting access is always deliberate. Access is only granted if an explicit Role or ClusterRoleBinding authorizes the request.

Example RBAC Workflow

Imagine a developer named Alice is in the developers group. She wants to scale up a deployment named web-app in the production namespace by changing its replica count to 5.

She runs the following command:

kubectl patch deployment web-app -n production --patch='{"spec":{"replicas":5}}'

This sends a PATCH request to the Kubernetes API server, targeting the web-app deployment. The API server checks who's making the request. It authenticates Alice using her credentials (like a token or certificate) and confirms her identity as a user who belongs to the developers group.

Kubernetes also needs to determine if Alice is authorized to perform this action. Even though she is authenticated, being authorized is a separate step.

The system checks whether Alice or her group have update permissions on deployments in the production namespace. (Since this is a PATCH request, it maps to the verb update.)

Suppose the following RBAC policies are in place:

The first Role defines read-only access to deployments in the production namespace:

kind: Role
metadata:
  name: deployment-reader
  namespace: production
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]


This Role is then bound to the developers group using a RoleBinding:

kind: RoleBinding
metadata:
  name: developers-can-read
  namespace: production
subjects:
- kind: Group
  name: developers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployment-reader
  apiGroup: rbac.authorization.k8s.io


As you can see, Alice has get, list, and watch permissions on deployments in the production namespace, allowing her to view deployment resources and observe changes. However, she does not have permissions to create, update, or delete, which are required for modification. As a result, any attempt to perform a PATCH request fails during the authorization phase.

Hence, Kubernetes responds with a 403 Forbidden error and a message:

deployments.apps "web-app" is forbidden: User "alice" cannot update resource "deployments" in API group "apps" in the namespace "production"


In short, Alice is authenticated but not authorized to make the change due to RBAC restrictions.

Common Pitfalls with Kubernetes RBAC and How to Avoid Them

RBAC provides fine-grained access control, but it can be prone to errors and easy to misconfigure. The following are some frequent mistakes that can lead to operational or security issues:

Granting Overly Broad Permissions

One of the most critical mistakes is assigning subjects—like users, groups, or service accounts—the built-in cluster-admin role. This effectively grants unrestricted access to the entire cluster. While convenient, this approach creates significant security vulnerabilities and increases the potential impact of security breaches or administrative errors. The recommended approach is to implement the principle of least privilege by defining custom Roles or ClusterRoles tailored to actual operational requirements.

Binding ClusterRoles Directly to Users

While Kubernetes allows direct user-to-ClusterRole bindings, it's not ideal. This approach leads to scattered one-off permissions that are difficult to track, audit, or manage at scale. Binding roles to well-defined user groups keeps permissions centralized, maintainable, and easier to update over time.

Creating Roles but Forgetting to Bind Them

A Role or ClusterRole by itself does nothing; it simply defines what is possible. You need to explicitly bind it using a RoleBinding or ClusterRoleBinding to assign those permissions to a subject. Skipping this step can cause confusion when users find they cannot perform actions they were "granted."

Troubleshooting Common RBAC Issues

Here are some ways to identify and resolve frequently occurring RBAC issues:

  • Use kubectl auth can-i to test permissions.
    Example: 
kubectl auth can-i delete pods --as user1

  • helps verify if user1 can delete pods.
  • Note: Using --as requires impersonate privileges for the user you are testing. Without it, the command may incorrectly report that the action is not allowed, even if the user does have the required permissions.
  • Check API server logs for authorization failures.
    Example: Look for entries like Forbidden: User "user1" cannot get resource "secrets" to identify blocked actions.
  • Describe role bindings to inspect how roles are mapped.
    Example:
kubectl describe rolebinding edit-binding

can show if the intended user/group is actually bound.

Reducing Complexity with Internal Developer Platforms

RBAC provides strong security boundaries in Kubernetes, but managing fine-grained access across users, namespaces, and clusters can be tedious and error-prone. As teams scale, the overhead of maintaining YAML files, synchronizing role definitions, and auditing access across environments often becomes a bottleneck.

An internal developer platform (IDP) helps centralize access control, network policies, and configuration standards, allowing developers to operate securely without needing deep Kubernetes expertise. mogenius is an IDP that directly addresses these challenges by automating RBAC and managing roles at the organization and workspace level using Kubernetes-native constructs behind the scenes.

mogenius defines two scopes of access: organizations and workspaces. Roles (Admin, Editor, and Viewer) are assigned visually in the mogenius UI, and the platform automatically provisions the corresponding Kubernetes Role and RoleBinding objects. This means teams do not need to define or apply YAML manually, and access remains consistent across environments.

mogenius has the following RBAC features:

  • Automatic role provisioning: Adding a user to a workspace or organization automatically creates the relevant Kubernetes Role and RoleBinding, mapped to common responsibilities:
    • Admins manage infrastructure, user access, and platform settings.
    • Editors can deploy, update, and restart services.
    • Viewers can inspect logs, configs, and resources but cannot make changes.
  • No manual YAML configuration: All access controls are managed via the UI, making audits easier and reducing human error.
  • Integrate with external identity providers: mogenius integrates with providers like Microsoft Entra ID. When group memberships change, access is updated automatically. When you deactivate a user in your IdP, their access to all Kubernetes clusters is revoked instantly, with no leftover credentials or manual cleanup.

Conclusion

By now, you have learned the core concepts of Kubernetes's RBAC: what roles and bindings are, how to write and apply them using YAML, how authorization decisions are made, and which pitfalls to avoid. You also explored troubleshooting techniques using tools like kubectl auth can-i and role/binding inspection. Most importantly, you understand that while RBAC offers powerful, fine-grained control, it requires careful management to avoid operational overhead and security risks.

The complexity of manual RBAC configuration is one reason why platforms that automate Kubernetes operations have become valuable. Tools like mogenius, which simplify environment provisioning and deployment workflows, also enhance RBAC management as part of their broader automation capabilities.

FAQ

How do I decide between a Role or ClusterRole?

A Role defines permissions scoped only to a specific namespace, whereas a ClusterRole applies cluster-wide, including all namespaces. For example, if you want to grant read access to pods only in the dev namespace, use a Role. If you need to allow listing nodes (a non-namespaced resource) or grant access to resources in multiple namespaces, use a ClusterRole.

Can I bind the same Role or ClusterRole to multiple users or service accounts?

Yes. You can reference the same Role or ClusterRole in multiple RoleBindings or ClusterRoleBindings, each with different subjects. This is a common pattern for reusing permission sets across teams or environments. Be mindful that permissions are additive, so if a user is included in multiple bindings, they get the union of all permissions granted.

Why am I getting "forbidden" errors even though I have created a RoleBinding?

Check the following:

 

  • The Role and RoleBinding are in the same namespace.
  • The subject (user/service account) matches exactly.
  • The Role contains all required verbs and resources.

What happens if I delete a Role but keep the RoleBinding?

The binding remains but becomes ineffective. Without the actual Role, there is nothing to enforce, and access will be denied.

Interesting Reads

Best practices
-
Jan Lepsky
-
April 15, 2025

Basic Kubernetes Troubleshooting: The Ultimate Guide

Learn to troubleshoot Kubernetes fast: From pod failures to network issues, this guide helps you fix cluster problems with real-world tips.
Best practices
-
Robert Adam
-
June 26, 2025

Kubernetes Management: Tools, Challenges & Best Practices

Simplify Kubernetes management with smart tools, real-world solutions, and the support that helps dev teams scale faster and work smarter.

The latest on DevOps and Platform
Engineering trends

Subscribe to our newsletter and stay on top of the latest developments

Object Scope Used For
Role Namespace Grants permissions within a single namespace
ClusterRole Cluster-wide Grants permissions across all namespaces or to cluster-scoped resources
RoleBinding Namespace