02 November 2022

RBACs in Kubernetes

Security should be our top priority. In Kubernetes, role-based access control (RBAC) is the mechanism that grants users, groups and service accounts access to API resources. RBAC is a security design that restricts access to Kubernetes resources based on the roles bound to a subject: a subject has no permissions at all until a Role or ClusterRole is bound to it, so every permission has to be granted explicitly.

There are two scopes at which RBAC policies can be defined:

1. Namespace-wide RBAC policies

Manifests defining RBAC policies at the namespace level (a Role and a RoleBinding):

With the above example, access is restricted to a specific namespace (myapp) for a specific application (Istio) through a ServiceAccount deployed in the myapp namespace. If that ServiceAccount tries to read a resource in another namespace, say myapp2, the API server returns a 403 Forbidden error, because a Role and its RoleBinding only ever grant permissions inside the namespace they are created in.
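The namespace-level manifests described above, written out as an added example (these are not the post's own manifests). The names are assumptions: a ServiceAccount istio-app in the myapp namespace, a Role myapp-reader and a RoleBinding myapp-reader-binding.

```yaml
# Added example, not the original post's manifests.
# Assumed names: namespace "myapp", ServiceAccount "istio-app",
# Role "myapp-reader", RoleBinding "myapp-reader-binding".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-app
  namespace: myapp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myapp-reader
  namespace: myapp          # a Role is namespaced: it applies only inside myapp
rules:
- apiGroups: [""]           # "" is the core API group (pods, services, configmaps)
  resources: ["pods", "services", "configmaps"]
  verbs: ["get", "list", "watch"]   # read-only; no create/update/delete
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myapp-reader-binding
  namespace: myapp          # the binding is namespaced as well
subjects:
- kind: ServiceAccount
  name: istio-app
  namespace: myapp
roleRef:
  kind: Role
  name: myapp-reader
  apiGroup: rbac.authorization.k8s.io
```

Apply with `kubectl apply -f rbac-myapp.yaml` and verify the boundary before relying on it: `kubectl auth can-i list pods -n myapp --as=system:serviceaccount:myapp:istio-app` answers `yes`, while the same command with `-n myapp2` answers `no`, which is the 403 the paragraph above describes. Note that `secrets` are deliberately left out of the rule set; granting `list` on secrets namespace-wide is a common way an application service account ends up able to read credentials it does not own.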

2. Cluster-wide RBAC policies
ClusterRoles are similar to Roles but are not namespaced. Bound to a ServiceAccount through a ClusterRoleBinding, a ClusterRole grants its permissions in every namespace (and on cluster-scoped resources such as nodes or namespaces). Bound through a RoleBinding instead, the same ClusterRole grants its rules only inside the RoleBinding's namespace, which lets one ClusterRole be reused in several namespaces without opening up the whole cluster.

Manifests defining RBAC policies at the cluster-wide level (a ClusterRole and its bindings):

With the above example, a ClusterRole is bound to a ServiceAccount so that the same set of permissions applies in more than one namespace.
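The cluster-level manifests described above, written out as an added example (not the post's own manifests). It assumes the same ServiceAccount istio-app in the myapp namespace, a ClusterRole named app-reader, and one RoleBinding each in myapp and myapp2; both names are assumptions. The ClusterRole is deliberately bound with RoleBindings rather than a ClusterRoleBinding, which is what limits the permissions to the two application namespaces.

```yaml
# Added example, not the original post's manifests.
# Assumed names: ClusterRole "app-reader", ServiceAccount "istio-app" in "myapp",
# RoleBindings "app-reader" in "myapp" and "myapp2".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-reader          # cluster-scoped object: no namespace field
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
# RoleBinding in myapp: grants the ClusterRole's rules only inside myapp
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader
  namespace: myapp
subjects:
- kind: ServiceAccount
  name: istio-app
  namespace: myapp
roleRef:
  kind: ClusterRole         # a RoleBinding may reference a ClusterRole
  name: app-reader
  apiGroup: rbac.authorization.k8s.io
---
# The same ClusterRole reused in myapp2. The subject is still the ServiceAccount
# from myapp; a binding may reference a ServiceAccount in another namespace.
# No binding exists for kube-system, so the rules never apply there.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader
  namespace: myapp2
subjects:
- kind: ServiceAccount
  name: istio-app
  namespace: myapp
roleRef:
  kind: ClusterRole
  name: app-reader
  apiGroup: rbac.authorization.k8s.io
```

Check the result the same way as before: `kubectl auth can-i list pods -n myapp2 --as=system:serviceaccount:myapp:istio-app` answers `yes`, and `-n kube-system` answers `no`. Had the two RoleBindings been replaced by a single ClusterRoleBinding referencing app-reader, the answer for kube-system (and every other namespace) would flip to `yes`, which is exactly the exposure the next paragraph warns about; reserve ClusterRoleBindings for controllers that genuinely need to see the whole cluster.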


If the user tries to access another namespace, or a system namespace such as kube-system, the request is again rejected with a 403 Forbidden error, because the user/ServiceAccount we created was only bound in the myapp and myapp2 namespaces. Developers usually do not need access to the system namespace (kube-system), so leaving it unbound is the right default.