Managing permissions in Kubernetes is an essential step when preparing for the CKA exam. In this blog post, we will cover how to create a ServiceAccount, a ClusterRole, and bind them together using a RoleBinding.

What Is RBAC in Kubernetes?

Kubernetes uses Role-Based Access Control (RBAC) to define who can do what within the cluster.

You typically work with four main RBAC objects:

  • Role – namespaced permissions
  • ClusterRole – cluster-wide permissions
  • RoleBinding – binds a Role/ClusterRole to a subject within one namespace
  • ClusterRoleBinding – binds a ClusterRole cluster-wide

In this example, we will:

  • Create a ServiceAccount
  • Create a ClusterRole
  • Bind the ClusterRole to the ServiceAccount using a RoleBinding

Step 1: Create a ServiceAccount

First, we are going to create a ServiceAccount in the default namespace. Create a YAML file named sa.yaml and copy the content below into it:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: cluster-service-account
  namespace: default

Run the following command to create the ServiceAccount:

kubectl apply -f sa.yaml

This manifest creates a ServiceAccount named cluster-service-account in the default namespace.

Step 2: Create a ClusterRole

A ClusterRole defines reusable permissions that can be applied cluster-wide or within specific namespaces. Create a YAML file named clusterrole.yaml and copy the content below into it:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]

Run the following command to create the ClusterRole:

kubectl apply -f clusterrole.yaml

This ClusterRole grants read-only access to pods and services. Since both are namespaced resources, binding the ClusterRole with a RoleBinding correctly restricts that access to a single namespace.

Step 3: Bind the ClusterRole Using a RoleBinding

A RoleBinding links a ClusterRole to a subject (ServiceAccount, User, or Group), but limits the permissions to the namespace where the RoleBinding exists.

Create a YAML file named rolebinding.yaml and copy the content below into it:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-services
  namespace: default
subjects:
- kind: ServiceAccount
  name: cluster-service-account
  namespace: default
roleRef:
  kind: ClusterRole
  name: pod-reader-role
  apiGroup: rbac.authorization.k8s.io

Run the following command to bind the ClusterRole to the ServiceAccount:

kubectl apply -f rolebinding.yaml

The ServiceAccount cluster-service-account can now read pods and services only within the default namespace.

Step 4: Verify the Permissions

Verify that the ServiceAccount has the expected permissions:

kubectl auth can-i list pods \
  --as=system:serviceaccount:default:cluster-service-account \
  -n default

Output:

root@controlplane# kubectl auth can-i list pods \
  --as=system:serviceaccount:default:cluster-service-account \
  -n default
yes

Check a different namespace, where the RoleBinding does not apply:

kubectl auth can-i list pods \
  --as=system:serviceaccount:default:cluster-service-account \
  -n kube-system

Output:

root@controlplane# kubectl auth can-i list pods \
  --as=system:serviceaccount:default:cluster-service-account \
  -n kube-system
no
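As an added example (not part of the original post), the following Python script models the decision the two kubectl auth can-i checks above exercise. The ClusterRole rules and the RoleBinding are copied from the manifests in this post; the ClusterRoleBinding is a hypothetical object included only to show that the binding kind, not the role, sets the scope. It is a simplified model of RBAC evaluation, not the API server's authorizer.

```python
# Added example (not from the post): a simplified model of the decision
# kubectl auth can-i exercises. It covers only the objects above; the real
# authorizer also handles Roles, resourceNames, subresources and groups.
SUBJECT = "system:serviceaccount:default:cluster-service-account"

# Rules copied from clusterrole.yaml above.
ROLES = {
    "pod-reader-role": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]},
    ],
}

# The RoleBinding from rolebinding.yaml: it lives in "default", so it only
# grants the referenced ClusterRole for requests in that namespace.
ROLE_BINDING = {"kind": "RoleBinding", "namespace": "default",
                "subject": SUBJECT, "roleRef": "pod-reader-role"}

# Hypothetical ClusterRoleBinding for the same role (not in the post),
# included to show how the binding kind, not the role, sets the scope.
CLUSTER_ROLE_BINDING = {"kind": "ClusterRoleBinding", "namespace": None,
                        "subject": SUBJECT, "roleRef": "pod-reader-role"}

def rule_allows(rule, api_group, resource, verb):
    """A rule matches when group, resource and verb are all listed (or '*')."""
    def listed(allowed, value):
        return "*" in allowed or value in allowed
    return (listed(rule["apiGroups"], api_group)
            and listed(rule["resources"], resource)
            and listed(rule["verbs"], verb))

def can_i(bindings, subject, verb, resource, namespace, api_group=""):
    """RBAC is deny-by-default: return True only if some binding grants it."""
    for binding in bindings:
        if binding["subject"] != subject:
            continue
        # A RoleBinding applies only inside its own namespace;
        # a ClusterRoleBinding applies in every namespace.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        rules = ROLES[binding["roleRef"]]
        if any(rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False

if __name__ == "__main__":
    for ns in ("default", "kube-system"):
        allowed = can_i([ROLE_BINDING], SUBJECT, "list", "pods", ns)
        print(f"list pods in {ns}: {'yes' if allowed else 'no'}")
```

Swapping ROLE_BINDING for CLUSTER_ROLE_BINDING in the loop turns the kube-system answer into yes, which is exactly the widening a ClusterRoleBinding causes on a real cluster.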

Conclusion

In Kubernetes, a ClusterRole lets you define a reusable set of permissions, and the binding you choose (RoleBinding or ClusterRoleBinding) controls where a user or ServiceAccount can exercise them.

I hope this quick guide helps you set up a ClusterRole and bind it to a ServiceAccount.