Kubernetes RBAC Cheat Sheet
Configuring Role-Based Access Control with Roles, ClusterRoles, and bindings to control who can do what in a cluster.
2 PagesAdvancedFeb 5, 2026
RBAC Objects
The four objects that make up Kubernetes RBAC.
- Role- Namespaced set of permissions (verbs on resources)
- ClusterRole- Cluster-scoped permissions, can also be used for namespaced resources across all namespaces
- RoleBinding- Grants a Role (or ClusterRole) to a subject within a specific namespace
- ClusterRoleBinding- Grants a ClusterRole to a subject across the entire cluster
Role - Read-only Pods
Grant get/list/watch on pods within a namespace.
yaml
apiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata: namespace: staging name: pod-readerrules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch"]
RoleBinding
Bind the pod-reader Role to a specific user.
yaml
apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata: name: read-pods namespace: stagingsubjects: - kind: User name: jane@example.com apiGroup: rbac.authorization.k8s.ioroleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io
ServiceAccount + ClusterRoleBinding
Grant a workload's ServiceAccount permissions across the cluster.
yaml
apiVersion: v1kind: ServiceAccountmetadata: name: ci-deployer namespace: ci---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata: name: ci-deployer-bindingsubjects: - kind: ServiceAccount name: ci-deployer namespace: ciroleRef: kind: ClusterRole name: edit apiGroup: rbac.authorization.k8s.io
Debugging Permissions
Check what a user or service account is allowed to do.
bash
# Can I delete pods in the default namespace?kubectl auth can-i delete pods --namespace default# Check as a specific service accountkubectl auth can-i list secrets \ --as=system:serviceaccount:ci:ci-deployer -n ci# List all Roles/ClusterRoles bound to a subjectkubectl get rolebindings,clusterrolebindings -A -o wide
Pro Tip
Avoid binding the built-in `cluster-admin` ClusterRole to service accounts — grant the narrowest built-in role that fits (`view`, `edit`) or author a custom Role scoped to the exact verbs and resources the workload needs.
Was this cheat sheet helpful?
Explore Topics
#KubernetesRBAC#KubernetesRBACCheatSheet#DevOps#Advanced#RBACObjects#Role#Read#Only#Kubernetes#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance