bookmark_borderCluster Roles and Cluster Roles Binding in Kubernetes

The roles and role bindings are namespaced meaning they are created within namespaces. If you do not specify in namespace they are created in the default namespace and control access within the namespace.

In the namespace we can isolate resources like pods, deployments, and services. However, we can not isolate the nodes. The nodes are cluster-wide or cluster-scoped resources. They cannot be associated with any particular namespace. So the resources are categorized as either namespaced or cluster scoped. Thus, we need cluster roles and cluster roles binding

Namespaced vs Cluster scoped
$ kubectl api-resources --namespaced=true
NAME                        SHORTNAMES   APIGROUP                    NAMESPACED   KIND
bindings                                                             true         Binding
configmaps                  cm                                       true         ConfigMap
endpoints                   ep                                       true         Endpoints
events                      ev                                       true         Event
limitranges                 limits                                   true         LimitRange
persistentvolumeclaims      pvc                                      true         PersistentVolumeClaim
pods                        po                                       true         Pod
podtemplates                                                         true         PodTemplate
replicationcontrollers      rc                                       true         ReplicationController
resourcequotas              quota                                    true         ResourceQuota
secrets                                                              true         Secret
serviceaccounts             sa                                       true         ServiceAccount
services                    svc                                      true         Service
controllerrevisions                      apps                        true         ControllerRevision
daemonsets                  ds           apps                        true         DaemonSet
deployments                 deploy       apps                        true         Deployment
replicasets                 rs           apps                        true         ReplicaSet
statefulsets                sts          apps                        true         StatefulSet
localsubjectaccessreviews                authorization.k8s.io        true         LocalSubjectAccessReview
horizontalpodautoscalers    hpa          autoscaling                 true         HorizontalPodAutoscaler
cronjobs                    cj           batch                       true         CronJob
jobs                                     batch                       true         Job
stacks                                   compose.docker.com          true         Stack
leases                                   coordination.k8s.io         true         Lease
events                      ev           events.k8s.io               true         Event
ingresses                   ing          extensions                  true         Ingress
ingresses                   ing          networking.k8s.io           true         Ingress
networkpolicies             netpol       networking.k8s.io           true         NetworkPolicy
poddisruptionbudgets        pdb          policy                      true         PodDisruptionBudget
rolebindings                             rbac.authorization.k8s.io   true         RoleBinding
roles                                    rbac.authorization.k8s.io   true         Role
$ kubectl api-resources --namespaced=false
NAME                              SHORTNAMES   APIGROUP                       NAMESPACED   KIND
componentstatuses                 cs                                          false        ComponentStatus
namespaces                        ns                                          false        Namespace
nodes                             no                                          false        Node
persistentvolumes                 pv                                          false        PersistentVolume
mutatingwebhookconfigurations                  admissionregistration.k8s.io   false        MutatingWebhookConfiguration
validatingwebhookconfigurations                admissionregistration.k8s.io   false        ValidatingWebhookConfiguration
customresourcedefinitions         crd,crds     apiextensions.k8s.io           false        CustomResourceDefinition
apiservices                                    apiregistration.k8s.io         false        APIService
tokenreviews                                   authentication.k8s.io          false        TokenReview
selfsubjectaccessreviews                       authorization.k8s.io           false        SelfSubjectAccessReview
selfsubjectrulesreviews                        authorization.k8s.io           false        SelfSubjectRulesReview
subjectaccessreviews                           authorization.k8s.io           false        SubjectAccessReview
certificatesigningrequests        csr          certificates.k8s.io            false        CertificateSigningRequest
runtimeclasses                                 node.k8s.io                    false        RuntimeClass
podsecuritypolicies               psp          policy                         false        PodSecurityPolicy
clusterrolebindings                            rbac.authorization.k8s.io      false        ClusterRoleBinding
clusterroles                                   rbac.authorization.k8s.io      false        ClusterRole
priorityclasses                   pc           scheduling.k8s.io              false        PriorityClass
csidrivers                                     storage.k8s.io                 false        CSIDriver
csinodes                                       storage.k8s.io                 false        CSINode
storageclasses                    sc           storage.k8s.io                 false        StorageClass
volumeattachments                              storage.k8s.io                 false        VolumeAttachment

clusterroles

Cluster roles and cluster role bindings are just like roles except they are for a cluster scoped resources for example a cluster admin role can be created to provide a cluster administrator permissions to view create or delete nodes in a cluster.

The storage administrator role can be created to authorize a storage admin to create persistentvolumes

ClusterRole example

A ClusterRole can be used to grant the same permissions as a Role. Because ClusterRoles are cluster-scoped, you can also use them to grant access to:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: cluster-admin-example
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["list", "get", "create", "delete"]
$ kubectl create -f cluster-admin-role.yaml 
clusterrole.rbac.authorization.k8s.io/cluster-admin-example created

Link the cluster role binding the role binding object links the user to the role

ClusterRoleBinding example

To grant permissions across a whole cluster, you can use a ClusterRoleBinding. The following ClusterRoleBinding allows any user in the group “manager” to read secrets in any namespace.

apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-role-binding-example
subjects:
- kind: User
  name: cluster-admin # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin-example
  apiGroup: rbac.authorization.k8s.io
$ kubectl create -f cluster-admin-role-binding.yaml
clusterrolebinding.rbac.authorization.k8s.io/cluster-admin-role-binding-example created

Additionally, you can create a cluster role for namespace resources as well. When you do that the user will have access to these resources across all nameapaces.

  • Roles: a user to access objects like pods the user had access to the pods in a particular namespace.
  • Cluster Rules. when you authorize a user to access the objects like pods the user gets access to all pods across the cluster. Kubernetes creates a number od cluster roles by default.

View clusterroles and clusterrolebinding

$  kubectl get clusterroleNAME                                                                   AGE
admin                                                                  81d
cluster-admin                                                          81d
cluster-admin-example                                                  11m
compose-service                                                        81d
compose-stack-admin                                                    81d
compose-stack-edit                                                     81d
compose-stack-view                                                     81d
edit                                                                   81d
system:aggregate-to-admin                                              81d
system:aggregate-to-edit                                               81d
system:aggregate-to-view                                               81d
system:auth-delegator                                                  81d
system:basic-user                                                      81d
system:certificates.k8s.io:certificatesigningrequests:nodeclient       81d
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   81d
system:controller:attachdetach-controller                              81d
system:controller:certificate-controller                               81d
system:controller:clusterrole-aggregation-controller                   81d
system:controller:cronjob-controller                                   81d
system:controller:daemon-set-controller                                81d
system:controller:deployment-controller                                81d
system:controller:disruption-controller                                81d
system:controller:endpoint-controller                                  81d
system:controller:expand-controller                                    81d
system:controller:generic-garbage-collector                            81d
system:controller:horizontal-pod-autoscaler                            81d
system:controller:job-controller                                       81d
system:controller:namespace-controller                                 81d
system:controller:node-controller                                      81d
system:controller:persistent-volume-binder                             81d
system:controller:pod-garbage-collector                                81d
system:controller:pv-protection-controller                             81d
system:controller:pvc-protection-controller                            81d
system:controller:replicaset-controller                                81d
system:controller:replication-controller                               81d
system:controller:resourcequota-controller                             81d
system:controller:route-controller                                     81d
system:controller:service-account-controller                           81d
system:controller:service-controller                                   81d
system:controller:statefulset-controller                               81d
system:controller:ttl-controller                                       81d
system:coredns                                                         81d
system:csi-external-attacher                                           81d
system:csi-external-provisioner                                        81d
system:discovery                                                       81d
system:heapster                                                        81d
system:kube-aggregator                                                 81d
system:kube-controller-manager                                         81d
system:kube-dns                                                        81d
system:kube-scheduler                                                  81d
system:kubelet-api-admin                                               81d
system:node                                                            81d
system:node-bootstrapper                                               81d
system:node-problem-detector                                           81d
system:node-proxier                                                    81d
system:persistent-volume-provisioner                                   81d
system:public-info-viewer                                              81d
system:volume-scheduler                                                81d
view                                                                   81d
vpnkit-controller                                                      81d

$ kubectl get clusterrolebinding
NAME                                                   AGE
cluster-admin                                          81d
cluster-admin-role-binding-example                     5m31s
compose                                                81d
compose-auth-delegator                                 81d
compose-auth-view                                      81d
docker-for-desktop-binding                             81d
kubeadm:kubelet-bootstrap                              81d
kubeadm:node-autoapprove-bootstrap                     81d
kubeadm:node-autoapprove-certificate-rotation          81d
kubeadm:node-proxier                                   81d
storage-provisioner                                    81d
system:basic-user                                      81d
system:controller:attachdetach-controller              81d
system:controller:certificate-controller               81d
system:controller:clusterrole-aggregation-controller   81d
system:controller:cronjob-controller                   81d
system:controller:daemon-set-controller                81d
system:controller:deployment-controller                81d
system:controller:disruption-controller                81d
system:controller:endpoint-controller                  81d
system:controller:expand-controller                    81d
system:controller:generic-garbage-collector            81d
system:controller:horizontal-pod-autoscaler            81d
system:controller:job-controller                       81d
system:controller:namespace-controller                 81d
system:controller:node-controller                      81d
system:controller:persistent-volume-binder             81d
system:controller:pod-garbage-collector                81d
system:controller:pv-protection-controller             81d
system:controller:pvc-protection-controller            81d
system:controller:replicaset-controller                81d
system:controller:replication-controller               81d
system:controller:resourcequota-controller             81d
system:controller:route-controller                     81d
system:controller:service-account-controller           81d
system:controller:service-controller                   81d
system:controller:statefulset-controller               81d
system:controller:ttl-controller                       81d
system:coredns                                         81d
system:discovery                                       81d
system:kube-controller-manager                         81d
system:kube-dns                                        81d
system:kube-scheduler                                  81d
system:node                                            81d
system:node-proxier                                    81d
system:public-info-viewer                              81d
system:volume-scheduler                                81d
vpnkit-controller                                      81d
ANOTE.DEV