RoleBinding (rolebinding)
- Grants permissions within a specific namespace
- A RoleBinding grants actions only in the namespace in which it was created, regardless of the kind of role it references
Remember: Kubernetes does not handle Identity Management. Therefore "Users" and "Groups" are not Kubernetes native objects; they are just the names (strings) supplied by the authenticator, matched exactly against the subjects listed in the binding
Properties
subjects
- The listed subjects have the role bound to them
- A subject is a reference to either an object or a user identity
- Objects
  - ServiceAccount (core)
- User identities
  - User (rbac.authorization.k8s.io)
  - Group (rbac.authorization.k8s.io)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: ServiceAccount
name: my-sa
namespace: default # optional; defaults to the namespace of the RoleBinding ("default" here)
apiGroup: "" # optional; "" (core) is already the default for ServiceAccounts
- kind: User
name: henry # The name is case sensitive for Users and Groups
apiGroup: rbac.authorization.k8s.io # optional; rbac.authorization.k8s.io is already the default for Users and Groups
# namespace should be omitted for Users and Groups
- kind: Group
name: developers
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
roleRef
- This field is immutable. If you need to change it, you have to delete and recreate the RoleBinding
- roleRef must reference either:
  - A ClusterRole (cluster-scoped, so it has no namespace); the permissions it lists are still granted only inside the RoleBinding's namespace, and any cluster-scoped resources it names are not granted at all
  - A Role in the same namespace as the RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: henry
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io # optional (rbac.authorization.k8s.io by default)
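The following is an added example, not Kubernetes source code and not part of the original notes: a small model of how the RBAC authorizer evaluates a single RoleBinding. It covers both sections above: subject matching (case-sensitive User names, Group membership, a ServiceAccount subject whose omitted namespace defaults to the binding's namespace) and roleRef resolution (a Role looked up in the binding's own namespace versus a ClusterRole reused inside that namespace), plus the scoping rule that a RoleBinding never grants anything outside its namespace. The `read-pods` binding and `pod-reader` Role come from the notes; the ClusterRole `secret-and-node-reader` and the binding `read-secrets` are hypothetical names constructed for the example. Real clusters also evaluate ClusterRoleBindings, aggregated ClusterRoles and nonResourceURLs, which this model deliberately leaves out.

```python
# Added example: a minimal model of RoleBinding evaluation (not Kubernetes code).
# All Roles, ClusterRoles and bindings below are constructed sample data.

RBAC_GROUP = "rbac.authorization.k8s.io"

# Roles are keyed by (namespace, name); ClusterRoles are keyed by name only.
ROLES = {
    ("default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
}
CLUSTER_ROLES = {
    # Hypothetical ClusterRole mixing a namespaced resource (secrets) with a
    # cluster-scoped one (nodes), to show what a RoleBinding can and cannot grant.
    "secret-and-node-reader": [
        {"apiGroups": [""], "resources": ["secrets", "nodes"], "verbs": ["get"]},
    ],
}

# The read-pods RoleBinding from the notes, as a dict instead of YAML.
READ_PODS_BINDING = {
    "metadata": {"name": "read-pods", "namespace": "default"},
    "subjects": [
        {"kind": "ServiceAccount", "name": "my-sa"},  # namespace omitted on purpose
        {"kind": "User", "name": "henry", "apiGroup": RBAC_GROUP},
        {"kind": "Group", "name": "developers", "apiGroup": RBAC_GROUP},
    ],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": RBAC_GROUP},
}

# Hypothetical second binding that reuses a ClusterRole inside the "default" namespace.
READ_SECRETS_BINDING = {
    "metadata": {"name": "read-secrets", "namespace": "default"},
    "subjects": [{"kind": "User", "name": "henry", "apiGroup": RBAC_GROUP}],
    "roleRef": {"kind": "ClusterRole", "name": "secret-and-node-reader", "apiGroup": RBAC_GROUP},
}


def service_account_username(namespace, name):
    """User name the API server assigns to a ServiceAccount token."""
    return f"system:serviceaccount:{namespace}:{name}"


def subject_matches(subject, binding_namespace, user, groups):
    """Per-subject check: exact, case-sensitive string comparison, as in the authorizer."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        # An omitted namespace means "the namespace of the RoleBinding".
        sa_namespace = subject.get("namespace") or binding_namespace
        return user == service_account_username(sa_namespace, subject["name"])
    return False


def resolve_rules(role_ref, binding_namespace):
    """A Role is looked up in the binding's own namespace; a ClusterRole by name only."""
    if role_ref.get("apiGroup", RBAC_GROUP) != RBAC_GROUP:
        return []
    if role_ref["kind"] == "Role":
        return ROLES.get((binding_namespace, role_ref["name"]), [])
    if role_ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(role_ref["name"], [])
    return []


def rule_allows(rule, verb, api_group, resource):
    def matches(wanted, allowed):
        return "*" in allowed or wanted in allowed
    return (matches(verb, rule["verbs"])
            and matches(api_group, rule["apiGroups"])
            and matches(resource, rule["resources"]))


def is_allowed(binding, user, groups, namespace, verb, resource, api_group=""):
    """True if this RoleBinding alone grants `verb` on `resource` in `namespace`.

    `namespace` is the namespace of the requested object. Cluster-scoped resources
    such as nodes carry an empty namespace and therefore never match a RoleBinding,
    even when the referenced ClusterRole lists them.
    """
    binding_namespace = binding["metadata"]["namespace"]
    if namespace != binding_namespace:
        return False  # confined to its own namespace, whatever roleRef kind it uses
    if not any(subject_matches(s, binding_namespace, user, groups) for s in binding["subjects"]):
        return False
    rules = resolve_rules(binding["roleRef"], binding_namespace)
    return any(rule_allows(r, verb, api_group, resource) for r in rules)


if __name__ == "__main__":
    sa_user = service_account_username("default", "my-sa")
    print("henry get pods/default:", is_allowed(READ_PODS_BINDING, "henry", [], "default", "get", "pods"))
    print("Henry get pods/default:", is_allowed(READ_PODS_BINDING, "Henry", [], "default", "get", "pods"))
    print("my-sa get pods/default:", is_allowed(READ_PODS_BINDING, sa_user, [], "default", "get", "pods"))
    print("henry get nodes:", is_allowed(READ_SECRETS_BINDING, "henry", [], "", "get", "nodes"))
```

On a real cluster the same questions are answered by impersonation, for example `kubectl auth can-i get pods --namespace default --as henry`, `kubectl auth can-i get pods --namespace default --as alice --as-group developers`, or `kubectl auth can-i get pods --namespace default --as system:serviceaccount:default:my-sa`; running those against the bindings in the notes is the quickest way to confirm that a name typo, a wrong namespace or a cluster-scoped resource silently grants nothing.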