Viewing the default Roles

RBAC (role-based access control) is a core component of Kubernetes that lets us define roles and bind them to subjects (users, groups and service accounts) to control access to resources within the cluster. This recipe will help you understand the contents of the default roles and role bindings.

Let's perform the following steps to view the default roles and role bindings in our cluster:

  1. View the default ClusterRoles and ClusterRoleBindings using the following commands. You will see a long mixed list of system:, system:controller:, and a few other prefixed roles. The system:* roles are used by the cluster infrastructure (kubelets, kube-proxy, the scheduler and so on); the system:controller:* roles are used by the individual controllers run by kube-controller-manager, the control loop that watches the shared state of the cluster. Both are good to know about when you need to troubleshoot permission issues, but they are not something we will be using very often:
$ kubectl get clusterroles
$ kubectl get clusterrolebindings
  2. View one of the system roles owned by Kubernetes to understand its purpose and limits. In the following example, we're looking at system:node, which defines the permissions a kubelet needs. Note that on clusters bootstrapped with Kubernetes 1.8 or later this ClusterRole is kept for compatibility and is not bound to the system:nodes group; kubelets are authorized by the Node authorizer instead, which scopes each kubelet to the resources of its own node. In the rules section of the output, an empty string in apiGroups refers to the core API group, resources lists the Kubernetes resource types, and verbs lists the API actions the role allows on them:
$ kubectl get clusterroles system:node -o yaml
  3. Let's view the default user-facing roles, since they are the ones we are more interested in. The roles without the system: prefix are intended to be user-facing. The following command lists only the non-system: roles. The main roles intended to be granted within a specific namespace using RoleBindings are admin, edit, and view; the kops: and kube-dns-autoscaler roles in this output come from the installer and cluster add-ons (kops, in this example), not from Kubernetes itself:
$ kubectl get clusterroles | grep -v '^system'
NAME                  AGE
admin                 8d   # read/write access to most resources in a namespace, including creating Roles and RoleBindings there; no write access to the namespace itself or to resource quotas
cluster-admin         8d   # super-user; read/write access to every resource cluster-wide
edit                  8d   # read/write access to most resources in a namespace, but cannot view or modify Roles and RoleBindings
kops:dns-controller   8d   # installer-specific add-on role, not a Kubernetes default
kube-dns-autoscaler   8d   # installer-specific add-on role, not a Kubernetes default
view                  8d   # read-only access to most resources in a namespace; cannot read Secrets
  4. Now, review the default ClusterRoleBinding, cluster-admin, using the following command. You will see that this binding gives the system:masters group cluster-wide super-user permissions through the cluster-admin role. Kubernetes recreates the default ClusterRoles and ClusterRoleBindings at API server start-up (they carry the rbac.authorization.kubernetes.io/autoupdate: "true" annotation), so editing this binding is not a reliable way to take cluster-admin away from system:masters; control which credentials carry that group instead:
$ kubectl get clusterrolebindings/cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  ...
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
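Putting the four steps together as a check you can rerun, here is an added example that is not part of the original recipe: a POSIX shell script that flattens every ClusterRoleBinding with a kubectl jsonpath query and reports any subject bound to cluster-admin other than the system:masters group. The function names (collect_bindings, sample_bindings, unexpected_subjects, unexpected_cluster_admins), the ci-deployer binding and its subjects are assumptions made for illustration; the sample lines are constructed, so the --demo mode runs without a cluster.

```shell
#!/bin/sh
# Added example, not part of the original recipe: audit who holds a
# ClusterRole (by default, cluster-admin) and flag every subject that is not
# on an expected list. The input format is assumed to be one line per
# ClusterRoleBinding, produced by the kubectl jsonpath query in
# collect_bindings:
#   NAME<TAB>ROLE<TAB>KIND:SUBJECT,KIND:SUBJECT,...

# Flatten every ClusterRoleBinding into one tab-separated line.
collect_bindings() {
    kubectl get clusterrolebindings -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}:{.name}{","}{end}{"\n"}{end}'
}

# Constructed sample output in the same format (no cluster needed): the
# default cluster-admin binding, one harmless default binding, and a
# hypothetical "ci-deployer" binding that hands cluster-admin to a service
# account and a user.
sample_bindings() {
    printf 'cluster-admin\tcluster-admin\tGroup:system:masters,\n'
    printf 'system:basic-user\tsystem:basic-user\tGroup:system:authenticated,\n'
    printf 'ci-deployer\tcluster-admin\tServiceAccount:deployer,User:alice,\n'
}

# unexpected_subjects ROLE ALLOWED
#   Reads binding lines on stdin and prints "BINDING SUBJECT" for every
#   subject bound to ROLE that is not in ALLOWED (a comma-separated list).
unexpected_subjects() {
    awk -F '\t' -v role="$1" -v allowed=",$2," '
        $2 == role {
            n = split($3, subj, ",")
            for (i = 1; i <= n; i++) {
                if (subj[i] != "" && index(allowed, "," subj[i] ",") == 0)
                    print $1, subj[i]
            }
        }'
}

# The check most worth running: anything besides the system:masters group
# holding cluster-admin.
unexpected_cluster_admins() {
    unexpected_subjects cluster-admin Group:system:masters
}

case "${1:-}" in
    --live) collect_bindings | unexpected_cluster_admins ;;
    --demo) sample_bindings | unexpected_cluster_admins ;;
    *)      printf 'usage: %s --live | --demo\n' "$0" >&2 ;;
esac
```

Run it with --live against a real cluster or --demo against the constructed data, where it reports the deployer service account and the user alice from the ci-deployer binding. Subjects are printed as KIND:NAME, so two service accounts with the same name in different namespaces are not told apart; add {.namespace} to the jsonpath expression if that matters. The same function audits any role: unexpected_subjects admin '' lists every subject that holds the admin ClusterRole cluster-wide through a ClusterRoleBinding rather than through a namespaced RoleBinding, which is usually not what was intended.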

RBAC became a beta feature in the Kubernetes 1.6 release and went GA in 1.8; whether it is in effect depends on the API server's --authorization-mode flag, but every mainstream installer enables it. With RBAC in effect, a new subject (user, group or service account) starts with no permissions beyond the little that is bound to the system:authenticated group by default (API discovery and self-subject access reviews) until an admin binds it to a role. You can confirm this for any subject with kubectl auth can-i --list --as=<user> (add --as-group=<group> for group membership). Now, you know about the available default roles.

In the following recipes, you will learn how to create new Roles and RoleBindings and grant accounts the permissions that they need.
