Creating Roles and RoleBindings

Roles and RoleBindings are always namespaced: they can grant permissions only for resources in the same namespace as the Role and RoleBinding themselves. ClusterRoles and ClusterRoleBindings, by contrast, grant permissions to cluster-wide resources such as nodes.

Let's perform the following steps to create an example Role and RoleBinding in our cluster:

  1. First, create a namespace where we will create the Role and RoleBinding. In our example, the namespace is secureapp:
$ kubectl create ns secureapp
  2. Create a Role using the following rules. This Role allows all operations on deployments, replica sets, and pods for anyone bound to the deployer Role in the secureapp namespace we created in Step 1. Note that granted permissions are purely additive; RBAC has no deny rules, so anything not explicitly allowed is denied:
$ cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: secureapp
  name: deployer
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
  3. Create a RoleBinding that binds the deployer Role to the user john.geek in the secureapp namespace. The RoleBinding must live in secureapp because a RoleBinding can only reference a Role that exists in the same namespace:
$ cat <<EOF | kubectl apply -f -
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployer-binding
  namespace: secureapp
subjects:
- kind: User
  name: john.geek
  apiGroup: ""
roleRef:
  kind: Role
  name: deployer
  apiGroup: ""
EOF
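To see why the namespace and the allow-only rules matter, here is an added example (not from the book or from Kubernetes itself) that models how the API server evaluates a request against the Role and RoleBinding created above; the two objects are embedded as Python dicts constructed from the manifests, and can_i is a hypothetical helper, not a kubectl command:

```python
# Constructed model of Kubernetes RBAC evaluation for the deployer Role and
# deployer-binding RoleBinding above (example code, not the kube-apiserver authorizer).

# The two objects from the steps above, transcribed as dicts (constructed).
ROLE = {
    "metadata": {"namespace": "secureapp", "name": "deployer"},
    "rules": [{
        "apiGroups": ["", "extensions", "apps"],
        "resources": ["deployments", "replicasets", "pods"],
        "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
    }],
}
ROLEBINDING = {
    "metadata": {"namespace": "secureapp", "name": "deployer-binding"},
    "subjects": [{"kind": "User", "name": "john.geek"}],
    "roleRef": {"kind": "Role", "name": "deployer"},
}

def rule_matches(rule, api_group, resource, verb):
    """A rule matches only when apiGroup, resource and verb are all listed ('*' is a wildcard)."""
    def has(values, wanted):
        return "*" in values or wanted in values
    return (has(rule["apiGroups"], api_group)
            and has(rule["resources"], resource)
            and has(rule["verbs"], verb))

def can_i(user, verb, resource, namespace, api_group="", roles=(ROLE,), bindings=(ROLEBINDING,)):
    """Allow only if a RoleBinding in the request's namespace names the user and
    references a Role in that same namespace with a matching rule. There is no deny
    rule: permissions are purely additive, so every unmatched request is denied."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding never grants anything outside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue  # the user is not a subject of this binding
        ref = binding["roleRef"]
        for role in roles:
            if (ref["kind"] == "Role" and role["metadata"]["name"] == ref["name"]
                    and role["metadata"]["namespace"] == namespace):
                if any(rule_matches(r, api_group, resource, verb) for r in role["rules"]):
                    return True
    return False  # default deny

if __name__ == "__main__":
    print(can_i("john.geek", "create", "deployments", "secureapp", "apps"))  # True
    print(can_i("john.geek", "delete", "pods", "default"))                   # False: other namespace
    print(can_i("john.geek", "list", "secrets", "secureapp"))                # False: not in the rule
    print(can_i("jane.doe", "get", "pods", "secureapp"))                     # False: not a subject
```

Against a live cluster the same checks are made with kubectl auth can-i, for example `kubectl auth can-i create deployments -n secureapp --as john.geek` (yes) and `kubectl auth can-i list secrets -n secureapp --as john.geek` (no).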

With that, you've learned how to create a new Role and grant permissions to a user using RoleBindings.
