In this blog, we are going to explore Role and RoleBinding on Kubernetes with hands-on.
In Kubernetes there are two kinds of objects: cluster-scoped and namespace-scoped.
As an admin, if I want to give a user access to particular objects in a particular Namespace with certain permissions, I can use a Role and a RoleBinding.
For example, in my cluster I have a Namespace called prometheus-operator.
kubectl get all -n prometheus-operator

A lot of objects are available in that Namespace, and I could list all of them because I am an admin user.
kubectl auth can-i delete pods -n prometheus-operator
If I run this command, I see yes on the terminal: as an admin I can do anything in this Namespace.
Now I am going to create a Service Account, assign it certain permissions and see how that works.
Step 1: Create a Service Account
Let's create a Service Account to test Role Based Access Control (RBAC) on the cluster.
cat << EOF > sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: read-user
  namespace: prometheus-operator
EOF
kubectl apply -f sa.yaml
Step 2: Create a Role Object
Now I am creating a Role with read-only permission in this Namespace.
cat << EOF > role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: prometheus-operator
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
EOF
This grants permission only to get and list the Pods in the prometheus-operator Namespace.
kubectl apply -f role.yaml
Step 3: Create a Role Binding Object
We have created a Role with the required permission, so now we have to bind it to the Service Account in the Namespace using a RoleBinding object.
cat << EOF > rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-role-binding
  namespace: prometheus-operator
subjects:
- kind: ServiceAccount
  name: read-user
  namespace: prometheus-operator
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
The RoleBinding object connects the Service Account and the Role together.
kubectl apply -f rolebinding.yaml
To get the details of the RoleBinding after it has been applied:
kubectl describe rolebindings.rbac.authorization.k8s.io -n prometheus-operator read-pods-role-binding
The setup is complete, so let's check that Pods can be listed by the read-user Service Account.
kubectl get pods -n prometheus-operator --as=system:serviceaccount:prometheus-operator:read-user
We know that this Service Account has no permission beyond listing Pods in this particular Namespace.
kubectl get svc -n prometheus-operator --as=system:serviceaccount:prometheus-operator:read-user
When I try to list the available Service objects, I get an error.
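The two manual checks above can be turned into a repeatable least-privilege check. The following script is an added example, not part of the original post: it impersonates the read-user Service Account with --as and uses kubectl auth can-i to confirm that only get and list on pods are allowed, and only inside prometheus-operator. It assumes kubectl is configured against the cluster where the Role and RoleBinding above were applied.

```shell
#!/bin/sh
# Added example (not from the original post): probe the effective permissions of the
# read-user ServiceAccount by impersonating it with --as, the same way the post does.
# Assumes kubectl is configured against the cluster where the Role and RoleBinding
# from the post were applied.

SA="system:serviceaccount:prometheus-operator:read-user"

# can_i VERB RESOURCE NAMESPACE -> prints "yes" or "no" as kubectl reports it.
# kubectl exits 1 on "no", so swallow the status and keep only the answer.
can_i() {
    kubectl auth can-i "$1" "$2" -n "$3" --as="$SA" 2>/dev/null || true
}

# check VERB RESOURCE NAMESPACE EXPECTED -> 0 when the answer matches, 1 otherwise.
check() {
    actual=$(can_i "$1" "$2" "$3")
    if [ "$actual" = "$4" ]; then
        echo "ok    $1 $2 in $3 -> $actual"
        return 0
    fi
    echo "FAIL  $1 $2 in $3 -> ${actual:-<no answer>} (expected $4)" >&2
    return 1
}

# verify_read_user -> returns the number of mismatches (0 = Role is as narrow as intended).
# Two things the Role should guarantee: only get/list on pods, and only inside
# prometheus-operator (a Role, unlike a ClusterRole, never reaches other namespaces).
verify_read_user() {
    failures=0
    check get    pods     prometheus-operator yes || failures=$((failures + 1))
    check list   pods     prometheus-operator yes || failures=$((failures + 1))
    check delete pods     prometheus-operator no  || failures=$((failures + 1))
    check list   services prometheus-operator no  || failures=$((failures + 1))
    check get    secrets  prometheus-operator no  || failures=$((failures + 1))
    check list   pods     default             no  || failures=$((failures + 1))
    return "$failures"
}

# Source this file in a shell and run: verify_read_user
```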
Conclusion
RBAC is one of the authorization methods in Kubernetes, so knowing about Role and RoleBinding is important for anyone who works with Kubernetes or is interested in it. If you are preparing for the CKA certification, you might face questions related to RBAC.