1.21 Kubernetes RBAC Definition
Kubernetes RBAC defines role-based access control, enabling fine-grained permissions management within containerized environments.
Kubernetes RBAC Definition is the precise characterization of Role-Based Access Control as an authorization model built from two paired kinds of objects, Roles that enumerate permitted actions on resources and Bindings that attach those permissions to specific identities, defined so that no permission takes effect until both halves, the role and its binding, exist together.
Roles Defined as Permission Sets
Verbs Against Resources
A Role is defined as a list of rules, each specifying a set of API groups, resources, and verbs, describing what actions, such as get, list, create, or delete, are permitted against which resource types; a Role by itself grants nothing until it is bound to an identity.
Namespace Scope vs. Cluster Scope
A Role is defined as namespaced, granting permissions only within the single namespace it belongs to, while a ClusterRole is defined without namespace scope, capable of granting permissions across the whole cluster or against cluster-scoped resources.
Bindings Defined as the Activating Mechanism
Connecting Identity to Permission
A RoleBinding or ClusterRoleBinding is defined as the object that associates a Role or ClusterRole with one or more subjects, such as users, groups, or service accounts; permission is defined to exist only for the combination of a role and an active binding, never for a role alone.
RoleBinding Can Reference a ClusterRole
A RoleBinding is defined such that it can reference either a Role or a ClusterRole, in the latter case scoping the otherwise cluster-wide permissions of that ClusterRole down to just the namespace the RoleBinding exists in, a pattern used to reuse a single ClusterRole definition across many namespaces.
Additive Evaluation as a Defining Rule
No Explicit Deny
RBAC is defined around purely additive evaluation: permissions granted by different roles and bindings accumulate, and there is no mechanism within RBAC itself for an explicit deny rule to override a grant made elsewhere.
Absence Means No Access
Because evaluation is additive only, the definition implies that any action not explicitly granted by some applicable role and binding is denied by default, making omission, not explicit denial, the mechanism by which access is withheld.
What RBAC Definition Does Not Cover
Not Authentication
RBAC is defined strictly as an authorization mechanism, operating only after an identity has already been established through authentication; it plays no role in verifying who a requester is, only in deciding what an already-identified requester may do.
Not the Only Authorization Mechanism
While RBAC is the predominant authorization mode, Kubernetes's authorization model is defined to support other mechanisms as well, meaning RBAC should be understood as one specific, widely used implementation of the broader authorization step rather than as authorization itself.