Cluster Role and Bindings

Cluster roles define permissions on resources across all namespaces and on cluster-scoped resources; they can also be used to grant access to namespaced resources. This involves creating roles of kind ClusterRole and bindings of kind ClusterRoleBinding.

The following is a simple example of a ClusterRole that grants access to cluster nodes. Note that, despite the name node-reader-role, the verbs include create and delete as well as the read-only get, list and watch.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader-role
rules:
  - apiGroups:
      - ""
    resources:
      - "nodes"
    verbs:
      - "create"
      - "list"
      - "delete"
      - "watch"
      - "get"

The following is the ClusterRoleBinding for the node reader role.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-reader-rolebinding
subjects:
  - kind: ServiceAccount
    name: node-admin
    namespace: learning
roleRef:
  name: node-reader-role
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io

And the service account is as follows.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: node-admin
  namespace: learning

So the service account node-admin can perform these operations on nodes. We can verify this with the following command (here k is an alias for kubectl):

➤ k auth can-i list node --as "system:serviceaccount:learning:node-admin"
Warning: resource 'nodes' is not namespace scoped

yes

It shows a warning because we are running the check from the learning namespace (the service account's namespace) while nodes are a cluster-scoped resource; the answer is still yes because the ClusterRoleBinding applies cluster-wide.
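The following is an added example, not code from the original page: it models offline how the API server evaluates the ClusterRole and ClusterRoleBinding above for the service account (the same question `kubectl auth can-i` asks), and adds a least-privilege check that flags the mutating verbs in the "reader" role. The manifests are the page's own objects written as Python dicts; the helper names are assumptions.

```python
# Added example, not from the original page: an offline model of how the API
# server evaluates the page's ClusterRole + ClusterRoleBinding for a subject,
# mirroring `kubectl auth can-i`, plus a least-privilege check on the role.

CLUSTER_ROLE = {
    "metadata": {"name": "node-reader-role"},
    "rules": [{"apiGroups": [""], "resources": ["nodes"],
               "verbs": ["create", "list", "delete", "watch", "get"]}],
}
CLUSTER_ROLE_BINDING = {
    "metadata": {"name": "node-reader-rolebinding"},
    "subjects": [{"kind": "ServiceAccount", "name": "node-admin",
                  "namespace": "learning"}],
    "roleRef": {"kind": "ClusterRole", "name": "node-reader-role",
                "apiGroup": "rbac.authorization.k8s.io"},
}
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

def subject_name(subject):
    """Username the API server assigns to a binding subject."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["name"]

def rule_allows(rule, api_group, resource, verb):
    """A rule matches when group, resource and verb all match ('*' is a wildcard)."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))

def can_i(user, verb, resource, api_group="",
          roles=(CLUSTER_ROLE,), bindings=(CLUSTER_ROLE_BINDING,)):
    """True if a ClusterRoleBinding for `user` references a role with a matching rule."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    for binding in bindings:
        if user not in {subject_name(s) for s in binding["subjects"]}:
            continue
        role = roles_by_name.get(binding["roleRef"]["name"])
        if role and any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False

def excess_verbs(role):
    """Mutating verbs granted by a role whose name claims read-only access."""
    if "reader" not in role["metadata"]["name"]:
        return set()
    return {v for rule in role["rules"] for v in rule["verbs"]} & MUTATING_VERBS
```

Calling `can_i("system:serviceaccount:learning:node-admin", "list", "nodes")` returns True, matching the `yes` above, while `excess_verbs(CLUSTER_ROLE)` returns `{"create", "delete"}`, the verbs a node reader should not need.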