What is RBAC in Kubernetes?

Daniel Chernenkov
4 min readNov 8, 2019

RBAC stands for Role-Based Access Control. It is an approach that is used for restricting access to users and applications on the system/network. RBAC is used by Kubernetes for authorization, for example giving access to a user, adding/removing permissions and setting up rules, etc. So basically, it adds security to a Kubernetes cluster. RBAC in Kubernetes is the way that you restrict who can access what within the cluster.


Let’s see why you’re interested in Access Control. Well obviously, you have multiple people on your teams and they’re accessing your Kubernetes cluster. Each of them needs to have some amount of security from one another. There could be cases, where a member in your team is interfering with the other members, work accidentally, for example, one developer might accidentally delete someone else’s work or gain visibility into a secret project that’s being developed. In such cases, having Role-Based Access Control is mandatory.

When you think about the differences between developers and operators cluster administrators, it becomes even more clear that there are different capabilities that they need to be associated with different types of roles within a Kubernetes cluster. That is where the notion of RBAC or Role-Based Access Control comes into play.

RBAC schema model

RBAC got introduced from Kubernetes 1.8, it uses rbac.authorization.k8s.io API group for creating authorization policies. To enable RBAC manually for a Kubernetes cluster you need to start the cluster with the flag — authorization-mode=RBAC

By default, RBAC is enabled in Kubernetes. RBAC in Kubernetes infrastructure is implemented through Role, ClusterRole, RoleBinding, and ClusterRoleBinding. Let me tell you what they are with examples.


Role in Kubernetes Role-Based Access Control defines a notion of a verb like get or list and a set of nouns like pod volumes etc. So, a role defines what you can do to a set of resources. It contains a set of rules which define a set of permission.

I encourage people to check out all the different roles that are predefined inside of Kubernetes. There’s a lot of them that can give you an idea and you can even use to build up your own sort of access control and take a deep look into…

Daniel Chernenkov

Experienced software R&D exec delivering innovative products to millions worldwide. CTO at Iturintel / ex-CTO at RapidAPI