Last repository update 9/13/2025 🎉

Cluster Role

Usage and Concept of Cluster Role

Reference 

A ClusterRole works like a Role, but it is not namespaced: bound through a ClusterRoleBinding, its permissions apply across the whole cluster (bound through a RoleBinding instead, the same ClusterRole is limited to that one namespace). Cluster roles are used to grant permissions to:

  • cluster-scoped resources (like nodes, namespaces, etc.)
  • non-resource endpoints (like /healthz, /version, etc.)
  • namespaced resources (like pods, services, etc.) across all namespaces
    • For example, you can create a cluster role to grant access to all pods in all namespaces.
```bash
# list cluster-scoped (non-namespaced) resources
kubectl api-resources --namespaced=false
# -o wide adds the VERBS column, which tells you which verbs a rule can use
kubectl api-resources --namespaced=false --sort-by name -o wide
```
| NAME | APIVERSION | KIND |
|---|---|---|
| componentstatuses | v1 | ComponentStatus |
| namespaces | v1 | Namespace |
| nodes | v1 | Node |
| persistentvolumes | v1 | PersistentVolume |
| mutatingwebhookconfigurations | admissionregistration.k8s.io/v1 | MutatingWebhookConfiguration |
| validatingadmissionpolicies | admissionregistration.k8s.io/v1 | ValidatingAdmissionPolicy |
| validatingadmissionpolicybindings | admissionregistration.k8s.io/v1 | ValidatingAdmissionPolicyBinding |
| validatingwebhookconfigurations | admissionregistration.k8s.io/v1 | ValidatingWebhookConfiguration |
| customresourcedefinitions | apiextensions.k8s.io/v1 | CustomResourceDefinition |
| apiservices | apiregistration.k8s.io/v1 | APIService |
| selfsubjectreviews | authentication.k8s.io/v1 | SelfSubjectReview |
| tokenreviews | authentication.k8s.io/v1 | TokenReview |
| selfsubjectaccessreviews | authorization.k8s.io/v1 | SelfSubjectAccessReview |
| selfsubjectrulesreviews | authorization.k8s.io/v1 | SelfSubjectRulesReview |
| subjectaccessreviews | authorization.k8s.io/v1 | SubjectAccessReview |
| certificatesigningrequests | certificates.k8s.io/v1 | CertificateSigningRequest |
| flowschemas | flowcontrol.apiserver.k8s.io/v1 | FlowSchema |
| prioritylevelconfigurations | flowcontrol.apiserver.k8s.io/v1 | PriorityLevelConfiguration |
| ingressclasses | networking.k8s.io/v1 | IngressClass |
| runtimeclasses | node.k8s.io/v1 | RuntimeClass |
| clusterrolebindings | rbac.authorization.k8s.io/v1 | ClusterRoleBinding |
| clusterroles | rbac.authorization.k8s.io/v1 | ClusterRole |
| priorityclasses | scheduling.k8s.io/v1 | PriorityClass |
| csidrivers | storage.k8s.io/v1 | CSIDriver |
| csinodes | storage.k8s.io/v1 | CSINode |
| storageclasses | storage.k8s.io/v1 | StorageClass |
| volumeattachments | storage.k8s.io/v1 | VolumeAttachment |

From the table above, clusterroles and clusterrolebindings are themselves cluster-scoped, so no namespace is specified when creating them.

Step 1: Create a Cluster Role

Use the following command to see which verbs each resource supports (the VERBS column):

```bash
kubectl api-resources --namespaced=false --sort-by name -o wide
```
clusterrole.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: admin-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]            # use "*" to allow all resources
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["secrets"]          # namespaced resources are accepted as well
  verbs: ["get", "list", "watch"] # use "*" to allow all verbs
- nonResourceURLs: ["/healthz", "/logs/*"]
  verbs: ["get"]
```
  • apiGroups - The API group of the resource: the part of APIVERSION before the `/` in the table above. Core resources such as nodes and secrets have APIVERSION `v1` with no group, which is written as `""`.
  • resources: ["secrets"] - Namespaced resources are allowed in a ClusterRole. Bound through a ClusterRoleBinding, this rule grants read access to every secret in every namespace, including any service-account token secrets, so treat it as a near-cluster-admin grant and prefer a Role plus RoleBinding unless cluster-wide access is genuinely required.
```bash
# kubectl create clusterrole applies one verb list to every resource it is given,
# so rules with different verbs (get/list/watch on resources, get only on the
# non-resource URLs) cannot be mixed in a single command, and re-running it with
# the same name fails with "already exists". Use the manifest for mixed rules:
kubectl apply -f clusterrole.yaml
# The imperative form works when all rules of a role share the same verbs:
kubectl create clusterrole node-secret-reader --verb=get,list,watch --resource=nodes,secrets
kubectl create clusterrole healthz-reader --verb=get --non-resource-url='/healthz,/logs/*'
kubectl get clusterroles
```

Step 2: Create a Cluster Role Binding

Link the role to a user, group or service account.

rolebinding.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-binding
subjects: # users, groups, or service accounts
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin-reader # cluster role name
```
```bash
# the flag is --clusterrole (there is no --role on clusterrolebinding)
kubectl create clusterrolebinding admin-binding --clusterrole=admin-reader --group=manager
kubectl get clusterrolebinding
```
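To see exactly what the two manifests above grant before applying them, the following added example (not code from this page or from Kubernetes) re-implements the matching logic the RBAC authorizer applies to a request: exact match, the `*` wildcard, `*/subresource` resource patterns, and trailing-`*` prefix matching for nonResourceURLs, then resolves a user through the binding to the role. `ADMIN_READER_RULES` and `ADMIN_BINDING` are the page's manifests transcribed into Python; the users, groups and requests it is run with are constructed for illustration.

```python
"""Offline check of what the admin-reader ClusterRole grants.

Added example; not code from the page or from Kubernetes. It mirrors the
RBAC authorizer's rule matching so a manifest can be reasoned about offline.
"""
from dataclasses import dataclass
from typing import Optional

# The page's admin-reader ClusterRole, transcribed rule for rule.
ADMIN_READER_RULES = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
    {"nonResourceURLs": ["/healthz", "/logs/*"], "verbs": ["get"]},
]
# The page's admin-binding ClusterRoleBinding: group "manager" -> admin-reader.
ADMIN_BINDING = {
    "subjects": [{"kind": "Group", "name": "manager"}],
    "roleRef": "admin-reader",
}
CLUSTER_ROLES = {"admin-reader": ADMIN_READER_RULES}


@dataclass
class Request:
    verb: str
    api_group: str = ""              # "" is the core group (nodes, secrets, pods)
    resource: str = ""               # "secrets" or "pods/log" (resource/subresource)
    namespace: Optional[str] = None  # None for cluster-scoped resources
    non_resource_url: str = ""       # set instead of resource, e.g. "/healthz"


def _verb_matches(rule, verb):
    verbs = rule.get("verbs", [])
    return "*" in verbs or verb in verbs


def _group_matches(rule, group):
    groups = rule.get("apiGroups", [])
    return "*" in groups or group in groups


def _resource_matches(rule, resource):
    for pattern in rule.get("resources", []):
        if pattern == "*" or pattern == resource:
            return True
        # "*/status" grants the status subresource of every resource
        if pattern.startswith("*/") and "/" in resource:
            if resource.split("/", 1)[1] == pattern[2:]:
                return True
    return False


def _non_resource_url_matches(rule, url):
    for pattern in rule.get("nonResourceURLs", []):
        if pattern == "*" or pattern == url:
            return True
        # "/logs/*" is a prefix match on "/logs/"
        if pattern.endswith("*") and url.startswith(pattern.rstrip("*")):
            return True
    return False


def rule_allows(rule, req: Request) -> bool:
    """A single PolicyRule either covers the whole request or nothing."""
    if not _verb_matches(rule, req.verb):
        return False
    if req.non_resource_url:
        return _non_resource_url_matches(rule, req.non_resource_url)
    return _group_matches(rule, req.api_group) and _resource_matches(rule, req.resource)


def cluster_role_allows(rules, req: Request) -> bool:
    """Rules are additive: any matching rule allows, nothing ever denies.
    req.namespace is ignored on purpose: bound through a ClusterRoleBinding the
    rules apply in every namespace (a RoleBinding would pin them to one)."""
    return any(rule_allows(rule, req) for rule in rules)


def subject_matches(subject, user: str, groups) -> bool:
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        # service accounts authenticate as system:serviceaccount:<ns>:<name>
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def allowed(user: str, groups, req: Request,
            bindings=(ADMIN_BINDING,), roles=CLUSTER_ROLES) -> bool:
    """Resolve bindings -> cluster role -> rules for a user, as the authorizer does."""
    for binding in bindings:
        if any(subject_matches(s, user, groups) for s in binding["subjects"]):
            if cluster_role_allows(roles[binding["roleRef"]], req):
                return True
    return False


if __name__ == "__main__":
    # constructed user "bob" in group "manager"; secrets readable in *every* namespace
    for ns in ("default", "kube-system"):
        print(ns, allowed("bob", ["manager"], Request("get", "", "secrets", ns)))      # True
    print(allowed("bob", ["manager"], Request("delete", "", "secrets", "default")))     # False
    print(allowed("bob", ["manager"], Request("get", non_resource_url="/logs/kubelet.log")))  # True
    print(allowed("alice", ["dev"], Request("get", "", "nodes")))                       # False
```

Against a live cluster the same questions are answered by impersonation, for example `kubectl auth can-i get secrets -A --as=bob --as-group=manager` and `kubectl auth can-i get /healthz --as=bob --as-group=manager`; the offline matcher is useful for reviewing manifests in CI before they reach a cluster.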