K9s Role-Based Access Control (RBAC)

The cluster is alive with traffic. Pods spin up and down in seconds, services shift, permissions tighten and loosen. You are in the middle of it, running K9s, but one fact hits hard: without Role-Based Access Control (RBAC), this view can become a security hole.

K9s Role-Based Access Control (RBAC) is not an optional feature. It is the line between operational clarity and uncontrolled access. RBAC works by binding Kubernetes Roles and ClusterRoles to specific service accounts. K9s is a client of the Kubernetes API and acts with the credentials in its kubeconfig, so it respects Kubernetes permissions exactly. If an account has read-only access to a namespace, K9s will only show what the role allows. If the role has pod delete permissions, K9s will let that action happen.

To configure K9s RBAC, start in Kubernetes.

  1. Create a Role or ClusterRole that defines allowed API actions—get, list, watch, create, delete.
  2. Bind the role to a service account using a RoleBinding or ClusterRoleBinding.
  3. Generate a kubeconfig that points to that service account's credentials.
  4. Open K9s with that kubeconfig.

K9s will use the exact restrictions set in Kubernetes. This ensures that operators cannot bypass RBAC rules in the tool. Logs, exec shells, and resource edits all require explicit permissions in the RBAC policy.
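
The four steps above as one shell script, with the log and exec checks from the previous paragraph at the end. This is an added example, not code from K9s or from this page's author. The namespace and service account arguments, the "-readonly" Role name and the file paths are assumptions, as are kubectl 1.24 or later (for "kubectl create token") and an admin kubeconfig that embeds the cluster CA.

```shell
#!/usr/bin/env bash
# Added example: namespace-scoped, read-only K9s access for one service account.
# Names and paths are constructed placeholders, not values from the page.

# Steps 1-2: Role (read pods and their logs only) plus RoleBinding.
render_rbac() {  # usage: render_rbac <namespace> <serviceaccount>
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: $2, namespace: $1}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: $2-readonly, namespace: $1}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: $2-readonly, namespace: $1}
subjects:
- {kind: ServiceAccount, name: $2, namespace: $1}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: $2-readonly}
EOF
}

# Steps 3-4: kubeconfig holding a short-lived token for that account, then K9s.
setup_k9s_viewer() {  # usage: setup_k9s_viewer <namespace> <serviceaccount>
  local ns=$1 sa=$2 cfg="./$2.kubeconfig" ca="./$2-ca.crt" server token
  render_rbac "$ns" "$sa" | kubectl apply -f - || return 1
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  kubectl config view --minify --raw \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > "$ca"
  token=$(kubectl -n "$ns" create token "$sa" --duration=1h) || return 1
  kubectl --kubeconfig "$cfg" config set-cluster target --server="$server" \
    --certificate-authority="$ca" --embed-certs=true
  kubectl --kubeconfig "$cfg" config set-credentials "$sa" --token="$token"
  kubectl --kubeconfig "$cfg" config set-context k9s --cluster=target --user="$sa" --namespace="$ns"
  kubectl --kubeconfig "$cfg" config use-context k9s
  chmod 600 "$cfg"
  # Verify as the service account itself. Expected answers: yes, no, no.
  kubectl --kubeconfig "$cfg" auth can-i list pods -n "$ns"
  kubectl --kubeconfig "$cfg" auth can-i delete pods -n "$ns"
  kubectl --kubeconfig "$cfg" auth can-i create pods --subresource=exec -n "$ns"
  echo "run: k9s --kubeconfig $cfg -n $ns"
}
```

With this Role, the pod list and log view in K9s work, while delete and shell are rejected by the API server as forbidden. Once the one-hour token expires, a new one has to be issued with "kubectl create token".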

Proper RBAC in K9s improves auditability. All actions match the Kubernetes API server logs. Every denied command in K9s is not a bug—it is RBAC doing its job. When designing these roles, lean toward least privilege first, then grant more power only if required.

Common pitfalls include:

  • Forgetting to bind roles to the correct namespace.
  • Giving ClusterRole permissions when namespace-specific Role permissions would be safer.
  • Not rotating service account tokens, which can undermine RBAC if leaked.

A tight K9s RBAC setup scales across teams. Developers can inspect only their resources, ops can manage clusters without exposing sensitive namespaces, and managers can trust that no one operates outside policy.

Set it up, lock it down, and see it work without delay. Try K9s Role-Based Access Control live with hoop.dev, and get your secure, fully functional setup running in minutes.