Kubectl RBAC: Controlling Access and Protecting Your Kubernetes Cluster

This is the moment you understand the power of kubectl and RBAC.

Role-Based Access Control (RBAC) is the authorization model in Kubernetes that governs who can do what to which resources. It applies to every client of the API server, and kubectl is the client most people type into, so RBAC is what draws the line between a safe command and a destructive one. Without it, a single mistyped command can take down production. With it, every user, group and service account gets only the permissions it needs, nothing more.

What Kubectl RBAC Does

kubectl is your interface to the Kubernetes API. RBAC is enforced server-side; kubectl itself never makes the decision. When you run any kubectl command, the API server authenticates you and then checks the request (verb, resource, API group and namespace) against the RBAC objects it holds:

  • Roles and ClusterRoles: sets of permissions. Each rule names API groups, resources and verbs (get, list, watch, create, update, patch, delete, ...). A Role is namespaced; a ClusterRole is cluster-wide and can also cover cluster-scoped resources such as nodes.
  • RoleBindings and ClusterRoleBindings: attach a Role or ClusterRole to subjects. A RoleBinding grants only inside its own namespace, even when it references a ClusterRole; a ClusterRoleBinding grants across the whole cluster.
  • Subjects: the users, groups, or service accounts named in a binding.

RBAC is additive and has no deny rules: a request is allowed if any binding that covers you references a role with a matching rule, and forbidden otherwise (the API server answers HTTP 403 and kubectl prints Forbidden). This default deny is intentional; it is protection baked into the platform. It only applies when the API server's --authorization-mode includes RBAC, which kubeadm and the major managed offerings enable by default.

Defining Kubectl RBAC Rules

You can create a role in YAML that controls specific resources. Example:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

Then bind that role to a user:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: dev
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Apply both with kubectl apply -f <file>. The RoleBinding must live in the same namespace as the Role it references (dev here), and the RBAC authorizer picks the objects up as soon as they are stored; there is no restart or propagation step. The result is that dev-user can read, list and watch pods in dev and nothing else.
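To see the decision the API server makes for the Role and RoleBinding above, and why a request with no matching rule is forbidden, here is an added example in Python. It is not hoop.dev's or Kubernetes' own code; it models the RBAC authorizer's rules (permissions are additive, there are no deny rules, a RoleBinding grants only in its own namespace, anything nobody allows is denied). The page's two manifests are transcribed as dicts; the wildcard ClusterRole "ops-everything", the group "ops-admins" and the user "alice" are constructed for contrast. It ignores resourceNames, nonResourceURLs and ClusterRole aggregation.

```python
"""Model of the API server's RBAC decision, replaying the page's manifests.
Added example, not hoop.dev's or Kubernetes' code. Ignores resourceNames,
nonResourceURLs and aggregated ClusterRoles."""
from dataclasses import dataclass

# The page's Role and RoleBinding, transcribed from the YAML above into dicts.
POD_READER_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "dev", "name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}
READ_PODS_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "dev"},
    "subjects": [{"kind": "User", "name": "dev-user", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}
# Constructed for contrast (assumption, not on the page): a wildcard ClusterRole
# bound cluster-wide to a group named "ops-admins".
WILDCARD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "ops-everything"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
OPS_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "ops-admins"},
    "subjects": [{"kind": "Group", "name": "ops-admins", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "ClusterRole", "name": "ops-everything", "apiGroup": "rbac.authorization.k8s.io"},
}
ROLES, BINDINGS = [POD_READER_ROLE, WILDCARD_ROLE], [READ_PODS_BINDING, OPS_BINDING]


@dataclass(frozen=True)
class Request:  # the attributes the authorizer sees after authentication
    user: str
    groups: tuple          # e.g. ("system:authenticated",)
    verb: str
    resource: str
    api_group: str = ""    # "" is the core API group (pods, secrets, ...)
    namespace: str = ""    # "" means a cluster-scoped request


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, req):
    return (_matches(rule.get("apiGroups", []), req.api_group)
            and _matches(rule.get("resources", []), req.resource)
            and _matches(rule.get("verbs", []), req.verb))


def binding_covers(binding, req):
    """Does a subject of the binding name this user, one of its groups, or its service account?"""
    for s in binding["subjects"]:
        if s["kind"] == "User" and s["name"] == req.user:
            return True
        if s["kind"] == "Group" and s["name"] in req.groups:
            return True
        if s["kind"] == "ServiceAccount" and req.user == f"system:serviceaccount:{s['namespace']}:{s['name']}":
            return True
    return False


def resolve_role(binding, roles):
    """A RoleBinding may reference a Role in its own namespace or a ClusterRole; a
    ClusterRoleBinding may only reference a ClusterRole. Anything else resolves to nothing."""
    ref = binding["roleRef"]
    for role in roles:
        if role["kind"] != ref["kind"] or role["metadata"]["name"] != ref["name"]:
            continue
        if role["kind"] == "Role" and (binding["kind"] != "RoleBinding"
                                       or role["metadata"]["namespace"] != binding["metadata"]["namespace"]):
            continue
        return role
    return None


def authorize(req, roles=ROLES, bindings=BINDINGS):
    """Return (allowed, reason). The first matching rule allows; no match at all means forbidden."""
    for b in bindings:
        if not binding_covers(b, req):
            continue
        # A RoleBinding grants only inside its namespace, even when it references a ClusterRole.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != req.namespace:
            continue
        role = resolve_role(b, roles)
        if role is None:
            continue  # dangling roleRef grants nothing
        for rule in role["rules"]:
            if rule_allows(rule, req):
                return True, f"{b['kind']}/{b['metadata']['name']} -> {role['kind']}/{role['metadata']['name']}"
    return False, "no RBAC rule grants this request (default deny)"


def wildcard_roles(roles=ROLES):
    """Audit helper: names of roles with '*' in verbs or resources, the first thing to review."""
    return sorted({r["metadata"]["name"] for r in roles for rule in r["rules"]
                   if "*" in rule.get("verbs", []) or "*" in rule.get("resources", [])})


if __name__ == "__main__":
    for req in (Request("dev-user", (), "get", "pods", namespace="dev"),
                Request("dev-user", (), "delete", "pods", namespace="dev"),
                Request("dev-user", (), "get", "pods", namespace="prod"),
                Request("alice", ("ops-admins",), "delete", "nodes")):
        allowed, why = authorize(req)
        print(f"{req.user:8} {req.verb:6} {req.resource:5} ns={req.namespace or '-':4} {'ALLOW' if allowed else 'DENY'}: {why}")
    print("wildcard roles to review:", wildcard_roles())
```

Run it and dev-user gets pods in dev allowed, while delete in dev, get in prod and anything outside the rule come back forbidden; the wildcard ClusterRole is what the audit helper flags, which is exactly the pattern a least-privilege review should hunt for.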

Best Practices for Kubectl RBAC

  • Use least privilege: grant only the verbs and resources a task needs, avoid "*" wildcards, and treat any binding to cluster-admin as an exception that needs a written justification.
  • Separate environments with namespaces, and prefer namespaced Roles and RoleBindings over cluster-wide grants.
  • Audit RBAC policies with kubectl get roles,rolebindings,clusterroles,clusterrolebindings --all-namespaces -o yaml, and look for wildcard rules, bindings to cluster-admin, and bindings whose subjects include the system:authenticated or system:unauthenticated groups.
  • Rotate service account tokens (prefer short-lived projected tokens from the TokenRequest API over long-lived token Secrets) and remove unused bindings.
  • Test permissions with kubectl auth can-i <verb> <resource> --namespace=<ns>. Add --as=<user> or --as-group=<group> to check what another identity can do (impersonation itself needs the impersonate verb), and kubectl auth can-i --list to dump everything a subject is allowed to do.

Why It Matters

In production, RBAC is the difference between controlled access and accidental disaster. With granular control, you define the safety perimeter. With correct rules, you can delegate tasks without fear of unauthorized actions.

Control your cluster. Protect your workloads.
See Kubectl RBAC in action with hoop.dev — connect, configure, and enforce RBAC in minutes.