RBAC and Access Control (least privilege)

Implement least-privilege RBAC for humans and workloads, and debug access errors quickly with kubectl auth can-i.

RBAC Operator Rules

  • Prefer namespace-scoped Roles for apps; use a ClusterRole only when the workload genuinely needs cluster-wide access.
  • Bind to ServiceAccounts; never embed user tokens in application code or images.
  • Use kubectl auth can-i for fast permission debugging.

Inspect RBAC

kubectl -n <ns> get sa
kubectl -n <ns> get role,rolebinding
kubectl get clusterrole,clusterrolebinding | head -50

Permission Debugging

kubectl auth can-i get pods -n <ns>
kubectl auth can-i create deployments.apps -n <ns>

# impersonate a specific ServiceAccount to check what the workload itself is allowed to do
kubectl auth can-i get secrets -n <ns> --as=system:serviceaccount:<ns>:<sa>

Failure Modes

  • Over-broad bindings (e.g. a ClusterRoleBinding to cluster-admin) → high blast radius if the subject is compromised.
  • Under-permissioned workloads → crash loops caused by Forbidden errors from the API server.
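An added example, not part of this page: a small audit that reads the JSON form of the inspect commands above (kubectl get ... -o json) and flags the first failure mode, wildcard rules and cluster-wide bindings to cluster-admin. The embedded sample objects are constructed for the example, not taken from a real cluster.

```python
import json
import sys

# Constructed sample shaped like `kubectl get clusterrole,clusterrolebinding,rolebinding -A -o json`; made up, not from a real cluster.
SAMPLE = json.loads("""
{"kind":"List","items":[
 {"kind":"ClusterRole","metadata":{"name":"cluster-admin"},
  "rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},
 {"kind":"ClusterRole","metadata":{"name":"secrets-anything"},
  "rules":[{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"ci-admin"},
  "roleRef":{"kind":"ClusterRole","name":"cluster-admin"},
  "subjects":[{"kind":"ServiceAccount","name":"ci","namespace":"build"}]},
 {"kind":"RoleBinding","metadata":{"name":"web-reader","namespace":"web"},
  "roleRef":{"kind":"Role","name":"pod-reader"},
  "subjects":[{"kind":"ServiceAccount","name":"web","namespace":"web"}]}
]}
""")
BUILTIN_ADMIN = {"cluster-admin"}  # wildcard by design; binding to it is the finding

def has_wildcard(role):
    """True if any rule of a Role/ClusterRole grants '*' verbs or '*' resources."""
    return any("*" in r.get("verbs", []) or "*" in r.get("resources", [])
               for r in role.get("rules", []))

def subject_str(s):
    """Render a binding subject as kind/namespace/name (namespace only for ServiceAccounts)."""
    ns = s.get("namespace")
    return f"{s['kind']}/{ns}/{s['name']}" if ns else f"{s['kind']}/{s['name']}"

def audit(doc):
    """Return (severity, message) findings for the RBAC objects in a kubectl List."""
    findings = []
    for obj in doc.get("items", []):
        kind, name = obj["kind"], obj["metadata"]["name"]
        if kind in ("Role", "ClusterRole") and name not in BUILTIN_ADMIN and has_wildcard(obj):
            findings.append(("medium", f"{kind}/{name} grants wildcard verbs or resources"))
        # A cluster-wide binding to cluster-admin is the highest blast radius listed on this page.
        if kind == "ClusterRoleBinding" and obj["roleRef"]["name"] in BUILTIN_ADMIN:
            for s in obj.get("subjects", []):
                findings.append(("high", f"{kind}/{name} binds {subject_str(s)} to cluster-admin"))
    return findings

if __name__ == "__main__":
    # Pass `-` to read kubectl JSON from stdin; with no argument the constructed SAMPLE is audited.
    data = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE
    for severity, msg in audit(data):
        print(f"[{severity}] {msg}")
```

The namespace-scoped RoleBinding in the sample produces no finding, which is the shape the operator rules above recommend.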