ClusterRole and ClusterRoleBinding

ClusterRole and ClusterRoleBinding work much like Role and RoleBinding. Where a Role and RoleBinding are scoped to a single namespace, a ClusterRole and ClusterRoleBinding grant access cluster-wide. A ClusterRole can therefore cover resources across all namespaces, non-namespaced resources (such as nodes and namespaces themselves), and non-resource endpoints (such as /healthz), and a ClusterRoleBinding binds users or service accounts to that role.

We can also bind a service account with ClusterRole. As a service account is namespaced, we'll have to specify its full name, which includes the namespace it's created in:

system:serviceaccount:<namespace>:<serviceaccountname>

The following is an example of a ClusterRole and a ClusterRoleBinding. The role grants every verb on a broad set of resources, such as deployments, replicasets, ingresses, pods, and services, but limits namespaces and events to read-only verbs (get, list, watch):

# cat serviceaccount_clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cd-role
rules:
# "extensions" only serves these kinds on clusters older than v1.16; current
# clusters serve deployments/replicasets from "apps" and ingresses from
# "networking.k8s.io", so all three groups are listed.
- apiGroups: ["extensions", "apps", "networking.k8s.io"]
  resources:
  - deployments
  - replicasets
  - ingresses
  verbs: ["*"]
- apiGroups: [""]
  resources:
  - namespaces
  - events
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources:
  - pods
  - services
  - secrets
  - replicationcontrollers
  - persistentvolumeclaims
  verbs: ["*"]
# jobs and cronjobs are served by the "batch" API group, not the core group;
# listing them under apiGroups [""] would grant nothing.
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cd-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cd-role
subjects:
# A service account can be bound by the username it authenticates as
# (kind: User, as here) or directly with kind: ServiceAccount plus a
# namespace field; both refer to the same identity.
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:serviceaccount:default:chapter8-serviceaccount

Note the [""] in apiGroups; this denotes the core API group in Kubernetes. To see the full list of resources and verbs, check out the Kubernetes API reference site: https://kubernetes.io/docs/reference/.

In this case, we create a cd-role, which is the role for performing continuous deployment. Also, we create a ClusterRoleBinding to associate the service account chapter8-serviceaccount with cd-role.
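Before binding a role this broad, it is worth checking exactly what it allows. The evaluator below is an added example, not code from the book or from Kubernetes; it re-implements the additive matching the API server applies to PolicyRules (wildcard `*`, the core group spelled `""`, and the namespace scope that differs between a RoleBinding and a ClusterRoleBinding). The rule list is a constructed copy of cd-role with jobs and cronjobs under the batch group where the API server serves them, and the helper names (role_allows, binding_grants, service_account_user) and the RoleBinding used for comparison are this example's own assumptions.

```python
"""Offline audit of a Kubernetes ClusterRole (added example, not page code)."""

CORE_GROUP = ""  # the core API group is written as "" in apiGroups

# Constructed copy of the cd-role rules; jobs/cronjobs live in "batch".
CD_ROLE_RULES = [
    {"apiGroups": ["extensions", "apps", "networking.k8s.io"],
     "resources": ["deployments", "replicasets", "ingresses"],
     "verbs": ["*"]},
    {"apiGroups": [CORE_GROUP],
     "resources": ["namespaces", "events"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [CORE_GROUP],
     "resources": ["pods", "services", "secrets", "replicationcontrollers",
                   "persistentvolumeclaims"],
     "verbs": ["*"]},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]},
]

# Constructed bindings: the page's ClusterRoleBinding and, for comparison,
# a hypothetical RoleBinding that would pin the same role to one namespace.
CLUSTER_BINDING = {"kind": "ClusterRoleBinding", "name": "cd-role-binding",
                   "namespace": None}
NAMESPACED_BINDING = {"kind": "RoleBinding", "name": "cd-role-binding",
                      "namespace": "default"}


def _matches(wanted, allowed):
    """An entry matches when it equals the request or is the wildcard '*'."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if a single PolicyRule grants VERB on RESOURCE in API_GROUP."""
    return (_matches(api_group, rule["apiGroups"])
            and _matches(resource, rule["resources"])
            and _matches(verb, rule["verbs"]))


def role_allows(rules, api_group, resource, verb):
    """RBAC is purely additive: one matching rule is enough, nothing denies."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def binding_grants(binding, rules, request_ns, api_group, resource, verb):
    """Apply binding scope: a ClusterRoleBinding grants the role's rules in
    every namespace; a RoleBinding only inside its own namespace."""
    if binding["kind"] == "RoleBinding" and binding["namespace"] != request_ns:
        return False
    return role_allows(rules, api_group, resource, verb)


def service_account_user(namespace, name):
    """Username a service account authenticates as (format given on the page)."""
    return f"system:serviceaccount:{namespace}:{name}"


def audit(binding, rules, requests):
    """Map each (namespace, group, resource, verb) request to allowed/denied."""
    return {req: binding_grants(binding, rules, *req) for req in requests}


if __name__ == "__main__":
    subject = service_account_user("default", "chapter8-serviceaccount")
    checks = [
        ("default", "apps", "deployments", "delete"),
        ("default", CORE_GROUP, "namespaces", "get"),
        ("default", CORE_GROUP, "namespaces", "delete"),
        ("kube-system", CORE_GROUP, "secrets", "list"),   # cluster-wide reach
        ("default", "batch", "jobs", "create"),
        ("default", CORE_GROUP, "jobs", "create"),        # wrong group: denied
    ]
    for binding in (CLUSTER_BINDING, NAMESPACED_BINDING):
        print(f"== {binding['kind']} as {subject}")
        for (ns, grp, res, verb), ok in audit(binding, rules := CD_ROLE_RULES,
                                              checks).items():
            print(f"  {verb:6} {res:12} group={grp or 'core':18} ns={ns:12}"
                  f" -> {'allowed' if ok else 'denied'}")
```

The line to look at in the output is `list secrets` in kube-system: with the ClusterRoleBinding it is allowed, with the RoleBinding it is denied, which is the whole difference the section describes. The `jobs` check under the core group shows why the API group in a rule must match the group the resource is actually served from.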
