A Role in Kubernetes contains a set of rules. Each rule grants permission for certain operations on certain resources by specifying apiGroups, resources, and verbs. For example, the following role defines a read-only rule for configmaps:
# cat role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: configmap-ro
rules:
- apiGroups: ["*"]
  resources: ["configmaps"]
  verbs: ["watch", "get", "list"]
A RoleBinding associates a role with a list of subjects (users, groups, or service accounts). The following example assigns the configmap-ro role to a list of subjects that, in this case, contains only the user linda:
# cat rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devops-role-binding
subjects:
- apiGroup: rbac.authorization.k8s.io   # User and Group subjects belong to the RBAC API group
  kind: User
  name: linda
roleRef:
  apiGroup: rbac.authorization.k8s.io   # roleRef.apiGroup must be rbac.authorization.k8s.io; an empty value is rejected by the API server
  kind: Role
  name: configmap-ro
Role and RoleBinding are namespaced: their scope is limited to a single namespace, and a RoleBinding can only reference a Role in its own namespace. For granting access to cluster-wide resources, or for granting the same permissions across all namespaces, we need ClusterRole and ClusterRoleBinding instead.
To place a Role or RoleBinding in a specific namespace, add a namespace field to the metadata section of its configuration file.
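The following is an added example, not code from the page or from Kubernetes itself. It is a toy evaluator that shows how the Role and RoleBinding above combine to answer an authorization question: a request is allowed only if some RoleBinding in the request's namespace names the subject and references a Role whose rules cover the verb, resource, and API group. The two objects are constructed Python dicts mirroring role.yaml and rolebinding.yaml, with a namespace of "dev" added to both as the text describes; the function names and the namespace value are assumptions of this example.

```python
"""Toy evaluator for namespaced Kubernetes RBAC (Role + RoleBinding).

Constructed objects below mirror the role.yaml and rolebinding.yaml on the page,
written as Python dicts so the example runs without PyYAML or a cluster.
"""

# Constructed: the configmap-ro Role, placed in the "dev" namespace (assumed).
ROLE = {
    "kind": "Role",
    "metadata": {"name": "configmap-ro", "namespace": "dev"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["configmaps"], "verbs": ["watch", "get", "list"]},
    ],
}

# Constructed: the devops-role-binding RoleBinding, also in "dev" (assumed).
ROLEBINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "devops-role-binding", "namespace": "dev"},
    "subjects": [
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "linda"},
    ],
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "configmap-ro"},
}


def _matches(allowed, wanted):
    """A rule list matches if it contains the wildcard "*" or the exact value."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb, name=None):
    """True if one rule covers the (api_group, resource, verb[, name]) tuple."""
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    if not _matches(rule.get("verbs", []), verb):
        return False
    # Optional resourceNames narrows the rule to specific object names.
    names = rule.get("resourceNames")
    if names and name not in names:
        return False
    return True


def subject_matches(subject, user, groups):
    """Match User and Group subjects; ServiceAccount subjects are out of scope here."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False


def is_allowed(user, verb, resource, namespace, roles, bindings,
               api_group="", groups=(), name=None):
    """Return True if a RoleBinding in `namespace` binds `user` to a Role that permits the request.

    RBAC is deny-by-default: no matching binding + rule means the request is denied.
    Only Role references are handled; ClusterRole references are ignored in this toy.
    """
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # bindings are namespaced; one in "dev" says nothing about "prod"
        if not any(subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue
        # A RoleBinding can only reference a Role in its own namespace.
        role = roles_by_key.get((namespace, ref["name"]))
        if role is None:
            continue  # dangling reference grants nothing
        if any(rule_allows(rule, api_group, resource, verb, name) for rule in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("linda", "get", "configmaps", "dev"),
        ("linda", "create", "configmaps", "dev"),
        ("linda", "get", "secrets", "dev"),
        ("linda", "get", "configmaps", "prod"),
        ("bob", "get", "configmaps", "dev"),
    ]
    for user, verb, resource, ns in checks:
        verdict = is_allowed(user, verb, resource, ns, [ROLE], [ROLEBINDING])
        print(f"{user:6} {verb:7} {resource:11} in {ns:5}: {'allowed' if verdict else 'denied'}")
```

Two points the runs make visible: the binding in "dev" grants linda nothing in "prod", which is exactly the namespacing the text describes, and `apiGroups: ["*"]` matches the core API group (the empty string) where configmaps actually live, so the tighter least-privilege spelling for this role is `apiGroups: [""]`. On a real cluster the equivalent question is answered with `kubectl auth can-i get configmaps --as linda -n dev`.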