| name | rbac-design |
| type | skill |
| description | Design minimal-privilege RBAC for workloads, operators, and human access in multi-tenant clusters. |
| related-rules | ["workload-security.md"] |
| allowed-tools | Read, Write, Edit, Bash |
Skill: RBAC Design
Expertise: Kubernetes RBAC — service accounts, Roles, ClusterRoles, namespace isolation, human access patterns.
When to load
When onboarding a new service, setting up CI/CD cluster access, auditing permissions, or debugging "forbidden" API errors.
RBAC Object Hierarchy
ClusterRole → cluster-scoped permissions (nodes, PVs, namespaces)
Role → namespace-scoped permissions (pods, services, configmaps)
ClusterRoleBinding → binds ClusterRole to subject cluster-wide
RoleBinding → binds Role OR ClusterRole to subject in one namespace
Workload Service Account Pattern
apiVersion: v1
kind: ServiceAccount
metadata:
name: order-service
namespace: production
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789:role/order-service-prod
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: order-service
namespace: production
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
resourceNames: ["order-service-config"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames: ["order-service-tls"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: order-service
namespace: production
subjects:
- kind: ServiceAccount
name: order-service
namespace: production
roleRef:
kind: Role
apiGroupv: rbac.authorization.k8s.io
name: order-service
Human Access Patterns
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: devs-view-staging
namespace: staging
subjects:
- kind: Group
name: developers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
Built-in ClusterRoles (use before creating custom)
| ClusterRole | Access level |
|---|
view | Read-only all namespaced resources |
edit | Read/write most namespaced resources; no RBAC |
admin | Full namespace access including RBAC |
cluster-admin | Full cluster access — never bind to apps |
CI/CD Access Pattern
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ci-deployer
rules:
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["get", "list", "patch", "update"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
RBAC Audit Commands
kubectl auth can-i --list \
--as=system:serviceaccount:production:order-service \
-n production
kubectl who-can get secrets -n production
kubectl get rolebindings,clusterrolebindings -n production -o wide
kubectl auth can-i delete pods -n production \
--as=system:serviceaccount:production:order-service
Common Misconfigurations
| Mistake | Risk | Fix |
|---|
Using default ServiceAccount | All pods in namespace share permissions | Dedicate one SA per workload |
verbs: ["*"] | Full resource control | Enumerate exact verbs needed |
resources: ["*"] | Access to all resources | List explicitly |
Binding cluster-admin to CI | Breach = full cluster takeover | Use scoped ci-deployer ClusterRole |
automountServiceAccountToken: true (default) | Token injected into all pods | Set to false unless needed |