Kubernetes RBAC

Kubernetes user setup (certificate-based authentication) and RBAC setup for that same user.


  • kubectl is a client. It needs connection information (API server address, cluster CA, and a credential) to communicate with a Kubernetes cluster.
  • <USER> and <GROUP> in this document are Kubernetes identities, NOT OS (Linux/Windows) level users/groups.

Authentication - User Management

  • Kubernetes has no API object for normal users; a user is simply the identity that an authenticator hands to the API server. The main authenticators are:
    • Certificate-based authentication (X.509 client certificates)
    • Token-based authentication (static tokens, bootstrap tokens, service account tokens)
    • Basic authentication (static password file; removed in Kubernetes 1.19)
    • OAuth2 / OpenID Connect

We will focus on Certificate-based authentication.

Certificate-Based Authentication

Cluster CA

  • Public certificate location: /etc/kubernetes/pki/ca.crt (kubeadm default; the path used in the signing step below)

  • Private key location: /etc/kubernetes/pki/ca.key (kubeadm default; the path used in the signing step below)


Any client certificate signed by this CA is accepted by the Kubernetes API server as an authenticated identity. Protect ca.key accordingly: whoever holds it can mint a certificate for any user or group, including system:masters, and Kubernetes does not check certificate revocation (no CRL or OCSP), so a leaked or over-issued certificate stays valid until it expires.

Create User (Certificate with OpenSSL)

  • Certificate Common Name (CN): Kubernetes uses this as <USER>.
  • Certificate Organization (O): Kubernetes uses each O value as a <GROUP>.

User & Admin Steps:

  1. User: Create private key.

    openssl genrsa -out <USER>.key 2048
  2. User: Create certificate signing request (CSR).

    openssl req -new -key <USER>.key -out <USER>.csr -subj "/CN=<USER>/O=<GROUP>"

    A <USER> can have multiple groups:

    openssl req -new -key <USER>.key -out <USER>.csr -subj "/CN=<USER>/O=<GROUP>/O=<GROUP>/O=<GROUP>"
  3. User: send <USER>.csr to the Kubernetes administrator. The private key (<USER>.key) never leaves the user's machine; the CSR is all the admin needs.

  4. Admin: Inspect the CSR subject, then create the certificate from the CSR using the cluster CA key.

    The CN and O values in the CSR become the user and groups, so a CSR asking for O=system:masters would be granted cluster-admin; reject anything that claims an identity the requester is not entitled to. Note that -days 3650 issues a 10-year certificate with no way to revoke it; a shorter lifetime is safer.

    openssl x509 -req -in <USER>.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out <USER>.crt -days 3650
  5. Admin: Send <USER>.crt to user.

  6. User: Create kubectl config.

    Add cluster to kubectl config. (Associate a cluster name with the cluster CA and the API server address.)

    kubectl config \
     set-cluster <CLUSTER-NAME> \
     --server=https://<API-SERVER>:<PORT> \
     --certificate-authority=/etc/kubernetes/pki/ca.crt \
     --embed-certs=true

    Add credential to kubectl config. (Associate a certificate and key with a user name.)

    kubectl config \
     set-credentials <USER> \
     --client-certificate=<USER>.crt \
     --client-key=<USER>.key

    Add context to kubectl config. (Associate a context name with a cluster, user pair.)

    kubectl config \
     set-context <CONTEXT-NAME> \
     --cluster=<CLUSTER-NAME> \
     --user=<USER>

    Set the context as current (active). (A context is not made current when it is created.)

    kubectl config \
     use-context <CONTEXT-NAME>

PS: At this point kubectl can communicate with the cluster (the user is authenticated), but every request is forbidden (the user is not yet authorized) apart from the API discovery and self-introspection permissions that the default bindings give every member of system:authenticated. A quick check is "kubectl auth can-i get pods", which answers "no" until a binding exists.
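The whole user/admin exchange above as one script, added here as an example and not taken from the original post. Only openssl is needed for the key, CSR and signing steps; the kubeconfig step runs only if kubectl is installed. The cluster CA is a throwaway one generated in a scratch directory so the script runs offline (on a real cluster it is /etc/kubernetes/pki/ca.crt and ca.key), the user "alice" and groups "test"/"dev" are hypothetical, and the API server address comes from the KUBE_SERVER variable (a placeholder). The added piece a practitioner wants is the admin-side CSR check: a CSR that asks for O=system:masters, or any CN/O in the reserved system: namespace, is refused before it reaches the CA key.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Functions for each side of the
# certificate exchange plus the CSR check the admin should run before signing.
set -eu

# Admin side (hypothetical, so the example runs offline): a throwaway cluster CA.
# On a real kubeadm cluster use /etc/kubernetes/pki/ca.crt and ca.key instead.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=kubernetes" 2>/dev/null
}

# User side: the private key stays here; only the CSR is sent to the admin.
# CN becomes the Kubernetes user, every O becomes a group.
user_make_csr() {
  local dir=$1 user=$2; shift 2
  local subj="/CN=$user" g
  for g in "$@"; do subj="$subj/O=$g"; done
  openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$user.key" -out "$dir/$user.csr" -subj "$subj"
}

# Print the identity a CSR asks for, RFC 2253 form: comma separated, CN last.
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Admin side: refuse CSRs that claim a privileged identity. system:masters is
# bound to cluster-admin and bypasses RBAC; system: names are reserved for the
# control plane. Returns 0 when the CSR may be signed.
admin_check_csr() {
  local subj
  subj=$(csr_subject "$1")
  if printf '%s\n' "$subj" | grep -Eq '(^|,)O=system:masters(,|$)'; then
    echo "REJECT: CSR requests group system:masters ($subj)" >&2; return 1
  fi
  if printf '%s\n' "$subj" | grep -Eq '(^|,)(CN|O)=system:'; then
    echo "REJECT: CSR requests a reserved system: identity ($subj)" >&2; return 1
  fi
  return 0
}

# Admin side: sign with the cluster CA, but only after the check passes.
# Default lifetime is one year rather than the post's ten: there is no revocation.
admin_sign_csr() {
  local dir=$1 user=$2 days=${3:-365}
  admin_check_csr "$dir/$user.csr"
  openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/$user.crt" -days "$days" 2>/dev/null
}

# Either side: confirm the certificate chains to the cluster CA, and show the
# user/groups the API server will derive from it.
cert_chains_to_ca() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null; }
cert_identity() {
  openssl x509 -in "$1/$2.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# User side: build a separate kubeconfig with the flags the post's snippets
# omitted (--server, --user). Skipped when kubectl is not installed.
user_kubeconfig() {
  local dir=$1 user=$2 cluster=$3 server=$4
  local kc=$dir/$user.kubeconfig
  command -v kubectl >/dev/null || { echo "kubectl not found, skipping kubeconfig" >&2; return 0; }
  kubectl --kubeconfig "$kc" config set-cluster "$cluster" \
    --server="$server" --certificate-authority="$dir/ca.crt" --embed-certs=true
  kubectl --kubeconfig "$kc" config set-credentials "$user" \
    --client-certificate="$dir/$user.crt" --client-key="$dir/$user.key" --embed-certs=true
  kubectl --kubeconfig "$kc" config set-context "$user@$cluster" --cluster="$cluster" --user="$user"
  kubectl --kubeconfig "$kc" config use-context "$user@$cluster"
}

# Run the whole exchange in a scratch directory:  ./user-cert.sh run
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  make_test_ca "$work"
  user_make_csr "$work" alice test dev          # hypothetical user and groups
  admin_sign_csr "$work" alice
  cert_chains_to_ca "$work" alice && echo "alice.crt chains to ca.crt"
  echo "identity: $(cert_identity "$work" alice)"
  user_kubeconfig "$work" alice my-cluster "${KUBE_SERVER:-https://127.0.0.1:6443}"
  echo "files are in $work"
fi
```

Because the CSR check runs inside admin_sign_csr, a request with /O=system:masters stops the script before the CA key is touched; the user's .key file is never read by any admin-side function.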

Authorization - Role-Based Access Control (RBAC)

Kubernetes RBAC has Roles, which grant permissions within one namespace, and ClusterRoles, which are cluster-wide (needed for cluster-scoped resources such as nodes). A RoleBinding or ClusterRoleBinding attaches a role to subjects. A simple Role plus RoleBinding example is shown below.

Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

For Helm RBAC: https://github.com/helm/helm/blob/master/docs/rbac.md

RBAC Terms

  • Subject: who is acting: a User, a Group, or a ServiceAccount (the identity used by processes running in pods).
  • API resources: what is acted on: nodes, pods, services, etc.
  • Operations (verbs): get, list, watch, create, update, patch, delete, etc.

Create Namespace

Create namespace “test”:

kubectl create ns test

Create Role

Create a role with full access within the “test” namespace (test-admin-role.yml):


kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test:admin
  namespace: test    # a Role is namespaced; it grants nothing outside "test"
rules:
- apiGroups: ["*"]   # every API group, core ("") included
  resources: ["*"]
  verbs: ["*"]


kubectl create -f test-admin-role.yml

Create RoleBinding

Create a role binding in the “test” namespace for the “test” group, i.e. every user whose certificate carries /O=test (test-admin-bind.yml):


kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test:admin
  namespace: test
subjects:
- kind: Group
  name: test
  apiGroup: rbac.authorization.k8s.io   # User and Group subjects live in this group
roleRef:
  kind: Role
  name: test:admin
  apiGroup: rbac.authorization.k8s.io   # roleRef is immutable once created


kubectl create -f test-admin-bind.yml
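A way to check that the binding does what the post intends, added here as an example and not part of the original post: render the RoleBinding for a given user and groups, apply it, then ask the API server what that user may do via kubectl impersonation (--as / --as-group) from the admin context, without needing the user's kubeconfig. The namespace "test" and role "test:admin" are the post's; the user name and the extra group passed on the command line are hypothetical, and the binding adds a User subject next to the Group subjects so it also covers a certificate issued without /O=test. The live checks need kubectl and a context allowed to impersonate (cluster-admin is); rendering works offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: render the binding, apply it,
# verify it with impersonation. Expected answers follow from a namespaced Role.
set -eu

# Render a RoleBinding granting ROLE in NS to USER and to each GROUP given.
# apiGroup is written explicitly: the API server would default it, but an
# audited manifest should not rely on defaulting.
render_binding() {
  local ns=$1 role=$2 user=$3; shift 3
  printf 'kind: RoleBinding\napiVersion: rbac.authorization.k8s.io/v1\n'
  printf 'metadata:\n  name: %s\n  namespace: %s\n' "$role" "$ns"
  printf 'subjects:\n- kind: User\n  name: %s\n  apiGroup: rbac.authorization.k8s.io\n' "$user"
  local g
  for g in "$@"; do
    printf -- '- kind: Group\n  name: %s\n  apiGroup: rbac.authorization.k8s.io\n' "$g"
  done
  printf 'roleRef:\n  kind: Role\n  name: %s\n  apiGroup: rbac.authorization.k8s.io\n' "$role"
}

# Ask the API server, as an admin impersonating USER in GROUP, whether each
# probe is allowed, and compare with what a namespaced admin Role must yield:
# everything inside NS, nothing in other namespaces, nothing cluster-scoped.
# Returns 1 if any answer differs. "--" marks a cluster-scoped probe.
check_access() {
  local ns=$1 user=$2 group=$3 failed=0 spec
  command -v kubectl >/dev/null || { echo "kubectl not found, skipping live check" >&2; return 0; }
  for spec in "yes create pods $ns" "yes delete secrets $ns" \
              "no create pods default" "no get nodes --"; do
    set -- $spec
    local want=$1 verb=$2 res=$3 where=$4 got
    if [ "$where" = "--" ]; then
      got=$(kubectl auth can-i "$verb" "$res" --as="$user" --as-group="$group" 2>/dev/null || true)
    else
      got=$(kubectl auth can-i "$verb" "$res" -n "$where" --as="$user" --as-group="$group" 2>/dev/null || true)
    fi
    echo "$verb $res ($where): ${got:-error} (expected $want)"
    [ "$got" = "$want" ] || failed=1
  done
  return $failed
}

# Usage: ./rbac-check.sh <USER> [extra-group ...]
# Writes test-admin-bind.yml, applies it, then probes the user's access.
if [ $# -gt 0 ]; then
  user=$1; shift
  render_binding test test:admin "$user" test "$@" | tee test-admin-bind.yml
  if command -v kubectl >/dev/null; then
    kubectl apply -f test-admin-bind.yml
    check_access test "$user" test
  fi
fi
```

The probes in check_access are the ones worth keeping in a post-change checklist: the two "yes" answers confirm the binding took effect, and the two "no" answers confirm the Role really is confined to the namespace rather than having been written as a ClusterRole by mistake.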
John Siu
Minimize the Effort, Maximize the Effect!