VOOZH about

URL: https://thenewstack.io/a-practical-approach-to-understanding-kubernetes-authorization/

⇱ A Practical Approach to Understanding Kubernetes Authorization - The New Stack

TNS
SUBSCRIBE
Join our community of software engineering leaders and aspirational developers. Always stay in-the-know by getting the most important news and exclusive content delivered fresh to your inbox to learn more about at-scale software development.
REQUIRED
It seems that you've previously unsubscribed from our newsletter in the past. Click the button below to open the re-subscribe form in a new tab. When you're done, simply close that tab and continue with this form to complete your subscription.
The New Stack does not sell your information or share it with unaffiliated third parties. By continuing, you agree to our Terms of Use and Privacy Policy.
Welcome and thank you for joining The New Stack community!
Please answer a few simple questions to help us deliver the news and resources you are interested in.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Great to meet you!
Tell us a bit about your job so we can cover the topics you find most relevant.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Welcome!

We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.

What’s next?

Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.

Follow TNS on your favorite social media networks.

Become a TNS follower on LinkedIn.

Check out the latest featured and trending stories while you wait for your first TNS newsletter.

PREV
1 of 2
NEXT
VOXPOP
As a JavaScript developer, what non-React tools do you use most often?
Angular
0%
Astro
0%
Svelte
0%
Vue.js
0%
Other
0%
I only use React
0%
I don't use JavaScript
0%
Thanks for your opinion! Subscribe below to get the final results, published exclusively in our TNS Update newsletter:
NEW! Try Stackie AI
From clobbered drafts to real-time sync
Apr 14th 2026 10:00am, by David Moore
TypeScript 6.0 RC arrives as a bridge to a faster future
Mar 14th 2026 9:00am, by Darryl K. Taft
Mastra empowers web devs to build AI agents in TypeScript
Jan 28th 2026 11:00am, by Loraine Lawson
2019-08-14 03:00:18
A Practical Approach to Understanding Kubernetes Authorization
tutorial,
Kubernetes / Security

A Practical Approach to Understanding Kubernetes Authorization

A hands-on view of how authorization works in Kubernetes.
Aug 14th, 2019 3:00am by Janakiram MSV
👁 Featued image for: A Practical Approach to Understanding Kubernetes Authorization
Feature Photo by Alice Donovan Rouse on Unsplash.
This article is a part of the Kubernetes security series that started a few weeks ago. The first article covered the overview and background of Kubernetes access control while the second part introduced the core concepts of authentication. In this installment, we will understand the concepts of authorization through a hands-on approach.
Let’s start with a quick recap of the environment and the scenario. We are dealing with a cluster running in the production environment where each department is associated with a namespace. We have Bob, the new hire in the DevOps team that we just on-boarded to the cluster as an administrator for the engineering namespace. He has been handed over the key and the signed certificate to access the Kubernetes cluster. If you haven’t done so already, run the commands from the previous tutorial to complete the environment setup and configuring the credentials for Bob. It’s time for us to authorize Bob to control the resources belonging to the engineering namespace. We will first create a context for kubectl which makes it handy to switch between different environments. 
kubectl config set-context eng-context \
	--cluster=minikube \
	--namespace=engineering \
	--user=bob
Context "eng-context" created.
The above command created a new context pointing to the engineering namespace with Bob’s credentials within the minikube cluster. This results in a new section added to the ~/.kube/config file. 👁 Image
We will now create a simple pod within the engineering namespace: 
apiVersion: v1
kind: Pod
metadata:
 name: myapp
 namespace: engineering
 labels:
 app: myapp
spec:
 containers:
 - name: myapp
 image: busybox
 command: ["/bin/sh", "-ec", "while :; do echo '.'; sleep 5 ; done"]


 kubectl create -f myapp.yaml
pod/myapp created


kubectl get pods -n=engineering
NAME READY STATUS RESTARTS AGE
myapp 1/1 Running 0 89s
While you are able to create and manipulate the pods in the engineering namespace as the cluster administrator, Bob may not even be able to list the pods in the same namespace. 
kubectl get pods --namespace engineering --as bob
Error from server (Forbidden): pods is forbidden: User "bob" cannot list resource "pods" in API group "" in the namespace "engineering"
In order to allow Bob to access the resources in the engineering namespace, we need to authorize him. This is done by creating a role with appropriate permissions and then binding it to user Bob. Essentially, we are using Role Based Access Control (RBAC) to explicitly allow Bob to perform specific actions against certain Kubernetes resources within the engineering namespace. Create a Kubernetes role called eng-reader that has permissions to list pods in the engineering namespace. 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 namespace: engineering 
 name: eng-reader
rules:
- apiGroups: [""] # "" indicates the core API group
 resources: ["pods", "services", "nodes"]
 verbs: ["get", "watch", "list"]


kubectl create -f role.yaml
role.rbac.authorization.k8s.io/eng-reader created


kubectl get roles --namespace=engineering
NAME AGE
eng-reader 58s
Notice that the role doesn’t have any reference to Bob. We will apply the permissions specified in the role to Bob by creating a role binding. The below steps will do this for us. 
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: eng-read-access
 namespace: engineering
subjects:
- kind: User
 name: bob # Name is case sensitive
 apiGroup: rbac.authorization.k8s.io
roleRef:
 kind: Role #this must be Role or ClusterRole
 name: eng-reader # this must match the name of the Role or ClusterRole you wish to bind to
 apiGroup: rbac.authorization.k8s.io


kubectl create -f role-binding.yaml
rolebinding.rbac.authorization.k8s.io/eng-read-access created


kubectl get rolebindings --namespace=engineering
NAME AGE
eng-read-access 31s
Let’s check if Bob is now able to access the pods. 
kubectl get pods --namespace engineering --as bob
NAME READY STATUS RESTARTS AGE
myapp 1/1 Running 0 11m
Since he is now associated with the eng-reader role, he gained the pod list permission. At this point, Bob has pretty limited access within the cluster. All he can do is to list pods within the engineering namespace. This in itself is not very useful for Bob. He curiously checks the number of nodes in the cluster, and to his disappointment, he is greeted with a forbidden error. 
kubectl get nodes --as bob
Error from server (Forbidden): nodes is forbidden: User "bob" cannot list resource "nodes" in API group "" at the cluster scope
Roles and role bindings in Kubernetes can be applied either at the namespace level or at the cluster level. We can now create a cluster role and an associated binding for Bob to enable him to list the nodes. 
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 # "namespace" omitted since ClusterRoles are not namespaced
 name: cluster-node-reader
rules:
- apiGroups: [""]
 resources: ["nodes"]
 verbs: ["get", "watch", "list"]


kubectl create -f cluster-role.yaml
clusterrole.rbac.authorization.k8s.io/cluster-node-reader created


kubectl get clusterroles cluster-node-reader
NAME AGE
cluster-node-reader 49s


kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: read-cluster-nodes
subjects:
- kind: User
 name: bob # Name is case sensitive
 apiGroup: rbac.authorization.k8s.io
roleRef:
 kind: ClusterRole
 name: cluster-node-reader
 apiGroup: rbac.authorization.k8s.io


kubectl create -f cluster-role-binding.yaml
clusterrolebinding.rbac.authorization.k8s.io/read-cluster-nodes created


kubectl get clusterrolebindings read-cluster-nodes
NAME AGE
read-cluster-nodes 35s
Now, Bob is all set to list the nodes within the cluster. 
kubectl get nodes --as bob
NAME STATUS ROLES AGE VERSION
minikube Ready master 52m v1.15.2
The objective of this walkthrough was to help you understand how roles and role bindings work in Kubernetes. In the last and final part of this series, we will explore service accounts. Stay tuned. Janakiram MSV’s Webinar series, “Machine Intelligence and Modern Infrastructure (MI2)” offers informative and insightful sessions covering cutting-edge technologies. Sign up for the upcoming MI2 webinar at http://mi2.live.
TRENDING STORIES
Janakiram MSV (Jani) is a practicing architect, research analyst, and advisor to Silicon Valley startups. He focuses on the convergence of modern infrastructure powered by cloud-native technology and machine intelligence driven by generative AI. Before becoming an entrepreneur, he spent...
Read more from Janakiram MSV
SHARE THIS STORY
TRENDING STORIES
SHARE THIS STORY
TRENDING STORIES
TNS DAILY NEWSLETTER Receive a free roundup of the most recent TNS articles in your inbox each day.
The New Stack does not sell your information or share it with unaffiliated third parties. By continuing, you agree to our Terms of Use and Privacy Policy.