RoleBindings and ClusterRoleBindings
Roles and ClusterRoles define what actions are permitted, but they do nothing on their own. You need a RoleBinding or ClusterRoleBinding to attach those permissions to actual users, groups, or ServiceAccounts.
RoleBinding
A RoleBinding grants the permissions defined in a Role to subjects within a specific namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-binding
  namespace: development
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: dev-team
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
The subjects field accepts three kinds: User, Group, and ServiceAccount. User and Group subjects carry apiGroup: rbac.authorization.k8s.io, while a ServiceAccount subject omits apiGroup and instead names the namespace the account lives in (see the ClusterRoleBinding example below).
ClusterRoleBinding
A ClusterRoleBinding grants a ClusterRole's permissions cluster-wide: in every namespace, and on cluster-scoped resources such as nodes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-node-viewer
subjects:
- kind: ServiceAccount
  name: monitoring-sa
  namespace: monitoring
roleRef:
  kind: ClusterRole
  name: node-viewer
  apiGroup: rbac.authorization.k8s.io
Binding a ClusterRole at Namespace Scope
You can use a RoleBinding to reference a ClusterRole. The ClusterRole's rules are then granted only within the RoleBinding's namespace, which lets you define a common set of rules once and hand it out namespace by namespace. Cluster-scoped resources listed in such a ClusterRole are not granted this way, because the RoleBinding itself is namespaced.
# Bind a ClusterRole to a user in a specific namespace
kubectl create rolebinding dev-view \
--clusterrole=view \
--user=jane \
-n development
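As an added illustration (not part of the original page), the following Python models how the API server resolves the three bindings shown above, including the namespace-limited ClusterRole case. The ROLES and BINDINGS tables are constructed from the manifests on this page; apiGroups, resourceNames and wildcards are left out to keep the model short.

```python
# Roles keyed by (kind, namespace, name); ClusterRoles have namespace None.
# Rule contents are constructed for this example.
ROLES = {
    ("Role", "development", "pod-reader"): [
        {"resources": ["pods"], "verbs": ["get", "list"]}],
    ("ClusterRole", None, "node-viewer"): [
        {"resources": ["nodes"], "verbs": ["get", "list"]}],
    ("ClusterRole", None, "view"): [
        {"resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}],
}

# The three bindings from the page, reduced to the fields used for resolution.
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "development",
     "subjects": [{"kind": "User", "name": "jane"},
                  {"kind": "Group", "name": "dev-team"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRoleBinding",
     "subjects": [{"kind": "ServiceAccount", "name": "monitoring-sa",
                   "namespace": "monitoring"}],
     "roleRef": {"kind": "ClusterRole", "name": "node-viewer"}},
    {"kind": "RoleBinding", "namespace": "development",  # the dev-view binding
     "subjects": [{"kind": "User", "name": "jane"}],
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
]


def subject_matches(subject, kind, name, sa_namespace):
    """ServiceAccount subjects are namespaced, so their namespace must match too."""
    if subject["kind"] != kind or subject["name"] != name:
        return False
    return kind != "ServiceAccount" or subject.get("namespace") == sa_namespace


def allowed(kind, name, verb, resource, namespace, sa_namespace=None):
    """True if the subject may perform `verb` on `resource` in `namespace`."""
    for binding in BINDINGS:
        if not any(subject_matches(s, kind, name, sa_namespace)
                   for s in binding["subjects"]):
            continue
        # A RoleBinding applies only in its own namespace, even when its roleRef
        # points at a ClusterRole; a ClusterRoleBinding applies everywhere.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        ref = binding["roleRef"]
        role_ns = binding["namespace"] if ref["kind"] == "Role" else None
        for rule in ROLES.get((ref["kind"], role_ns, ref["name"]), []):
            if resource in rule["resources"] and verb in rule["verbs"]:
                return True
    return False
```

Running `allowed("User", "jane", "list", "pods", "production")` returns False even though jane holds the cluster-wide `view` ClusterRole, because it reached her through a namespaced RoleBinding.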
Managing Bindings with kubectl
# List RoleBindings in a namespace
kubectl get rolebindings -n development
# List all ClusterRoleBindings
kubectl get clusterrolebindings
# Create a ClusterRoleBinding imperatively
# (cluster-admin is unrestricted: the group gets full control of every namespace)
kubectl create clusterrolebinding ops-admin \
--clusterrole=cluster-admin \
--group=ops-team
# Describe a binding to see its details
kubectl describe rolebinding read-pods-binding -n development
Key Takeaways
- RoleBindings work within a namespace; ClusterRoleBindings apply cluster-wide
- Subjects can be Users, Groups, or ServiceAccounts
- A RoleBinding can reference a ClusterRole to limit it to one namespace