19-Cluster-Roles.md

Cluster Roles

• Take me to Video Tutorial

In this section, we will take a look at cluster roles

Roles

• Roles and Rolebindings are namespaced meaning they are created within namespaces.

  

Namespaces

• Can you group or isolate nodes within a namespace?

  • No, those are cluster wide or cluster scoped resources. They cannot be associated to any particular namespace.

  

• So the resources are categorized as either namespaced or cluster scoped.

• To see namespaced resources

  $ kubectl api-resources --namespaced=true
  

• To see non-namespaced resources

  $ $ kubectl api-resources --namespaced=false
  

  

Cluster Roles and Cluster Role Bindings

• Cluster Roles are roles except they are for a cluster scoped resources. Kind as CLusterRole

  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: cluster-administrator
  rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["nodes"]
    verbs: ["get", "list", "delete", "create"]
  

  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: cluster-admin-role-binding
  subjects:
  - kind: User
    name: cluster-admin
    apiGroup: rbac.authorization.k8s.io
  roleRef:
    kind: ClusterRole
    name: cluster-administrator
    apiGroup: rbac.authorization.k8s.io
  

  $ kubectl create -f cluster-admin-role.yaml
  $ kubectl create -f cluster-admin-role-binding.yaml
  

• You can create a cluster role for namespace resources as well. When you do that user will have access to these resources across all namespaces.

K8s Reference Docs

• https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
• https://kubernetes.io/docs/reference/access-authn-authz/rbac/#command-line-utilities