# Kubernetes RBAC and ABAC

![Kubernetes Authorization Models](/files/8Qo7gzEFPW41XSlvMosr)

> **Intro:** Kubernetes authorization is where platform intent becomes operational reality. If identity is weak or authorization is too broad, every later control becomes less trustworthy.
>
> **What this page includes**
>
> * the difference between RBAC and ABAC
> * the core Kubernetes objects involved
> * practical YAML and policy examples
> * rollout guidance and common mistakes
>
> **Working assumptions**
>
> * RBAC should be the normal model for day-to-day cluster authorization
> * ABAC is mainly relevant in legacy or specialized control-plane situations
> * least privilege must cover both humans and service accounts

## Quick comparison

| Topic             | RBAC                                               | ABAC                                  |
| ----------------- | -------------------------------------------------- | ------------------------------------- |
| Policy storage    | Kubernetes API objects                             | local policy file on API server       |
| Change workflow   | dynamic, via API                                   | static; file read at API server start |
| Main objects      | Role, ClusterRole, RoleBinding, ClusterRoleBinding | JSON policy records                   |
| Operational fit   | modern, auditable, automatable                     | harder to scale and review            |
| Typical use today | default enterprise choice                          | legacy or narrowly constrained cases  |

## RBAC fundamentals

RBAC uses four primary objects:

* **Role**: permissions within a namespace;
* **ClusterRole**: cluster-scoped or reusable permissions;
* **RoleBinding**: attaches a Role or ClusterRole to a subject in one namespace;
* **ClusterRoleBinding**: attaches a ClusterRole across the cluster.

### Minimal read-only Role

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-readonly
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
```

### Bind the Role to a group

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-readonly-binding
  namespace: payments
subjects:
  - kind: Group
    name: sre-readers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-readonly
  apiGroup: rbac.authorization.k8s.io
```

See snippets:

* [rbac-readonly-role.yaml](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/k8s/rbac-readonly-role.yaml)
* [rbac-bindings.yaml](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/k8s/rbac-bindings.yaml)

## RBAC design guidance

### Good patterns

* separate **view**, **operate**, and **admin** personas;
* prefer namespace-scoped Roles first;
* create reusable ClusterRoles only when needed;
* bind groups rather than individual users where possible;
* review ServiceAccount permissions just as carefully as human permissions.

### Common mistakes

* binding `cluster-admin` for convenience;
* sharing one ServiceAccount across many workloads;
* granting secrets access to jobs that only need configmaps;
* forgetting that controllers and operators may need narrowly scoped write permissions.

## ABAC fundamentals

ABAC in Kubernetes is file-driven: the API server is started with `--authorization-mode=ABAC` and `--authorization-policy-file=<path>`, and that file contains one JSON `Policy` object per line. The file is read only at API server startup, so every policy change requires a restart.

### Example ABAC policy line

```json
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"alice","namespace":"payments","resource":"pods","readonly":true}}
```

This means:

* the subject is `alice`;
* the scope is namespace `payments`;
* the target resource is `pods` (with `apiGroup` unset, only the core API group is matched, which is where `pods` live);
* access is read-only, that is `get`, `list` and `watch` only.

See [abac-policy.jsonl](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/k8s/abac-policy.jsonl) for a fuller example.
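An added example (not from the page or the snippets repo) that parses a constructed JSONL file of the same shape and reproduces the API server's ABAC matching for resource requests: `user`/`group` must be present and match (`*` matches anyone), `readonly` lines cover only `get`/`list`/`watch`, and an unset `namespace` or `apiGroup` matches only the empty value. Non-resource paths are left out.

```python
import json

READ_VERBS = {"get", "list", "watch"}

# Constructed sample policy file: one JSON Policy object per line, same shape as abac-policy.jsonl.
POLICY_FILE = """
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"alice","namespace":"payments","resource":"pods","readonly":true}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"group":"sre-readers","namespace":"*","resource":"*","apiGroup":"*","readonly":true}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"ci-bot","namespace":"payments","resource":"deployments","apiGroup":"apps"}}
"""


def load_policies(text):
    """Parse the JSONL file; blank lines are skipped, every other line must be a Policy."""
    policies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("kind") != "Policy":
            raise ValueError(f"line {lineno}: kind must be Policy")
        policies.append(obj.get("spec", {}))
    return policies


def _subject_matches(spec, user, groups):
    # A set user/group must match ("*" matches anyone); a spec with neither field never matches.
    if spec.get("user") and spec["user"] not in ("*", user):
        return False
    if spec.get("group") and spec["group"] != "*" and spec["group"] not in groups:
        return False
    return bool(spec.get("user") or spec.get("group"))


def allowed(policies, user, groups, verb, namespace, resource, api_group=""):
    """True if any line permits the resource request; ABAC is allow-only, so no match means deny."""
    for spec in policies:
        if not _subject_matches(spec, user, groups):
            continue
        if spec.get("readonly", False) and verb not in READ_VERBS:
            continue  # readonly lines cover only get/list/watch
        if spec.get("namespace", "") not in ("*", namespace):
            continue  # unset namespace ("") matches only cluster-scoped requests
        if spec.get("resource", "") not in ("*", resource):
            continue
        if spec.get("apiGroup", "") not in ("*", api_group):
            continue  # unset apiGroup is the core group (where pods live); "apps" must be named
        return True
    return False
```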

## Why ABAC is harder to operate

ABAC can work, but it creates friction:

* policy lives outside normal Kubernetes API workflows;
* code review and inventory are harder unless you build strong file management around it;
* blast radius is easy to underestimate when policy files grow organically;
* migration and testing discipline are often weaker than with RBAC objects.

## When ABAC still appears

* older self-managed clusters;
* highly customized control plane deployments;
* transitional migrations where RBAC is being phased in.

## How to test authorization

Useful commands (`--as` impersonates a user and `--as-group` a group, so a binding that targets a group such as `sre-readers` is only exercised when the group is impersonated too; the caller needs the `impersonate` verb for this):

```bash
# can user alice read pods in payments?
kubectl auth can-i get pods -n payments --as=alice
# can the ci-bot ServiceAccount in payments create deployments?
kubectl auth can-i create deployments -n payments --as=system:serviceaccount:payments:ci-bot
# create or update the RBAC objects in the manifest, reconciling their rules with the cluster
kubectl auth reconcile -f rbac-readonly-role.yaml
```

## Recommended rollout plan

1. inventory human identities, groups, and ServiceAccounts;
2. define common personas such as read-only, operator, deployment-bot, and admin;
3. implement namespace Roles first;
4. review escalations and wildcard rules;
5. add periodic access reviews to the platform cadence.
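The review in step 4, together with the common mistakes listed earlier, can be scripted. This added example (not the page's or the project's code) audits a constructed listing shaped like `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` output and flags wildcard rules, the `escalate`/`bind`/`impersonate` verbs, secrets reads, `cluster-admin` bindings and per-user subjects.

```python
import json

ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

# Constructed sample listing, shaped like the output of
# `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
SAMPLE = json.loads("""{"items": [
 {"kind":"Role","metadata":{"name":"app-readonly","namespace":"payments"},
  "rules":[{"apiGroups":[""],"resources":["pods","services","configmaps"],"verbs":["get","list","watch"]}]},
 {"kind":"Role","metadata":{"name":"ci-job","namespace":"payments"},
  "rules":[{"apiGroups":[""],"resources":["configmaps","secrets"],"verbs":["get"]},
           {"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"quick-fix"},
  "subjects":[{"kind":"User","name":"bob"}],
  "roleRef":{"kind":"ClusterRole","name":"cluster-admin"}}
]}""")


def _ident(obj):
    m = obj["metadata"]
    return f"{obj['kind']}/{m['name']}" + (f" (ns {m['namespace']})" if "namespace" in m else "")


def audit_rules(obj):
    """Role/ClusterRole: flag wildcards, escalation verbs and secrets reads for review."""
    out = []
    for i, rule in enumerate(obj.get("rules", [])):
        verbs, res, groups = (set(rule.get(k, [])) for k in ("verbs", "resources", "apiGroups"))
        if "*" in (verbs | res | groups):
            out.append(f"{_ident(obj)} rule {i}: wildcard in verbs/resources/apiGroups")
        if verbs & ESCALATION_VERBS:
            out.append(f"{_ident(obj)} rule {i}: escalation verbs {sorted(verbs & ESCALATION_VERBS)}")
        if "secrets" in res and verbs & {"get", "list", "watch", "*"}:
            out.append(f"{_ident(obj)} rule {i}: reads secrets; confirm configmaps are not enough")
    return out


def audit_binding(obj):
    """RoleBinding/ClusterRoleBinding: flag cluster-admin grants and per-user subjects."""
    out = []
    if obj.get("roleRef", {}).get("name") == "cluster-admin":
        out.append(f"{_ident(obj)}: binds cluster-admin via {obj['kind']}")
    out += [f"{_ident(obj)}: binds individual user {s['name']}; prefer a group"
            for s in obj.get("subjects", []) if s.get("kind") == "User"]
    return out


def audit(listing):
    """One finding string per issue across the listing; an empty list means nothing was flagged."""
    findings = []
    for obj in listing["items"]:
        findings += audit_rules(obj) if obj["kind"] in ("Role", "ClusterRole") else audit_binding(obj)
    return findings
```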

## Cross-links

* [OPA and Policy Enforcement](/cloud-kubernetes-and-infrastructure-security/index-1/opa-and-policy-enforcement.md)
* [Network Policy Patterns](/cloud-kubernetes-and-infrastructure-security/index-1/network-policy-patterns.md)
* [AWS IAM and Role Design](/cloud-kubernetes-and-infrastructure-security/index/aws-iam-and-role-design.md)
