Overview
Kubernetes Role-Based Access Control (RBAC) is a form of identity and access management (IAM) that involves a set of permissions or template that determines who (subjects) can execute what (verbs), where (namespaces). RBAC is an evolution from the traditional attribute-based access control (ABAC)—which grants access based on user name rather than user responsibilities.
What is Kubernetes?
Kubernetes (also known as k8s or kube) is an open source container orchestration platform that automates many of the manual processes involved in deploying, managing, and scaling containerized applications.
When managed by Kubernetes, Linux containers give microservice-based apps an ideal application deployment unit and self-contained execution environment. And because Kubernetes deployments are written in YAML, the code is human-readable.
What are roles?
Roles grant various levels of access to pods and nodes. Roles can be authorized to access a specific group of clusters working together as an application workload (known simply as as roles) or entire clusters (known as cluster roles).
- Roles grant permission to virtually linked groups of clusters known as namespaces. Roles are a type of namespaced resource because user access to a workload is determined by what clusters are included in the specific namespace. Users, groups of users, or service account names can be consolidated into a single role through role binding.
- Cluster roles grant permission to entire clusters, which are groups of individual hardware nodes. Cluster roles can span multiple namespaces. Cluster role binding ties a cluster role to every namespace in a cluster. For example, the cluster administrator cluster role name has unfettered access to all clusters.
Role binding and cluster role permissions can be combined and stacked using metadata. This grants permissions defined in a cluster role to resources inside the role binding's namespace—helping define common roles across a cluster that can be reused across multiple namespaces.
How does Kubernetes RBAC work?
The Kubernetes application programming interface (API) is the front end of the Kubernetes control plane. The Kubernetes API communicates interactions with a computer or system to retrieve information or perform a function.
Kubernetes RBAC collects related function requests into API groups, which communicate with API servers when connecting certain roles to API endpoints.
For more information on using Kubernetes RBAC—including Kubernetes documentation, rbac.authorization.k8s.io authentication, the kubectl command line tool, add-ons, kubelet TLS bootstrapping, and setting up network policies, visit the open source project's RBAC docs.
Why Red Hat?
Red Hat was one of the first companies to work with Kubernetes’ creator—Google—on the project even prior to launch. Since then, it has become the 2nd leading contributor to the Kubernetes upstream project and became one of the first to market with an enterprise Kubernetes platform.
Red Hat® OpenShift® is Kubernetes for the enterprise, including all the extra pieces of technology that make Kubernetes more powerful and viable. These components include networking, authentication, monitoring, security, and automation, among others.
Unlike other vendor platforms that require proprietary components—as well as complex processes—Red Hat OpenShift is a single, integrated platform for operations and development teams, validating popular storage and networking plug-ins for Kubernetes and including built-in monitoring, logging, and analytics solutions.
Building on a foundation of OpenShift, you can use Red Hat Advanced Cluster Management and Red Hat Ansible® Automation Platform together to efficiently deploy and manage multiple Kubernetes clusters across environments.