{"id":8293,"date":"2023-12-09T00:23:17","date_gmt":"2023-12-09T00:23:17","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/understanding-role-based-access-control-rbac-in-kubernetes\/"},"modified":"2025-01-20T11:43:14","modified_gmt":"2025-01-20T11:43:14","slug":"understanding-role-based-access-control-rbac-in-kubernetes","status":"publish","type":"post","link":"https:\/\/cheapwindowsvps.com\/blog\/understanding-role-based-access-control-rbac-in-kubernetes\/","title":{"rendered":"Understanding Role-Based Access Control (RBAC) in Kubernetes"},"content":{"rendered":"<div>In a previous post in this <a href=\"https:\/\/4sysops.com\/archives\/create-a-kubernetes-pod\/\" target=\"_blank\" rel=\"nofollow noopener\">Kubernetes guide<\/a>, you learned about deploying stateful applications with Kubernetes StatefulSets. Today, we will discuss role-based access control (RBAC) in Kubernetes, which controls who can access Kubernetes cluster resources. It uses roles and role bindings to grant permissions to subjects, such as users, groups, or service accounts.<\/div>\n<h2>Verify Kubernetes API supports RBAC<\/h2>\n<p>The first step is ensuring that RBAC is enabled in the Kubernetes API server. To do so, look at the &#8211;authorization-mode flag of the kube-apiserver YAML manifest.<\/p>\n<pre>sudo cat \/etc\/kubernetes\/manifests\/kube-apiserver.yaml | grep authorization-mode<\/pre>\n<div><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Ensuring-RBAC-is-enabled-in-the-Kubernetes-API-server.png\" target=\"_blank\" rel=\"nofollow noopener\">Ensuring RBAC is enabled in the Kubernetes API server<\/a><\/div>\n<p>You are good to go if you see RBAC listed as shown in the screenshot. Here, Node refers to node authorization mode, which authorizes API requests from kubelets, and RBAC denotes that RBAC is enabled. Once RBAC is enabled, it declares four object kinds in the Kubernetes cluster: Roles, RoleBinding, ClusterRoles, and ClusterRoleBinding. You can see these resources by running the <em>kubectl api-resources | grep role<\/em> command, as shown in the screenshot below:<\/p>\n<div><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Viewing-API-resources-in-Kubernetes.png\" target=\"_blank\" rel=\"nofollow noopener\">Viewing API resources in Kubernetes<\/a><\/div>\n<p>This command returns each object&#8217;s API version and kind, as shown in the screenshot above. Notice that <em>roles<\/em> and <em>rolebindings<\/em> are namespaced, meaning they only apply to the resources within the same namespace in which they are created. The <em>clusterroles<\/em> and <em>clusterrolebindings<\/em> objects<em>,<\/em> on the other hand, are not namespaced, which means they work clusterwide regardless of the namespace. You will understand them better in the next section.<\/p>\n<h2>Understanding a role<\/h2>\n<p>In Kubernetes, a role defines a set of rules that specifies which operations are allowed on what resources. For instance, the <em>role.yaml<\/em> configuration file below creates a <em>pod-reader<\/em> role in the default namespace.<\/p>\n<pre>apiVersion: rbac.authorization.k8s.io\/v1<\/pre>\n<p>kind: Role<\/p>\n<p>metadata:<\/p>\n<p>namespace: default<\/p>\n<p>name: pod-reader<\/p>\n<p>rules:<\/p>\n<p>&#8211; apiGroups: [&#8220;&#8221;]<\/p>\n<p>resources: [&#8220;pods&#8221;, &#8220;pods\/log&#8221;]<\/p>\n<p>verbs: [&#8220;get&#8221;, &#8220;watch&#8221;, &#8220;list&#8221;]<\/p>\n<p><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Viewing-a-role-manifest-in-Kubernetes.png\" target=\"_blank\" rel=\"nofollow noopener\">Viewing a role manifest in Kubernetes<\/a><\/p>\n<p>Representation of a role manifest in Kubernetes.<\/p>\n<p>The elements of a role manifest are:<\/p>\n<ul>\n<li><strong>apiVersion<\/strong> &#8211; This denotes the API version where the role is applicable.<\/li>\n<li><strong>kind<\/strong> &#8211; Specifies the kind of object, Role in this instance.<\/li>\n<li><strong>metadata<\/strong> &#8211; Details describing the role, including name and namespace. A valid namespace must be mentioned; if ignored, the default namespace will be employed.<\/li>\n<li><strong>rules<\/strong> &#8211; These are the regulations allowed by the role, with each having several subfields:<\/li>\n<\/ul>\n<ul>\n<li><strong>apiGroups<\/strong> &#8211; Refers to the groups of APIs linked to the resources. The &#8221; &#8221; represents the primary API group encompassing resources like pods, services, nodes, etc.<\/li>\n<li><strong>resources<\/strong> &#8211; Defines the resources to which the rules are applicable, including pods, services, and secrets.<\/li>\n<li><strong>verbs<\/strong> &#8211; Enlists the verbs allowed under the rule, these may include: list, get, watch, create, update, delete.<\/li>\n<\/ul>\n<p>Make note, the permissions not enlisted are implicitly denied, and the YAML file doesn&#8217;t allow the formulation of any denial rules.<\/p>\n<h2>Interpreting a role binding<\/h2>\n<p>In the previous section, we described a <em>pod-reader<\/em> role in the default namespace but didn&#8217;t associate it with any subject. The role will not do anything unless we bind it to a user, group, or service account. In Kubernetes, <em>role binding<\/em> associates a role with a subject to grant permissions defined in the role specification. The<em> rolebinding.yaml <\/em>file below binds a <em>role<\/em> with a <em>group<\/em> in the cluster.<\/p>\n<pre>apiVersion: rbac.authorization.k8s.io\/v1<\/pre>\n<p>kind: RoleBinding<\/p>\n<p>metadata:<\/p>\n<p>name: read-pods<\/p>\n<p>namespace: default<\/p>\n<p>subjects:<\/p>\n<p>&#8211; kind: Group<\/p>\n<p>name: developer<\/p>\n<p>apiGroup: rbac.authorization.k8s.io<\/p>\n<p>roleRef:<\/p>\n<p>kind: Role<\/p>\n<p>name: pod-reader<\/p>\n<p>apiGroup: rbac.authorization.k8s.io<\/p>\n<ul>\n<li><strong>apiVersion<\/strong>\u2014The API version of the role binding.<\/li>\n<li><strong>kind<\/strong>\u2014The object&#8217;s type, which is RoleBinding in this case.<\/li>\n<li><strong>metadata<\/strong>\u2014Data describing the role binding, such as its name and namespace. The namespace must match the one specified in the <em>role.yaml<\/em> file.<\/li>\n<li><strong>subjects<\/strong>\u2014A list of subjects, with the following subfields:<\/li>\n<\/ul>\n<ul>\n<li><strong>kind<\/strong>\u2014Specifies a User, Group, or ServiceAccount.<\/li>\n<li><strong>name<\/strong>\u2014Specifies the case-sensitive name of the user, group, or service account. In this case, the <em>developer<\/em> is the group name.<\/li>\n<li><strong>apiGroup<\/strong>\u2014Specifies the API group to which the role belongs. In our case, the <em>developer<\/em> group belongs to the <em>rbac.authorization.k8s.io <\/em>API group.<\/li>\n<\/ul>\n<ul>\n<li><strong>roleRef<\/strong>\u2014Specifies a role to which the binding refers. It has the following subfields:<\/li>\n<\/ul>\n<ul>\n<li><strong>kind<\/strong>\u2014Specifies the binding&#8217;s type, such as Role or ClusterRole.<\/li>\n<li><strong>name<\/strong>\u2014Specifies the name of the Role or ClusterRole to bind. In this case, we are defining a binding for the <em>pod-reader<\/em> role.<\/li>\n<li><strong>apiGroup<\/strong>\u2014Specifies the API group of the role to which the <em>roleRef<\/em> field refers. It must be <em>rbac.authorization.k8s.io, <\/em>because the <em>Role<\/em> and <em>ClusterRole<\/em> resources exist in this API group.<\/li>\n<\/ul>\n<p>Keep in mind, the <em>roleRef<\/em> field is unchangeable, indicating it can&#8217;t be modified once the role binding is established. Alteration of this field calls for the deletion and re-establishment of the role binding object.<\/p>\n<h2>Cluster role and cluster role binding<\/h2>\n<p>Above-mentioned <em>role<\/em> and role binding are limited to the namespace in which they&#8217;re made. For instance, we put forth a <em>pod-reader<\/em> role in the default namespace and connected it with the <em>developer<\/em> group via a role binding. Consequently, only the developer group members can access Pods in the default namespace.<\/p>\n<p>What if there&#8217;s a need to grant certain users (for example, security admins or auditors) the rights to access Pods in all namespaces (including the kube-system namespace)? Creating a separate role and role binding for every namespace isn&#8217;t efficient. Hence, <em>cluster role<\/em> and <em>cluster role binding<\/em> are introduced. They operate similarly to roles and bindings, but their scope expands to the whole cluster. Here&#8217;s a configuration that outlines a <em>clusterrole.yaml<\/em> file:<\/p>\n<pre>apiVersion: rbac.authorization.k8s.io\/v1<\/pre>\n<p>kind: ClusterRole<\/p>\n<p>metadata:<\/p>\n<p>name: global-pod-reader<\/p>\n<p>rules:<\/p>\n<p>&#8211; apiGroups: [&#8220;&#8221;]<\/p>\n<p>resources: [&#8220;pods&#8221;, &#8220;pods\/log&#8221;]<\/p>\n<p>verbs: [&#8220;get&#8221;, &#8220;watch&#8221;, &#8220;list&#8221;]<\/p>\n<p><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Viewing-a-cluster-role-manifest-in-Kubernetes.png\" target=\"_blank\" rel=\"nofollow noopener\">Viewing a cluster role manifest in Kubernetes<\/a><\/p>\n<p>Here, the kind is set to ClusterRole, and the namespace is not specified because cluster roles work cluster-wide. Similarly, see the <em>clusterrolebinding.yaml<\/em> file below.<\/p>\n<pre>apiVersion: rbac.authorization.k8s.io\/v1<\/pre>\n<p>kind: ClusterRoleBinding<\/p>\n<p>metadata:<\/p>\n<p>name: read-pods-global<\/p>\n<p>subjects:<\/p>\n<p>&#8211; kind: Group<\/p>\n<p>name: security<\/p>\n<p>apiGroup: rbac.authorization.k8s.io<\/p>\n<p>roleRef:<\/p>\n<p>kind: ClusterRole<\/p>\n<p>name: global-pod-reader<\/p>\n<p>apiGroup: rbac.authorization.k8s.io<\/p>\n<div><\/div>\n<p>Viewing a cluster role binding manifest in Kubernetes<\/p>\n<p>Here, the <em>subjects<\/em> field specifies a group named <em>security<\/em>, and the <em>roleRef<\/em> field binds to the <em>global-pod-reader<\/em> cluster role defined in the <em>clusterrole.yaml<\/em> file. Once the cluster role and cluster role binding are created, they grant <em>security<\/em> group members access to Pods in all cluster namespaces.<\/p>\n<h2>Understanding the kubeconfig file<\/h2>\n<p>Now that you understand the roles and bindings, let me introduce you to the kubeconfig (kubernetes configuration) YAML file. Setting up a Kubernetes cluster with Kubeadm generates a kubeconfig file for the <em>admin<\/em> user on the control plane node at <em>~\/.kube\/config<\/em> location. This file contains vital information to authenticate against the Kubernetes API.<\/p>\n<div><\/div>\n<p>Viewing the Kubernetes configuration (kubeconfig) file for the admin<\/p>\n<p>As shown in the screenshot above, a kubeconfig file contains the following fields:<\/p>\n<ul>\n<li><strong>Clusters\u2014<\/strong>Contains a list of clusters that the user can access. Each cluster has a name, a server address, and base64-encoded certificate authority (CA) data.<\/li>\n<li><strong>Users\u2014<\/strong>Specifies a list of users who can authenticate to the clusters. Each user has a name, client certificate, and private key data in base64-encoded form.<\/li>\n<li><strong>Contexts\u2014<\/strong>Specifies a list of contexts. A context is a way of setting different cluster configurations and switching between them. It has a name, cluster name, user name, and a namespace.<\/li>\n<li><strong>Current-context\u2014<\/strong>This field defines the default context name for running kubectl commands.<\/li>\n<\/ul>\n<p>You can share this kubeconfig file with other admins to give them full access to your Kubernetes cluster. However, you might want to grant more granular permissions on a production cluster to avoid potential issues.<\/p>\n<h2>Generate a kubeconfig file for a user<\/h2>\n<p>Kubernetes has no built-in user management functionality, so you must rely on external providers like AWS IAM or Keycloak for user management. For demo purposes in this post, I will create a regular Linux user on a Ubuntu VM and generate a kubeconfig file for that user.<\/p>\n<p>First, connect to the VM, create a user account, and add it to the sudo group using the following commands:<\/p>\n<pre>sudo adduser john<\/pre>\n<p>sudo usermod -aG sudo john<\/p>\n<p><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Creating-a-user-account-and-adding-it-to-the-sudo-group-in-Ubuntu.png\" target=\"_blank\" rel=\"nofollow noopener\">Creating a user account and adding it to the sudo group in Ubuntu<\/a><\/p>\n<p>Now log in with the new user account on the VM and generate a certificate signing request (CSR) and private key with the <em>openssl<\/em> command as shown below:<\/p>\n<pre>openssl req -new -newkey rsa:4096 -nodes -keyout john.key -out john.csr -subj \"\/CN=john\/O=developer\"<\/pre>\n<p><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Generating-a-certificate-signing-request-and-private-key-with-the-openssl-command.png\" target=\"_blank\" rel=\"nofollow noopener\">Generating a certificate signing request and private key with the openssl command<\/a><\/p>\n<p>This command generates a new CSR file named <em>john.csr<\/em> and a private key named <em>john.key<\/em> in the home directory. The <em>-subj<\/em> parameter is essential here, as it defines the user&#8217;s common name and group membership. Remember the <em>rolebinding.yaml<\/em> file we created earlier, where we specified a <em>developer<\/em> group? Here, we declare the <em>john<\/em> user account a member of the <em>developer<\/em> group with the <em>-subj<\/em> option.<\/p>\n<p>Now, you need to send the CSR file to your Kubernetes admin so that they can generate a certificate signed by the cluster certificate authority (CA).<\/p>\n<p>That&#8217;s all we need to do on the Ubuntu VM for now. Let&#8217;s switch back to the control plane node.<\/p>\n<p>Make sure you have the CSR file on the control plane node. I will use the <em>scp<\/em> command to copy the CSR file from the Ubuntu VM.<\/p>\n<pre>scp john@ubuntu-vm.testlab.local:~\/john.csr .<\/pre>\n<p><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Copying-the-certificate-signing-request-file-to-the-control-plane-node.png\" target=\"_blank\" rel=\"nofollow noopener\">Copying the certificate signing request file to the control plane node<\/a><\/p>\n<p>Next, use the CSR file to generate a certificate. To sign the certificate with the cluster CA, type the path of the CA certificate and private key, as shown in the command below:<\/p>\n<pre>sudo openssl x509 -req -in john.csr -CA \/etc\/kubernetes\/pki\/ca.crt -CAkey \/etc\/kubernetes\/pki\/ca.key -CAcreateserial -out john.crt -days 365<\/pre>\n<div><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Generate-a-certificate-signed-by-the-cluster-certificate-authority.png\" target=\"_blank\" rel=\"nofollow noopener\">Generate a certificate signed by the cluster certificate authority<\/a><\/div>\n<p>Generate a certificate signed by the cluster certificate authority<\/p>\n<p>This command creates a certificate file named <em>john.crt <\/em>signed by the cluster CA.<\/p>\n<p>Send this certificate file to the user account along with the Kube API server URL and CA certificate file (located at <em>\/etc\/kubernetes\/pki\/ca.crt<\/em> on the control plane node). I will use <em>scp<\/em> to copy both certificate files to the Ubuntu VM.<\/p>\n<pre>scp {john.crt,\/etc\/kubernetes\/pki\/ca.crt} john@ubuntu-vm.testlab.local:~<\/pre>\n<p>Now, switch back to the Ubuntu VM, where you are already logged in with the <em>John<\/em> user account.<\/p>\n<p>Ensure you have the certificate file and the CA certificate.<\/p>\n<p><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Ensuring-that-the-certificate-and-private-key-files-are-handy.png\" target=\"_blank\" rel=\"nofollow noopener\">Ensuring that the certificate and private key files are handy<\/a><\/p>\n<p>The next step is to install the <em>kubectl<\/em> tool on the VM. To do so, run these commands in the same order:<\/p>\n<pre><\/pre>\n<p>sudo apt install -y apt-transport-https ca-certificates curl<\/p>\n<p>curl -fsSL https:\/\/pkgs.k8s.io\/core:\/stable:\/v1.28\/deb\/Release.key | sudo gpg &#8211;dearmor -o \/etc\/apt\/keyrings\/kubernetes-apt-keyring.gpg<\/p>\n<p>echo &#8216;deb [signed-by=\/etc\/apt\/keyrings\/kubernetes-apt-keyring.gpg] https:\/\/pkgs.k8s.io\/core:\/stable:\/v1.28\/deb\/ \/&#8217; | sudo tee \/etc\/apt\/sources.list.d\/kubernetes.list<\/p>\n<p>sudo apt update &amp;&amp; sudo apt install -y kubectl<\/p>\n<p>The <em>kubectl<\/em> tool aids in creating a kubeconfig file and establishes communication with the Kubernetes cluster.<\/p>\n<p>After the installation of kubectl is complete, a kubeconfig file can be generated by executing the undermentioned <em>kubectl config<\/em> commands:<\/p>\n<pre><\/pre>\n<p># Set cluster parameters in the kubeconfig file<\/p>\n<p>kubectl config set-cluster kubernetes &#8211;certificate-authority=ca.crt &#8211;embed-certs=true &#8211;server=https:\/\/192.168.0.40:6443<\/p>\n<p># Establish user credentials in the kubeconfig file<\/p>\n<p>kubectl config set-credentials john &#8211;client-certificate=john.crt &#8211;client-key=john.key &#8211;embed-certs=true<\/p>\n<p># Set context in the kubeconfig file<\/p>\n<p>kubectl config set-context john@kubernetes &#8211;cluster=kubernetes &#8211;user=john &#8211;namespace=default<\/p>\n<p>kubectl config set current-context john@kubernetes<\/p>\n<div><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Creating-a-kubeconfig-file-with-the-kubectl-tool.png\" target=\"_blank\" rel=\"nofollow noopener\">Creating a kubeconfig file with the kubectl tool<\/a><\/div>\n<p>Creating a kubeconfig file with the kubectl tool<\/p>\n<p>The first command sets the cluster parameters, such as the cluster name (kubernetes), CA certificate (<em>ca.crt<\/em>), and Kube API server URL, in the kubeconfig file at the default location (i.e., <em>~\/.kube\/config<\/em>). To specify an alternative location for the kubeconfig file, use the <em>&#8211;kubeconfig<\/em> parameter.<\/p>\n<p>The second command sets the user credentials, specifying the user name (<em>john<\/em>), certificate (<em>john.crt<\/em>), and private key (<em>john.key<\/em>). The <em>&#8211;embed-certs<\/em> parameter stores the certificate data within the <em>kubeconfig<\/em> file in base64-encoded form, which makes the kubeconfig file portable. After running this command, you can delete the original <em>john.crt<\/em> and <em>john.key<\/em> files.<\/p>\n<p>The third command defines the context by specifying the context name (john@kubernetes), cluster name (kubernetes), user name (john), and namespace (default).<\/p>\n<p>The fourth command sets the default context for the kubectl tool. You can switch between contexts with the <em>kubectl config use-context &lt;context-name&gt;<\/em> command if there are multiple contexts in the kubeconfig file.<\/p>\n<p>After running these commands, your kubeconfig file is ready.<\/p>\n<p><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Viewing-the-Kubernetes-configuration-(kubeconfig)-file-for-the-user.png\" target=\"_blank\" rel=\"nofollow noopener\">Viewing the Kubernetes configuration (kubeconfig) file for the user<\/a><\/p>\n<p>The screenshot shows that the kubeconfig file looks similar to the admin, except that the user is <em>john<\/em>, who can now successfully authenticate against the Kube API server.<\/p>\n<p>At this point, if the user (<em>john<\/em>) tries to run the <em>kubectl get pods<\/em> command, he will get a &#8220;forbidden&#8221; error.<\/p>\n<p>The error occurs due to the user being authenticated, but he is not yet authorized to perform any action on the cluster resources. The Kubernetes admin needs to assign permissions to the user. We created the configuration files for the role and role binding but haven&#8217;t applied them yet.<\/p>\n<h2>Create a role and role binding<\/h2>\n<p>To create a role and role binding, use the <em>kubectl apply<\/em> command, as shown below:<\/p>\n<pre>kubectl apply -f role.yaml<\/pre>\n<p>kubectl apply -f rolebinding.yaml<\/p>\n<p>kubectl get role,rolebinding<\/p>\n<p><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Creating-a-role-and-role-binding-in-Kubernetes.png\" target=\"_blank\" rel=\"nofollow noopener\">Creating a role and role binding in Kubernetes<\/a><\/p>\n<p>After creating the role and role binding, the user will be able to access Pods in the default namespace.<\/p>\n<pre>kubectl get pods<\/pre>\n<p><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Viewing-Pods-in-the-default-namespace-with-the-new-user.png\" target=\"_blank\" rel=\"nofollow noopener\">Viewing Pods in the default namespace with the new user<\/a><\/p>\n<p>The screenshot shows that the user can see the Pods in the default namespace. Let&#8217;s find out if he can also access Pods in the <em>kube-system<\/em> namespace.<\/p>\n<pre>kubectl get pods -n kube-system<\/pre>\n<div><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Viewing-Pods-in-the-kube-system-namespace-with-the-new-user.png\" target=\"_blank\" rel=\"nofollow noopener\">Viewing Pods in the kube-system namespace with the new user<\/a><\/div>\n<p>The user received a forbidden error again because he wasn&#8217;t allowed access to Pods in the <em>kube-system<\/em> namespace. To allow him access, you need to create a role and role binding specifically in the <em>kube-system<\/em> namespace or create a cluster role and cluster role binding to give him cluster-wide access.<\/p>\n<h2>Check authorization actions<\/h2>\n<p>So far, we have created a new user account and granted the user read access to Pods in the default namespace. How does the user know what he is authorized to do in the cluster? The <em>kubectl auth can-i<\/em> command is helpful for this. To see if you are allowed to view Pods in the default namespace, use the following command:<\/p>\n<pre>kubectl auth can-i get pods --namespace default<\/pre>\n<p>To see if you have the ability to view the logs of the Pods, you would need to run the following command:<\/p>\n<pre>kubectl auth can-i get pods --subresource=log<\/pre>\n<p>In order to determine if you possess the authorization to create Pods located within a production namespace, you should execute this command:<\/p>\n<pre>kubectl auth can-i create pods --namespace production<\/pre>\n<div><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/12\/Confirming-an-action-is-allowed-for-the-user-in-Kubernetes.png\" target=\"_blank\" rel=\"nofollow noopener\">Confirming an action is allowed for the user in Kubernetes<\/a><\/div>\n<p>Confirming an action is allowed for the user in Kubernetes<\/p>\n<p>These commands return either <em>yes<\/em> or <em>no<\/em>, so you know whether an action is permitted.<\/p>\n<div>\n<h2>Subscribe to 4sysops newsletter!<\/h2>\n<\/div>\n<h2>Conclusion<\/h2>\n","protected":false},"excerpt":{"rendered":"<p>In a previous post in this Kubernetes guide, you learned about deploying stateful applications with Kubernetes StatefulSets. Today, we will discuss role-based access control (RBAC) in Kubernetes, which controls who can access Kubernetes cluster resources. It uses roles and role bindings to grant permissions to subjects, such as users, groups, or service accounts. Verify Kubernetes [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":8294,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[92,95,132],"tags":[],"class_list":["post-8293","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles","category-devops","category-kubernetes"],"_links":{"self":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/8293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=8293"}],"version-history":[{"count":1,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/8293\/revisions"}],"predecessor-version":[{"id":10472,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/8293\/revisions\/10472"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/8294"}],"wp:attachment":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=8293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=8293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=8293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}