Saiyam Pathak avatar
By Saiyam Pathak
Director of Technical Evangelism


With Civo academy, learn how to create (RBAC) Role Based Access Control for your Kubernetes cluster.



Hi, In this video, we'll be doing a demo on RBAC. We'll be creating a namespace, Role, service account, ClusterRoleBinding, and then we'll try to switch the context to see it in action. So let's get started.

Creating namespace and service account

I already have some commands prepared, and we'll execute them one by one. Firstly, you have to create a namespace. So, run the command kubectl create namespace. So a demo namespace is created. Now, let's create a service account. Run the command kubectl create sa sam -n demo. To verify, run the command kubectl get serviceaccount -n demo, and we can see that sam has been created.


Now we will talk about the ClusterRole. It is essential. There are four aspects and four objects that can be created: ClusterRole, ClusterRoleBinding, Role, and RoleBinding. Now, ClusterRole and ClusterRoleBinding can be used together. ClusterRole can be used with RoleBinding. The role cannot be used with ClusterRoleBinding.

Let's create a ClusterRole. So the command is kubectl create clusterrole cr --verb=get,list,watch,delete --resource=secrets,pods,deployments. We can give any name you want for the ClusterRole.


Then comes the verb. Now, verbs define the action that can be performed on the resources. So the verb is Get, List, Watch, Delete, in this case, and The verb actions will be performed on resources such as secrets, pods, and deployments. So the above ClusterRole says that a user who has this role would be able to get, list, watch, and delete several resources like secrets, pods, and deployment inside the Kubernetes cluster.

Creating a ClusterRoleBinding

Now, we have a namespace created. We have a service account created. We have a ClusterRole that says what actions can be performed on what resources. But to tie them together and assign a role to the service account, we need something called RoleBinding or ClusterRoleBinding. So, in this case, let's create a RoleBinding.

So, to create RoleBinding, we will run the command kubectl create rolebinding super --serviceaccount=demo:sam -n demo --clusterrole=cr. So in the service account, we give namespace, colon, and the service account name. So our namespace is "demo, and our service account name is sam. So we have given that. Then comes the namespace, this RoleBind, because RoleBinding is a namespace object. So we have to provide the namespace.

Then there is the ClusterRole. So this will be the ClusterRole that we just created, which is cr. So in this, we are binding this ClusterRole to this service account. So that's the type of binding that we are creating.

So now, we have created ClusterRole, a service account, and the RoleBinding that connects four of them. So let's create a few resources in the namespace by running the command kubectl run demo --image=nginx --serviceaccount=sam -n demo. So the pod is created. Verify it by running kubectl get pods -n demo. We will see that the pod is running.

Now, let's create a deployment. Run the command kubectl create deployment test --image=nginx -n demo. So the deployment is also created. We can verify the creation by running the command kubectl get deploy -n demo. So we have the deployment as well.

So now that the pod and the deployment are created, we will take the token of the service account named sam and store it as a token, and we'll set the credentials using this particular token. Hence, run the command TOKEN=$(kubectl describe secrets "$(kubectl describe serviceaccount sam -n demo| grep -i Tokens | awk '{print $2}')" -n demo | grep token: awk '{print $2}')" for storing it as a token and again, run the command kubectl config set-credentials test-user token=$TOKEN to see the credentials using the token. Also, we'll set the context with this particular token by using the command kubectl config set-context demo --cluster=kubernetes --user=test-user, in which the cluster will be Kubernetes. Then, we'll use this particular demo context by using the command kubernetes config use-context demo. Now, if we run kubectl get pods, it says forbidden, which is true because the kubectl commands we are running are associated with service account sam. The service account does not have the role to view, delete, or do anything in any other namespaces. It can only view the pods from the demo namespace. Run the command kubectl get pods -n demo, and you can see that we can see the pods in the demo namespace. Now, if you run kubectl get deploy -n demo namespace, we will be able to view, but we should not be able to see the services.

We can run kubectl get svc -n demo, and it will again say forbidden. So this particular service account can only do whatever role we just created and assigned to this particular service account. So, we have successfully created the service account, the namespace, service account, and ClusterRole, and assigned them to the service account using the RoleBinding. And we have created the credentials, the context, and now, when we use the context, we can see this shows RBAC in action.

So that's it for this lecture. Thank you for watching. See you in the next one.

Civo course complete badge

You've successfully completed our course on Kubernetes configuration and security

We hope you enjoyed learning and encourage you to check out our other courses to further expand your knowledge on Kubernetes