
# Kubernetes RBAC

> Manage Roles, ClusterRoles, RoleBindings, ClusterRoleBindings, and ServiceAccounts in Ankra

<Note>
  The RBAC (Role-Based Access Control) section helps you understand and manage access control in your Kubernetes cluster.
</Note>

## Overview

Kubernetes RBAC controls who can do what in your cluster:

* **Roles** - Namespace-scoped permissions
* **ClusterRoles** - Cluster-wide permissions
* **RoleBindings** - Grant Roles to users/groups in a namespace
* **ClusterRoleBindings** - Grant ClusterRoles cluster-wide
* **ServiceAccounts** - Identities for pods and services

***

## Accessing RBAC Resources

Navigate to your cluster and click **Kubernetes** in the sidebar. RBAC resources include:

| Resource            | Path                               |
| ------------------- | ---------------------------------- |
| Roles               | Kubernetes → Roles                 |
| ClusterRoles        | Kubernetes → Cluster Roles         |
| RoleBindings        | Kubernetes → Role Bindings         |
| ClusterRoleBindings | Kubernetes → Cluster Role Bindings |
| ServiceAccounts     | Kubernetes → Service Accounts      |

***

## Roles and ClusterRoles

Roles define **what** actions are allowed on **which** resources.

### Roles (Namespace-scoped)

Roles grant permissions within a specific namespace.

| Column    | Description                 |
| --------- | --------------------------- |
| Name      | Role name                   |
| Namespace | Namespace where role exists |
| Rules     | Number of permission rules  |
| Age       | Time since creation         |

### ClusterRoles (Cluster-wide)

ClusterRoles grant permissions across all namespaces or on cluster-scoped resources.

| Column      | Description                       |
| ----------- | --------------------------------- |
| Name        | ClusterRole name                  |
| Rules       | Number of permission rules        |
| Aggregation | Whether it aggregates other roles |
| Age         | Time since creation               |

### Rule Details

Click a Role or ClusterRole to view its rules:

| Field              | Description                                                         |
| ------------------ | ------------------------------------------------------------------- |
| **API Groups**     | API groups the rule applies to (`""` for the core group, `apps`, `batch`, etc.) |
| **Resources**      | Resource types (`pods`, `deployments`, `secrets`, etc.)             |
| **Verbs**          | Allowed actions (`get`, `list`, `create`, `update`, `delete`, etc.) |
| **Resource Names** | Specific resource names (optional)                                  |

### Common Verbs

| Verb               | Description                |
| ------------------ | -------------------------- |
| `get`              | Read a single resource     |
| `list`             | List resources             |
| `watch`            | Watch for changes          |
| `create`           | Create new resources       |
| `update`           | Modify existing resources  |
| `patch`            | Partially update resources |
| `delete`           | Remove resources           |
| `deletecollection` | Delete multiple resources  |

### Built-in ClusterRoles

| Role            | Description               |
| --------------- | ------------------------- |
| `cluster-admin` | Full cluster access       |
| `admin`         | Full namespace access     |
| `edit`          | Read/write most resources |
| `view`          | Read-only access          |

***

## RoleBindings and ClusterRoleBindings

Bindings connect Roles to users, groups, or service accounts.

### RoleBindings (Namespace-scoped)

Grant a Role's permissions within a specific namespace.

| Column    | Description                        |
| --------- | ---------------------------------- |
| Name      | Binding name                       |
| Namespace | Namespace where binding applies    |
| Role      | Referenced Role or ClusterRole     |
| Subjects  | Users, groups, or service accounts |
| Age       | Time since creation                |

### ClusterRoleBindings (Cluster-wide)

Grant a ClusterRole's permissions across all namespaces.

| Column   | Description                        |
| -------- | ---------------------------------- |
| Name     | Binding name                       |
| Role     | Referenced ClusterRole             |
| Subjects | Users, groups, or service accounts |
| Age      | Time since creation                |

### Subject Types

| Type               | Description                |
| ------------------ | -------------------------- |
| **User**           | Individual user identity   |
| **Group**          | Group of users             |
| **ServiceAccount** | Kubernetes service account |

### Binding Details

Click a binding to view:

* **Role Reference** - The Role or ClusterRole being granted
* **Subjects** - Who receives the permissions

***

## ServiceAccounts

ServiceAccounts provide identities for pods and applications.

### Viewing ServiceAccounts

| Column    | Description                  |
| --------- | ---------------------------- |
| Name      | ServiceAccount name          |
| Namespace | Kubernetes namespace         |
| Secrets   | Number of associated secrets |
| Age       | Time since creation          |

### ServiceAccount Details

Click a ServiceAccount to view:

* **Secrets** - Associated token secrets
* **Image Pull Secrets** - Registry credentials
* **Automount Token** - Whether the token is automatically mounted into pods
* **Used By** - Pods using this service account

### Default ServiceAccount

Every namespace has a `default` ServiceAccount. Pods use it unless another is specified:

```yaml theme={null}
spec:
  serviceAccountName: my-service-account
```

***

## Common Patterns

### Viewing Who Has Access

1. Navigate to **ClusterRoleBindings** or **RoleBindings**
2. Search for bindings referencing a specific role
3. View the **Subjects** to see who has that role

### Checking a ServiceAccount's Permissions

1. Find the ServiceAccount in **Service Accounts**
2. Navigate to **RoleBindings** and **ClusterRoleBindings**
3. Filter for bindings where the subject is this ServiceAccount
4. View the referenced Roles to see granted permissions

### Least Privilege Principle

When creating new roles:

1. Start with minimal permissions
2. Add specific verbs and resources as needed
3. Use Roles instead of ClusterRoles when possible
4. Avoid wildcard (`*`) permissions in production
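A small audit that checks the last point of this list, together with the "Audit Bindings" tip further down, over Role, ClusterRole and ClusterRoleBinding objects modelled as dicts. This is added example code, not Ankra's; the role and binding names (`everything`, `ci-admin`, `ci-runner`) are constructed samples.

```python
# Added example (not Ankra's code): a least-privilege audit over Role, ClusterRole
# and ClusterRoleBinding objects modelled as dicts. It flags the two things the
# checklist above warns about: wildcard rules and cluster-admin bindings.
WILDCARD_FIELDS = ("apiGroups", "resources", "verbs")

def wildcard_findings(role):
    """One finding per rule field that contains '*' in a Role or ClusterRole."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        for field in WILDCARD_FIELDS:
            if "*" in rule.get(field, []):
                findings.append(f"{role['kind']}/{role['name']}: rule {i} uses '*' in {field}")
    return findings

def cluster_admin_subjects(bindings):
    """(binding name, subject) pairs for everyone granted cluster-admin cluster-wide."""
    found = []
    for b in bindings:
        if b["kind"] != "ClusterRoleBinding" or b["roleRef"]["name"] != "cluster-admin":
            continue
        for s in b["subjects"]:
            ident = f"{s['kind']}:{s['name']}"
            if s["kind"] == "ServiceAccount":  # ServiceAccounts are namespaced identities
                ident += f"@{s['namespace']}"
            found.append((b["name"], ident))
    return found

def audit(roles, bindings):
    """Run both checks and return all findings as human-readable strings."""
    out = []
    for role in roles:
        out.extend(wildcard_findings(role))
    for binding, ident in cluster_admin_subjects(bindings):
        out.append(f"ClusterRoleBinding/{binding} grants cluster-admin to {ident}")
    return out

# Constructed samples: the page's pod-reader Role, an over-broad ClusterRole, and a CI SA bound to cluster-admin.
SAMPLE_ROLES = [
    {"kind": "Role", "name": "pod-reader",
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "name": "everything",
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "name": "ci-admin",
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"kind": "RoleBinding", "namespace": "default", "name": "deployment-manager-binding",
     "roleRef": {"kind": "Role", "name": "deployment-manager"},
     "subjects": [{"kind": "ServiceAccount", "name": "deploy-bot", "namespace": "default"}]},
]
```

Feeding it the objects exported from a cluster gives a review list where `pod-reader` is silent, `everything` is reported three times and `ci-admin` shows up as a cluster-admin grant.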

***

## RBAC Examples

### Read-only Access to Pods

```yaml theme={null}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
```

### Deployment Manager

```yaml theme={null}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-manager
  namespace: default
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

### Binding to a ServiceAccount

```yaml theme={null}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployment-manager-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: deploy-bot
  namespace: default
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: rbac.authorization.k8s.io
```

***

## Troubleshooting RBAC

### "Forbidden" Errors

When you see `Error from server (Forbidden)`:

1. Check which user/ServiceAccount is making the request
2. Find bindings for that subject
3. Verify the Role includes the necessary verb and resource
4. Check the correct namespace for RoleBindings

### Debugging Steps

1. **Check the user/SA:**
   * What identity is making the request?

2. **Find bindings:**
   * Search RoleBindings/ClusterRoleBindings for the subject

3. **Check the Role:**
   * Verify rules include the required verb + resource

4. **Namespace scope:**
   * Is it a namespaced resource? Is the RoleBinding in the right namespace?
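The four debugging steps above, and the "Checking a ServiceAccount's Permissions" pattern, are what the API server does on every request; the following added example (not Ankra's code) models that evaluation offline so a `Forbidden` can be traced to the missing binding or rule. The objects are constructed samples mirroring this page's YAML examples, plus an assumed `pod-viewer` ClusterRole bound to an assumed `sre` group.

```python
# Added example (not Ankra's code): an offline model of how the API server
# evaluates RBAC, so a Forbidden error can be traced to the missing binding or
# rule. The objects below are constructed samples mirroring this page's YAML.
DEPLOY_RULE = {"apiGroups": ["apps"], "resources": ["deployments"],
               "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}
READ_PODS = {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}
ROLES = [
    {"kind": "Role", "namespace": "default", "name": "deployment-manager", "rules": [DEPLOY_RULE]},
    {"kind": "Role", "namespace": "default", "name": "pod-reader", "rules": [READ_PODS]},
    {"kind": "ClusterRole", "namespace": None, "name": "pod-viewer", "rules": [READ_PODS]},
]
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "default", "name": "deployment-manager-binding",
     "subjects": [{"kind": "ServiceAccount", "name": "deploy-bot", "namespace": "default"}],
     "roleRef": {"kind": "Role", "name": "deployment-manager"}},
    {"kind": "ClusterRoleBinding", "namespace": None, "name": "all-pod-viewers",
     "subjects": [{"kind": "Group", "name": "sre"}],
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"}},
]

def subject_matches(subject, bound):
    """Kind and name must match; a ServiceAccount is also identified by its namespace."""
    if (subject["kind"], subject["name"]) != (bound["kind"], bound["name"]):
        return False
    return subject["kind"] != "ServiceAccount" or subject.get("namespace") == bound.get("namespace")

def rule_allows(rule, verb, api_group, resource):
    """A rule matches when each of its three lists contains the value or '*'."""
    checks = ((rule["apiGroups"], api_group), (rule["resources"], resource), (rule["verbs"], verb))
    return all(want in have or "*" in have for have, want in checks)

def bindings_for(subject, bindings=BINDINGS):
    """Debugging step 2: every RoleBinding/ClusterRoleBinding that names this subject."""
    return [b for b in bindings if any(subject_matches(subject, s) for s in b["subjects"])]

def can_i(subject, verb, api_group, resource, namespace, roles=ROLES, bindings=BINDINGS):
    """Return the name of the binding that grants the request, or None (Forbidden)."""
    for b in bindings_for(subject, bindings):
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue  # step 4: a RoleBinding only applies inside its own namespace
        ref = b["roleRef"]
        ref_ns = b["namespace"] if ref["kind"] == "Role" else None  # Roles live in the binding's namespace
        for role in roles:
            if (role["kind"], role["name"], role["namespace"]) != (ref["kind"], ref["name"], ref_ns):
                continue
            if any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
                return b["name"]  # step 3: a rule grants the verb on the resource
    return None
```

With these objects, `deploy-bot` can create deployments in `default` but gets `None` in `prod` (wrong namespace for the RoleBinding) and for `delete pods` (no rule), which is exactly the reasoning behind a `Forbidden` error.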

***

## Tips

<Tip>
  **Use Groups:** Bind roles to groups rather than individual users for easier management.
</Tip>

<Tip>
  **Audit Bindings:** Regularly review ClusterRoleBindings for `cluster-admin` access.
</Tip>

<Tip>
  **Namespace Isolation:** Use Roles and RoleBindings to isolate teams to their namespaces.
</Tip>

<Tip>
  **Service Account Tokens:** Disable automounting of tokens for pods that don't need cluster access.
</Tip>

***

Still have questions? [Join our Slack community](https://join.slack.com/t/ankra-community/shared_invite/zt-3a5rem8f8-cUho4epX2MoLT83bFf~VSA) and we'll help out.
