CKA Day 23 — Kubernetes RBAC Explained
Day 23 of the Tech Tutorials with Piyush 40-day CKA course. A hands-on deep-dive into namespace-scoped Role-Based Access Control: creating Roles, RoleBindings, testing permissions with kubectl auth can-i, and wiring a new user into kubeconfig.
Key Takeaways
RBAC End-to-End Workflow — The video demonstrates the complete cycle from user creation to permission enforcement: (1) create a user with client certificates and CSR, (2) create a Role defining allowed verbs/resources, (3) create a RoleBinding attaching the Role to the user, (4) verify with kubectl auth can-i, and (5) switch kubeconfig context to run commands as the new user.
Roles and RoleBindings (Namespace-Scoped) — A Role defines a set of rules (apiGroups, resources, verbs) within a single Namespace. A RoleBinding binds that Role to one or more subjects (User, Group, or ServiceAccount). The video creates a pod-reader Role granting get, list, watch on pods, then binds it to a new user “Krishna” via a read-pods RoleBinding. Without the Binding, the Role exists but grants no access.
API Groups: Core vs Named — Kubernetes resources belong to API groups. The “core” group has no suffix (e.g., v1 for Pods, Services, ConfigMaps) and is referenced in RBAC as "" (empty string). Named groups include apps (Deployments, DaemonSets), rbac.authorization.k8s.io (Roles, Bindings), networking.k8s.io (Ingress, NetworkPolicies), etc. The video clarifies that apiGroups: [""] in a Role means “core group resources only.”
Imperative RBAC Commands — For exam speed, roles and bindings can be generated without hand-writing YAML:
kubectl create role pod-reader --verb=get,list,watch --resource=pods --dry-run=client -o yaml
kubectl create rolebinding read-pods --role=pod-reader --user=krishna --dry-run=client -o yaml
Testing Permissions with auth can-i — The kubectl auth can-i <verb> <resource> --as <user> command impersonates a user to test their permissions without logging in as them. Before creating the RoleBinding, kubectl auth can-i get pods --as krishna returns no; after binding, it returns yes. This is the fastest way to debug RBAC on the CKA exam.
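To make the before/after behaviour of auth can-i concrete, here is a small Python model of the namespace-scoped RBAC decision. It is an added example, not code from the course or from Kubernetes itself; the Role and RoleBinding below are constructed as dicts mirroring the pod-reader and read-pods objects described above, and the model reproduces only the rules this page states (deny by default, "" is the core group, a Role grants nothing without a RoleBinding, and a Role applies only within its own namespace). It generalizes slightly by also accepting Group subjects and the "*" wildcard that RBAC rules allow.

```python
"""Toy model of the namespace-scoped RBAC decision that kubectl auth can-i reports."""

# Constructed manifests mirroring the lesson's pod-reader Role and read-pods
# RoleBinding (Python dicts in the same shape as the YAML).
POD_READER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "pod-reader", "namespace": "default"},
    "rules": [
        # apiGroups: [""] is the core group (pods, services, configmaps)
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
}

READ_PODS_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "default"},
    "subjects": [
        {"kind": "User", "name": "krishna", "apiGroup": "rbac.authorization.k8s.io"},
    ],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}


def _allows(allowed, wanted):
    """A rule field matches when it lists the value or the wildcard '*'."""
    return "*" in allowed or wanted in allowed


def rule_matches(rule, verb, resource, api_group):
    """All three fields of a rule must match; RBAC has no deny rules, only grants."""
    return (
        _allows(rule.get("verbs", []), verb)
        and _allows(rule.get("resources", []), resource)
        and _allows(rule.get("apiGroups", []), api_group)
    )


def subject_matches(subject, user, groups):
    """Bindings name Users or Groups here (ServiceAccounts are left to a later lesson)."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False


def can_i(objects, user, verb, resource, namespace, api_group="", groups=()):
    """Return "yes" or "no", like kubectl auth can-i <verb> <resource> --as <user> -n <namespace>."""
    roles = {
        (o["metadata"]["namespace"], o["metadata"]["name"]): o
        for o in objects
        if o["kind"] == "Role"
    }
    for binding in (o for o in objects if o["kind"] == "RoleBinding"):
        # A RoleBinding only takes effect in the namespace it lives in.
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            continue
        # roleRef must point at a Role in the same namespace; a dangling ref grants nothing.
        if binding["roleRef"]["kind"] != "Role":
            continue
        role = roles.get((namespace, binding["roleRef"]["name"]))
        if role is None:
            continue
        if any(rule_matches(r, verb, resource, api_group) for r in role.get("rules", [])):
            return "yes"
    return "no"  # deny by default: nothing granted the request


if __name__ == "__main__":
    before = [POD_READER_ROLE]                    # Role exists, no binding yet
    after = [POD_READER_ROLE, READ_PODS_BINDING]  # binding attached
    print("before binding:", can_i(before, "krishna", "get", "pods", "default"))     # no
    print("after binding: ", can_i(after, "krishna", "get", "pods", "default"))      # yes
    print("delete pods:   ", can_i(after, "krishna", "delete", "pods", "default"))   # no
    print("other ns:      ", can_i(after, "krishna", "get", "pods", "kube-system"))  # no
    print("deployments:   ", can_i(after, "krishna", "list", "deployments", "default", api_group="apps"))  # no
```

The last two checks are the ones that trip people up on the exam: the Role lives in default, so the same user gets "no" in kube-system, and deployments belong to the apps group, so a rule on the core group never matches them.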
Kubeconfig Credential Setup — To use a new user identity with kubectl, three kubectl config commands are required:
kubectl config set-credentials <user> --client-certificate=<path> --client-key=<path> — embeds the user’s certificate/key into the kubeconfig file
kubectl config set-context <context-name> --cluster=<cluster> --user=<user> — creates a context tuple (cluster + user)
kubectl config use-context <context-name> — switches the active context
After switching, kubectl config view shows the new user and context embedded in ~/.kube/config.
Certificate Expiry Trap — The video encounters a real-world certificate expiry issue: the “Adam” user certificate created in Day 21 had expired (validity set to 1 day). The presenter regenerates the certificate by creating a new CSR, approving it, and extracting the signed certificate data. This reinforces why production certificates need longer validity periods and renewal processes.
Counting Objects for the Exam — A common CKA task asks for the number of roles or bindings. Use --no-headers to suppress column headers and pipe to wc -l:
kubectl get roles --no-headers | wc -l
Direct REST API Access with curl — The video demonstrates calling the Kubernetes API server directly via curl instead of using kubectl. The command targets https://<control-plane-ip>:6443/api/v1/namespaces/default/pods and passes --key, --cert, and --cacert for mutual TLS authentication. This proves that kubectl is simply a REST API client wrapper.
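As an added example (not the video's command), the following Python shows the mapping that makes the curl call possible: which HTTP method and URL path each RBAC verb turns into, why core-group resources sit under /api/v1 while named groups sit under /apis/<group>/<version>, and how the three curl flags become a TLS client context. The control-plane hostname and certificate file names are placeholders; only the request-building functions run offline.

```python
"""Build the API server request behind a kubectl verb (added example, not from the lesson)."""
import ssl
import urllib.request

# RBAC verb -> HTTP method. get/list/watch are all GET: the API server tells them
# apart by whether the URL names a single object and whether ?watch=true is set.
VERB_TO_METHOD = {
    "get": "GET", "list": "GET", "watch": "GET",
    "create": "POST", "update": "PUT", "patch": "PATCH",
    "delete": "DELETE", "deletecollection": "DELETE",
}
NEEDS_NAME = {"get", "update", "patch", "delete"}
NO_NAME = {"list", "watch", "create", "deletecollection"}


def resource_path(resource, api_group="", version="v1", namespace=None, name=None):
    """Core group ("") lives under /api/<version>; named groups under /apis/<group>/<version>."""
    prefix = f"/api/{version}" if api_group == "" else f"/apis/{api_group}/{version}"
    parts = [prefix]
    if namespace is not None:  # cluster-scoped resources (nodes, namespaces) have no namespace segment
        parts.append(f"namespaces/{namespace}")
    parts.append(resource)
    if name is not None:
        parts.append(name)
    return "/".join(parts)


def build_request(verb, resource, api_group="", version="v1", namespace=None, name=None):
    """Return (HTTP method, URL path) for an RBAC verb applied to a resource."""
    if verb not in VERB_TO_METHOD:
        raise ValueError(f"unknown RBAC verb: {verb}")
    if verb in NEEDS_NAME and name is None:
        raise ValueError(f"{verb} requires a resource name")
    if verb in NO_NAME and name is not None:
        raise ValueError(f"{verb} applies to a collection, not a named object")
    path = resource_path(resource, api_group, version, namespace, name)
    if verb == "watch":
        path += "?watch=true"
    return VERB_TO_METHOD[verb], path


def mtls_context(cert, key, cacert):
    """curl --cert/--key authenticate the user; --cacert verifies the API server's certificate."""
    ctx = ssl.create_default_context(cafile=cacert)
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


def call_api(server, verb, resource, cert, key, cacert, **kwargs):
    """Perform the request against a live API server (needs real files and network access)."""
    method, path = build_request(verb, resource, **kwargs)
    req = urllib.request.Request(server + path, method=method)
    with urllib.request.urlopen(req, context=mtls_context(cert, key, cacert)) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Offline: the lesson's curl URL and two kubectl equivalents, resolved to method + path.
    print(build_request("list", "pods", namespace="default"))  # ('GET', '/api/v1/namespaces/default/pods')
    print(build_request("get", "deployments", "apps", namespace="default", name="web"))
    print(build_request("watch", "nodes"))
    # Online (placeholder host and file names; run only against a cluster you administer):
    # print(call_api("https://<control-plane-ip>:6443", "list", "pods",
    #                "krishna.crt", "krishna.key", "ca.crt", namespace="default"))
```

Seen this way, the pod-reader Role is a whitelist of (method, path-pattern) pairs: GET on the pods collection and on individual pods under /api/v1/namespaces/default/, and nothing else.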
Preview of Upcoming Security Topics — The next three videos will cover ClusterRole/ClusterRoleBinding (cluster-wide RBAC), ServiceAccounts (in-cluster workload identities), and NetworkPolicies (network-layer isolation), completing the security domain.
See Also
Wiki Concepts
- Kubernetes RBAC — Roles, RoleBindings, imperative commands, and exam patterns
- Kubernetes Authentication & Authorization — impersonation, auth can-i, and the auth pipeline
- Kubernetes Kubeconfig — set-credentials, set-context, use-context workflow
- Kubernetes Architecture — API server REST endpoint and direct curl access
- Kubernetes Namespaces — namespace-scoped RBAC boundaries
- TLS Fundamentals — client certificate generation and expiry
Related Sources
- CKA Day 22 — Kubernetes Authentication and Authorization Simply Explained — prerequisite covering authn/authz theory and kubeconfig
- CKA Day 21 — Manage TLS Certificates In a Kubernetes Cluster — CSR creation and certificate signing workflow
Creator / Entity
- Tech Tutorials with Piyush — creator of the 40daysofKubernetes CKA series