Cluster Roles | Kubernetes

In the RBAC authorization mode article we discussed that Role and RoleBinding are namespaced objects: they are created within a namespace, and if no namespace is specified they are created in the default namespace.

Generally, a namespace helps to group and isolate resources such as Pods, Deployments, Services and ReplicaSets. However, a few resources cannot be grouped into a namespace at all, Nodes for example (we cannot say that a Node belongs to namespace xyz). Nodes are cluster-wide resources and cannot be associated with any namespace.

In the RBAC article we already learnt how to authorize users to namespaced resources (Pod, Deployment, Service etc.) using Role and RoleBinding.

How do we authorize users to cluster wide resources?

Cluster-Scoped Resources

We use ClusterRole and ClusterRoleBinding. These two objects need to be created to authorize users to cluster-scoped resources.

1- Create a ClusterRole.

We can create a ClusterRole that allows a cluster administrator to create, view and delete Nodes in the cluster.

2- Link the user to the ClusterRole created in the first step. For this we need to create another object, a ClusterRoleBinding. Sample code as below.

Additional Notes:-

ClusterRole and ClusterRoleBinding are used for cluster-scoped resources, but this is not a hard rule: we can also create a ClusterRole for namespaced resources. If we do this and bind it with a ClusterRoleBinding, the user will have access to those resources across all namespaces.
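The two steps above and the note on namespaced resources, as an added example that is not from the original article: a ClusterRole granting Node management, bound to a user with a ClusterRoleBinding, followed by a ClusterRole on Pods that the same kind of binding makes effective in every namespace. The object names and the user name cluster-admin-user are assumptions.

```yaml
# Added example, not from the original article. Names below are assumptions.
# Step 1: a ClusterRole for the cluster-scoped Node resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-admin            # assumed name
rules:
- apiGroups: [""]             # Node lives in the core API group
  resources: ["nodes"]
  verbs: ["get", "list", "watch", "create", "delete"]
---
# Step 2: bind the user to that ClusterRole. Note the subject kind is User,
# which the API server matches against the authenticated user name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-admin-binding    # assumed name
subjects:
- kind: User
  name: cluster-admin-user    # assumed user name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-admin
  apiGroup: rbac.authorization.k8s.io
---
# Additional note: a ClusterRole on a namespaced resource (Pods) ...
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader            # assumed name
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# ... bound with a ClusterRoleBinding grants it in ALL namespaces.
# Binding the same ClusterRole with a namespaced RoleBinding instead
# would limit it to that one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pod-reader-all-namespaces   # assumed name
subjects:
- kind: User
  name: cluster-admin-user    # assumed user name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifest, `kubectl auth can-i delete nodes --as=cluster-admin-user` shows whether the binding took effect, and the same command with `list pods` checks the cross-namespace grant.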

