0
# RBAC Resources (rbac.authorization.k8s.io)
1
2
The RBAC API group provides role-based access control resources for security and permissions management in Kubernetes clusters. These resources enable fine-grained authorization policies for users, service accounts, and groups.
3
4
## Package Import
5
6
```typescript { .api }
7
import { rbac } from "@pulumi/kubernetes";
8
import * as k8s from "@pulumi/kubernetes";
9
10
// Direct RBAC imports
11
import { Role, RoleBinding, ClusterRole, ClusterRoleBinding } from "@pulumi/kubernetes/rbac/v1";
12
```
13
14
## Role (rbac/v1)
15
16
Role contains rules that represent a set of permissions within a particular namespace.
17
18
```typescript { .api }
19
class Role extends pulumi.CustomResource {
20
constructor(name: string, args?: RoleArgs, opts?: pulumi.CustomResourceOptions)
21
22
public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Role
23
24
// Output properties
25
public readonly apiVersion!: pulumi.Output<"rbac.authorization.k8s.io/v1">;
26
public readonly kind!: pulumi.Output<"Role">;
27
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
28
public readonly rules!: pulumi.Output<outputs.rbac.v1.PolicyRule[]>;
29
}
30
31
interface RoleArgs {
32
apiVersion?: pulumi.Input<"rbac.authorization.k8s.io/v1">;
33
kind?: pulumi.Input<"Role">;
34
metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
35
rules?: pulumi.Input<pulumi.Input<inputs.rbac.v1.PolicyRule>[]>;
36
}
37
```
38
39
### PolicyRule Structure
40
41
```typescript { .api }
42
interface PolicyRule {
43
apiGroups?: pulumi.Input<pulumi.Input<string>[]>; // API groups (e.g., "", "apps", "extensions")
44
resources?: pulumi.Input<pulumi.Input<string>[]>; // Resources (e.g., "pods", "services", "deployments")
45
verbs: pulumi.Input<pulumi.Input<string>[]>; // Actions (e.g., "get", "list", "create", "update", "delete")
46
resourceNames?: pulumi.Input<pulumi.Input<string>[]>; // Specific resource names (optional)
47
nonResourceURLs?: pulumi.Input<pulumi.Input<string>[]>; // Non-resource URLs (for ClusterRoles)
48
}
49
```
50
51
### Role Usage Examples
52
53
```typescript { .api }
54
// Pod reader role - read-only access to pods
55
const podReaderRole = new k8s.rbac.v1.Role("pod-reader", {
56
rules: [{
57
apiGroups: [""],
58
resources: ["pods"],
59
verbs: ["get", "list", "watch"],
60
}],
61
});
62
63
// Deployment manager role - full access to deployments
64
const deploymentManagerRole = new k8s.rbac.v1.Role("deployment-manager", {
65
rules: [{
66
apiGroups: ["apps"],
67
resources: ["deployments", "replicasets"],
68
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
69
}, {
70
apiGroups: [""],
71
resources: ["pods"],
72
verbs: ["get", "list", "watch"],
73
}],
74
});
75
76
// ConfigMap editor role - manage configuration
77
const configEditorRole = new k8s.rbac.v1.Role("config-editor", {
78
rules: [{
79
apiGroups: [""],
80
resources: ["configmaps", "secrets"],
81
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
82
}],
83
});
84
85
// Service account manager role - manage specific service accounts
86
const saManagerRole = new k8s.rbac.v1.Role("sa-manager", {
87
rules: [{
88
apiGroups: [""],
89
resources: ["serviceaccounts"],
90
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
91
}, {
92
apiGroups: [""],
93
resources: ["serviceaccounts/token"],
94
verbs: ["create"],
95
}],
96
});
97
98
// Limited resource access role - access specific named resources
99
const limitedAccessRole = new k8s.rbac.v1.Role("limited-access", {
100
rules: [{
101
apiGroups: [""],
102
resources: ["configmaps"],
103
resourceNames: ["app-config", "feature-flags"], // Only these specific ConfigMaps
104
verbs: ["get", "update"],
105
}],
106
});
107
```
108
109
## RoleBinding (rbac/v1)
110
111
RoleBinding grants the permissions defined in a Role to users, groups, or service accounts within a specific namespace.
112
113
```typescript { .api }
114
class RoleBinding extends pulumi.CustomResource {
115
constructor(name: string, args?: RoleBindingArgs, opts?: pulumi.CustomResourceOptions)
116
117
public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): RoleBinding
118
119
// Output properties
120
public readonly apiVersion!: pulumi.Output<"rbac.authorization.k8s.io/v1">;
121
public readonly kind!: pulumi.Output<"RoleBinding">;
122
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
123
public readonly subjects!: pulumi.Output<outputs.rbac.v1.Subject[]>;
124
public readonly roleRef!: pulumi.Output<outputs.rbac.v1.RoleRef>;
125
}
126
127
interface RoleBindingArgs {
128
apiVersion?: pulumi.Input<"rbac.authorization.k8s.io/v1">;
129
kind?: pulumi.Input<"RoleBinding">;
130
metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
131
subjects?: pulumi.Input<pulumi.Input<inputs.rbac.v1.Subject>[]>;
132
roleRef: pulumi.Input<inputs.rbac.v1.RoleRef>;
133
}
134
```
135
136
### Subject and RoleRef Types
137
138
```typescript { .api }
139
interface Subject {
140
kind: pulumi.Input<"User" | "Group" | "ServiceAccount">;
141
name: pulumi.Input<string>;
142
namespace?: pulumi.Input<string>; // Required for ServiceAccount subjects
143
apiGroup?: pulumi.Input<string>; // Required for User and Group subjects
144
}
145
146
interface RoleRef {
147
apiGroup: pulumi.Input<string>; // Usually "rbac.authorization.k8s.io"
148
kind: pulumi.Input<"Role" | "ClusterRole">;
149
name: pulumi.Input<string>;
150
}
151
```
152
153
### RoleBinding Usage Examples
154
155
```typescript { .api }
156
// Bind service account to pod reader role
157
const podReaderBinding = new k8s.rbac.v1.RoleBinding("pod-reader-binding", {
158
subjects: [{
159
kind: "ServiceAccount",
160
name: "pod-reader-sa",
161
namespace: "default",
162
}],
163
roleRef: {
164
apiGroup: "rbac.authorization.k8s.io",
165
kind: "Role",
166
name: podReaderRole.metadata.name,
167
},
168
});
169
170
// Bind user to deployment manager role
171
const deploymentManagerBinding = new k8s.rbac.v1.RoleBinding("deployment-manager-binding", {
172
subjects: [{
173
kind: "User",
174
name: "alice@example.com",
175
apiGroup: "rbac.authorization.k8s.io",
176
}],
177
roleRef: {
178
apiGroup: "rbac.authorization.k8s.io",
179
kind: "Role",
180
name: deploymentManagerRole.metadata.name,
181
},
182
});
183
184
// Bind multiple subjects to config editor role
185
const configEditorBinding = new k8s.rbac.v1.RoleBinding("config-editor-binding", {
186
subjects: [
187
{
188
kind: "User",
189
name: "developer-1",
190
apiGroup: "rbac.authorization.k8s.io",
191
},
192
{
193
kind: "User",
194
name: "developer-2",
195
apiGroup: "rbac.authorization.k8s.io",
196
},
197
{
198
kind: "ServiceAccount",
199
name: "config-manager-sa",
200
namespace: "default",
201
},
202
],
203
roleRef: {
204
apiGroup: "rbac.authorization.k8s.io",
205
kind: "Role",
206
name: configEditorRole.metadata.name,
207
},
208
});
209
210
// Bind group to role
211
const devTeamBinding = new k8s.rbac.v1.RoleBinding("dev-team-binding", {
212
subjects: [{
213
kind: "Group",
214
name: "dev-team",
215
apiGroup: "rbac.authorization.k8s.io",
216
}],
217
roleRef: {
218
apiGroup: "rbac.authorization.k8s.io",
219
kind: "Role",
220
name: deploymentManagerRole.metadata.name,
221
},
222
});
223
```
224
225
## ClusterRole (rbac/v1)
226
227
ClusterRole contains rules that represent a set of permissions across the entire cluster or for cluster-scoped resources.
228
229
```typescript { .api }
230
class ClusterRole extends pulumi.CustomResource {
231
constructor(name: string, args?: ClusterRoleArgs, opts?: pulumi.CustomResourceOptions)
232
233
public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ClusterRole
234
235
// Output properties
236
public readonly apiVersion!: pulumi.Output<"rbac.authorization.k8s.io/v1">;
237
public readonly kind!: pulumi.Output<"ClusterRole">;
238
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
239
public readonly rules!: pulumi.Output<outputs.rbac.v1.PolicyRule[]>;
240
public readonly aggregationRule!: pulumi.Output<outputs.rbac.v1.AggregationRule>;
241
}
242
243
interface ClusterRoleArgs {
244
apiVersion?: pulumi.Input<"rbac.authorization.k8s.io/v1">;
245
kind?: pulumi.Input<"ClusterRole">;
246
metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
247
rules?: pulumi.Input<pulumi.Input<inputs.rbac.v1.PolicyRule>[]>;
248
aggregationRule?: pulumi.Input<inputs.rbac.v1.AggregationRule>;
249
}
250
```
251
252
### ClusterRole Usage Examples
253
254
```typescript { .api }
255
// Cluster reader role - read access to most resources
256
const clusterReaderRole = new k8s.rbac.v1.ClusterRole("cluster-reader", {
257
rules: [
258
{
259
apiGroups: [""],
260
resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "configmaps", "secrets"],
261
verbs: ["get", "list", "watch"],
262
},
263
{
264
apiGroups: ["apps"],
265
resources: ["deployments", "daemonsets", "replicasets", "statefulsets"],
266
verbs: ["get", "list", "watch"],
267
},
268
{
269
apiGroups: ["networking.k8s.io"],
270
resources: ["ingresses", "networkpolicies"],
271
verbs: ["get", "list", "watch"],
272
},
273
],
274
});
275
276
// Node management role - manage nodes and node-related resources
277
const nodeManagerRole = new k8s.rbac.v1.ClusterRole("node-manager", {
278
rules: [
279
{
280
apiGroups: [""],
281
resources: ["nodes", "nodes/status", "nodes/metrics"],
282
verbs: ["get", "list", "watch", "patch", "update"],
283
},
284
{
285
apiGroups: ["metrics.k8s.io"],
286
resources: ["nodes", "pods"],
287
verbs: ["get", "list"],
288
},
289
],
290
});
291
292
// Persistent volume admin role - manage storage
293
const pvAdminRole = new k8s.rbac.v1.ClusterRole("pv-admin", {
294
rules: [
295
{
296
apiGroups: [""],
297
resources: ["persistentvolumes", "persistentvolumeclaims"],
298
verbs: ["*"], // All verbs
299
},
300
{
301
apiGroups: ["storage.k8s.io"],
302
resources: ["storageclasses", "volumeattachments", "csidrivers", "csinodes"],
303
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
304
},
305
],
306
});
307
308
// Monitoring role - access metrics and monitoring endpoints
309
const monitoringRole = new k8s.rbac.v1.ClusterRole("monitoring", {
310
rules: [
311
{
312
apiGroups: [""],
313
resources: ["nodes", "nodes/metrics", "services", "endpoints", "pods"],
314
verbs: ["get", "list", "watch"],
315
},
316
{
317
nonResourceURLs: ["/metrics", "/metrics/*"],
318
verbs: ["get"],
319
},
320
{
321
apiGroups: ["metrics.k8s.io"],
322
resources: ["*"],
323
verbs: ["get", "list"],
324
},
325
],
326
});
327
328
// Custom resource manager role
329
const crdManagerRole = new k8s.rbac.v1.ClusterRole("crd-manager", {
330
rules: [
331
{
332
apiGroups: ["apiextensions.k8s.io"],
333
resources: ["customresourcedefinitions"],
334
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
335
},
336
{
337
apiGroups: ["example.com"],
338
resources: ["*"],
339
verbs: ["*"],
340
},
341
],
342
});
343
344
// Aggregated role example - combines other roles
345
const aggregatedAdminRole = new k8s.rbac.v1.ClusterRole("aggregated-admin", {
346
aggregationRule: {
347
clusterRoleSelectors: [{
348
matchLabels: {
349
"rbac.example.com/aggregate-to-admin": "true",
350
},
351
}],
352
},
353
});
354
```
355
356
## ClusterRoleBinding (rbac/v1)
357
358
ClusterRoleBinding grants the permissions defined in a ClusterRole to users, groups, or service accounts across the entire cluster.
359
360
```typescript { .api }
361
class ClusterRoleBinding extends pulumi.CustomResource {
362
constructor(name: string, args?: ClusterRoleBindingArgs, opts?: pulumi.CustomResourceOptions)
363
364
public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ClusterRoleBinding
365
366
// Output properties
367
public readonly apiVersion!: pulumi.Output<"rbac.authorization.k8s.io/v1">;
368
public readonly kind!: pulumi.Output<"ClusterRoleBinding">;
369
public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
370
public readonly subjects!: pulumi.Output<outputs.rbac.v1.Subject[]>;
371
public readonly roleRef!: pulumi.Output<outputs.rbac.v1.RoleRef>;
372
}
373
374
interface ClusterRoleBindingArgs {
375
apiVersion?: pulumi.Input<"rbac.authorization.k8s.io/v1">;
376
kind?: pulumi.Input<"ClusterRoleBinding">;
377
metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
378
subjects?: pulumi.Input<pulumi.Input<inputs.rbac.v1.Subject>[]>;
379
roleRef: pulumi.Input<inputs.rbac.v1.RoleRef>;
380
}
381
```
382
383
### ClusterRoleBinding Usage Examples
384
385
```typescript { .api }
386
// Bind service account to cluster reader role
387
const clusterReaderBinding = new k8s.rbac.v1.ClusterRoleBinding("cluster-reader-binding", {
388
subjects: [{
389
kind: "ServiceAccount",
390
name: "monitoring-sa",
391
namespace: "monitoring",
392
}],
393
roleRef: {
394
apiGroup: "rbac.authorization.k8s.io",
395
kind: "ClusterRole",
396
name: clusterReaderRole.metadata.name,
397
},
398
});
399
400
// Bind admin user to cluster admin role
401
const clusterAdminBinding = new k8s.rbac.v1.ClusterRoleBinding("cluster-admin-binding", {
402
subjects: [{
403
kind: "User",
404
name: "admin@example.com",
405
apiGroup: "rbac.authorization.k8s.io",
406
}],
407
roleRef: {
408
apiGroup: "rbac.authorization.k8s.io",
409
kind: "ClusterRole",
410
name: "cluster-admin", // Built-in cluster role
411
},
412
});
413
414
// Bind SRE team to node manager role
415
const sreNodeManagerBinding = new k8s.rbac.v1.ClusterRoleBinding("sre-node-manager", {
416
subjects: [{
417
kind: "Group",
418
name: "sre-team",
419
apiGroup: "rbac.authorization.k8s.io",
420
}],
421
roleRef: {
422
apiGroup: "rbac.authorization.k8s.io",
423
kind: "ClusterRole",
424
name: nodeManagerRole.metadata.name,
425
},
426
});
427
```
428
429
## Complete RBAC Setup Examples
430
431
### Application Service Account with Minimal Permissions
432
433
```typescript { .api }
434
// Create namespace for application
435
const appNamespace = new k8s.core.v1.Namespace("my-app");
436
437
// Create service account
438
const appServiceAccount = new k8s.core.v1.ServiceAccount("app-sa", {
439
metadata: {
440
namespace: appNamespace.metadata.name,
441
},
442
});
443
444
// Create role with minimal required permissions
445
const appRole = new k8s.rbac.v1.Role("app-role", {
446
metadata: {
447
namespace: appNamespace.metadata.name,
448
},
449
rules: [
450
{
451
apiGroups: [""],
452
resources: ["configmaps"],
453
resourceNames: ["app-config"], // Only specific ConfigMap
454
verbs: ["get"],
455
},
456
{
457
apiGroups: [""],
458
resources: ["secrets"],
459
resourceNames: ["app-secrets"], // Only specific Secret
460
verbs: ["get"],
461
},
462
],
463
});
464
465
// Bind service account to role
466
const appRoleBinding = new k8s.rbac.v1.RoleBinding("app-role-binding", {
467
metadata: {
468
namespace: appNamespace.metadata.name,
469
},
470
subjects: [{
471
kind: "ServiceAccount",
472
name: appServiceAccount.metadata.name,
473
namespace: appNamespace.metadata.name,
474
}],
475
roleRef: {
476
apiGroup: "rbac.authorization.k8s.io",
477
kind: "Role",
478
name: appRole.metadata.name,
479
},
480
});
481
482
// Deployment using the service account
483
const appDeployment = new k8s.apps.v1.Deployment("my-app", {
484
metadata: {
485
namespace: appNamespace.metadata.name,
486
},
487
spec: {
488
replicas: 3,
489
selector: {
490
matchLabels: { app: "my-app" },
491
},
492
template: {
493
metadata: {
494
labels: { app: "my-app" },
495
},
496
spec: {
497
serviceAccountName: appServiceAccount.metadata.name,
498
containers: [{
499
name: "app",
500
image: "myapp:v1.0",
501
ports: [{ containerPort: 8080 }],
502
}],
503
},
504
},
505
},
506
});
507
```
508
509
### DevOps Team RBAC Setup
510
511
```typescript { .api }
512
// DevOps cluster role with broad permissions
513
const devopsClusterRole = new k8s.rbac.v1.ClusterRole("devops-role", {
514
rules: [
515
// Core resources
516
{
517
apiGroups: [""],
518
resources: ["*"],
519
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
520
},
521
// Apps resources
522
{
523
apiGroups: ["apps"],
524
resources: ["*"],
525
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
526
},
527
// Networking
528
{
529
apiGroups: ["networking.k8s.io"],
530
resources: ["*"],
531
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
532
},
533
// Storage
534
{
535
apiGroups: ["storage.k8s.io"],
536
resources: ["*"],
537
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
538
},
539
// RBAC (limited)
540
{
541
apiGroups: ["rbac.authorization.k8s.io"],
542
resources: ["roles", "rolebindings"],
543
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
544
},
545
// Metrics
546
{
547
apiGroups: ["metrics.k8s.io"],
548
resources: ["*"],
549
verbs: ["get", "list"],
550
},
551
],
552
});
553
554
// DevOps team binding
555
const devopsBinding = new k8s.rbac.v1.ClusterRoleBinding("devops-binding", {
556
subjects: [{
557
kind: "Group",
558
name: "devops-team@example.com",
559
apiGroup: "rbac.authorization.k8s.io",
560
}],
561
roleRef: {
562
apiGroup: "rbac.authorization.k8s.io",
563
kind: "ClusterRole",
564
name: devopsClusterRole.metadata.name,
565
},
566
});
567
568
// Development team namespace-scoped permissions
569
const devRole = new k8s.rbac.v1.Role("dev-role", {
570
metadata: {
571
namespace: "development",
572
},
573
rules: [
574
{
575
apiGroups: ["", "apps", "networking.k8s.io"],
576
resources: ["*"],
577
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
578
},
579
// Exclude secrets for security
580
{
581
apiGroups: [""],
582
resources: ["secrets"],
583
verbs: ["get", "list"], // Read-only access to secrets
584
},
585
],
586
});
587
588
const devBinding = new k8s.rbac.v1.RoleBinding("dev-binding", {
589
metadata: {
590
namespace: "development",
591
},
592
subjects: [{
593
kind: "Group",
594
name: "dev-team@example.com",
595
apiGroup: "rbac.authorization.k8s.io",
596
}],
597
roleRef: {
598
apiGroup: "rbac.authorization.k8s.io",
599
kind: "Role",
600
name: devRole.metadata.name,
601
},
602
});
603
```
604
605
### CI/CD Pipeline Service Account
606
607
```typescript { .api }
608
// CI/CD service account
609
const cicdServiceAccount = new k8s.core.v1.ServiceAccount("cicd-sa", {
610
metadata: {
611
namespace: "cicd-system",
612
},
613
});
614
615
// CI/CD cluster role with deployment permissions
616
const cicdClusterRole = new k8s.rbac.v1.ClusterRole("cicd-role", {
617
rules: [
618
// Core resources needed for deployments
619
{
620
apiGroups: [""],
621
resources: ["pods", "services", "configmaps", "secrets"],
622
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
623
},
624
// Apps resources for deployments
625
{
626
apiGroups: ["apps"],
627
resources: ["deployments", "daemonsets", "statefulsets", "replicasets"],
628
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
629
},
630
// Ingress for traffic routing
631
{
632
apiGroups: ["networking.k8s.io"],
633
resources: ["ingresses"],
634
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
635
},
636
// Service accounts for application deployments
637
{
638
apiGroups: [""],
639
resources: ["serviceaccounts"],
640
verbs: ["get", "list", "watch", "create", "update", "patch"],
641
},
642
// RBAC for application service accounts
643
{
644
apiGroups: ["rbac.authorization.k8s.io"],
645
resources: ["roles", "rolebindings"],
646
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
647
},
648
],
649
});
650
651
const cicdClusterRoleBinding = new k8s.rbac.v1.ClusterRoleBinding("cicd-binding", {
652
subjects: [{
653
kind: "ServiceAccount",
654
name: cicdServiceAccount.metadata.name,
655
namespace: "cicd-system",
656
}],
657
roleRef: {
658
apiGroup: "rbac.authorization.k8s.io",
659
kind: "ClusterRole",
660
name: cicdClusterRole.metadata.name,
661
},
662
});
663
```
664
665
## Resource Variants
666
667
All RBAC resources include the following variants:
668
669
### List Resources
670
- `RoleList`, `RoleBindingList`, `ClusterRoleList`, `ClusterRoleBindingList`
671
672
### Patch Resources
673
- `RolePatch`, `RoleBindingPatch`, `ClusterRolePatch`, `ClusterRoleBindingPatch`
674
675
```typescript { .api }
676
// Example patch operation
677
const rolePatch = new k8s.rbac.v1.RolePatch("update-role", {
678
metadata: {
679
name: "existing-role",
680
},
681
rules: [{
682
apiGroups: [""],
683
resources: ["pods", "services"], // Add services to existing role
684
verbs: ["get", "list", "watch", "create", "update"],
685
}],
686
});
687
```
688
689
## Best Practices
690
691
### RBAC Security Best Practices
692
693
1. **Principle of Least Privilege**: Grant minimum necessary permissions
694
2. **Use ServiceAccounts**: Create dedicated service accounts for applications
695
3. **Namespace Isolation**: Use Roles and RoleBindings for namespace-scoped permissions
696
4. **Regular Audits**: Regularly review and audit RBAC permissions
697
5. **Avoid Wildcards**: Be specific with resources and verbs instead of using "*"
698
699
### Permission Management
700
701
1. **Separate Concerns**: Create separate roles for different functions
702
2. **Group Management**: Use groups for managing team permissions
703
3. **Resource Names**: Use resourceNames for fine-grained access control
704
4. **Test Permissions**: Test RBAC configurations in development environments
705
5. **Documentation**: Document permission requirements and role purposes
706
707
The RBAC API group provides comprehensive authorization capabilities, enabling secure and fine-grained access control for Kubernetes clusters while supporting both application and administrative use cases.