RBAC Configuration Language
5 exercises — Master the vocabulary of Kubernetes RBAC — roles, bindings, verbs, and least privilege in professional English.
Quick reference: Kubernetes RBAC
- Role — namespace-scoped permissions; use for resources within a single namespace
- ClusterRole — cluster-wide permissions; use for cross-namespace or non-namespaced resources
- RoleBinding — grants the permissions of a Role (or of a ClusterRole, restricted to that namespace) to a Subject (User, Group, or ServiceAccount) within a single namespace
1 / 5
Your team is deploying a monitoring agent that only needs to read pod metrics in the monitoring namespace. Which RBAC resource type is most appropriate and why?
A Role is the correct choice when permissions should be confined to a single namespace — it cannot grant access to other namespaces or cluster-scoped resources.
A ClusterRole can be bound across the whole cluster with a ClusterRoleBinding, or confined to one namespace by referencing it from a RoleBinding, but it exists to express broader access and its rules are the same everywhere it is bound. For an agent that works in a single namespace, create a Role in that namespace and bind it with a RoleBinding. That limits the blast radius: if the agent's ServiceAccount token is stolen, the attacker can only perform the listed verbs on the listed resources inside the monitoring namespace, not across the cluster. Scope is only half of least privilege, though: the Role's rules should name just the verbs (get, list, watch) and resources the agent actually uses, with no wildcards. Always start with the narrowest scope and the smallest rule set, and widen only when something demonstrably fails.
Key vocabulary:
• Role — namespace-scoped permission set; only grants access within one namespace
• ClusterRole — cluster-scoped permission set; can grant access across all namespaces or to non-namespaced resources
• principle of least privilege — grant only the minimum permissions required for the task
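The manifests below are an added example, not part of the original exercise: a ServiceAccount, a namespace-scoped Role, and a RoleBinding that together give the monitoring agent read-only access to pods and pod metrics in the monitoring namespace and nothing else. The names metrics-agent, pod-metrics-reader and metrics-agent-pod-metrics are assumptions chosen for illustration; the pods resource in the metrics.k8s.io API group is what metrics-server serves.

```yaml
# Added example (not from the original page): least-privilege RBAC for the
# monitoring agent in the exercise. Object names are illustrative assumptions;
# the namespace "monitoring" is taken from the exercise text.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-agent
  namespace: monitoring
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                      # namespace-scoped: these rules apply only inside "monitoring"
metadata:
  name: pod-metrics-reader
  namespace: monitoring
rules:
  # Pod objects themselves, so the agent can discover what to scrape.
  # Read-only verbs only: no create/update/delete, no wildcards.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Per-pod CPU/memory usage served by the metrics API (metrics-server).
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding               # ties the Role to the ServiceAccount, still within "monitoring"
metadata:
  name: metrics-agent-pod-metrics
  namespace: monitoring
subjects:
  - kind: ServiceAccount
    name: metrics-agent
    namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role                    # a RoleBinding may also reference a ClusterRole; a plain Role keeps the rules local
  name: pod-metrics-reader
```

After applying the manifests, confirm the boundary holds by impersonating the agent's ServiceAccount: `kubectl auth can-i get pods.metrics.k8s.io --as=system:serviceaccount:monitoring:metrics-agent -n monitoring` should answer yes, the same command with `-n kube-system` should answer no, and `kubectl auth can-i delete pods --as=system:serviceaccount:monitoring:metrics-agent -n monitoring` should also answer no. The shortcut to avoid is binding a built-in ClusterRole such as view with a ClusterRoleBinding: that reads every namespace, which is exactly the blast radius the Role is meant to prevent.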