RBAC: Kubernetes RBAC grants permissions by binding roles (sets of allowed verbs on resources) to subjects (users, groups, service accounts) rather than attaching permissions directly to individuals. Permissions are purely additive: there are no deny rules, so anything not granted by some binding is denied.
What is the difference between a Role and a ClusterRole?
Role vs ClusterRole: a Role is namespaced and grants permissions only inside the namespace it lives in. A ClusterRole is not namespaced and is the only way to describe cluster-scoped resources (nodes, PersistentVolumes, namespaces themselves) and non-resource endpoints such as /healthz. Bound with a ClusterRoleBinding it applies cluster-wide; bound with a RoleBinding it applies only in that binding's namespace, which lets one rule set be defined once and reused across namespaces.
What does a RoleBinding do?
RoleBinding: the glue between a role and a subject. subjects: [{kind: User, name: alice, apiGroup: rbac.authorization.k8s.io}] grants Alice the permissions in the referenced Role (or ClusterRole) within the binding's namespace. Kubernetes has no User objects: the name must match the username the authenticator supplies (client-certificate CN, OIDC claim, and so on). A binding's roleRef is immutable; changing it means deleting and recreating the binding.
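The manifests behind the two cards above, as an added example that is not part of the original flashcard deck. The namespaces "payments" and "billing", the user "alice" and the role names are hypothetical; the API groups, kinds and fields are the real rbac.authorization.k8s.io/v1 ones.

```yaml
# Added example (not from the original flashcards). Names are hypothetical:
# namespaces "payments" and "billing", user "alice".
---
# A Role is namespaced: these rules exist only inside "payments".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: payments
rules:
- apiGroups: [""]            # "" is the core API group (configmaps, secrets, pods, ...)
  resources: ["configmaps"]
  verbs: ["get", "list"]
---
# RoleBinding: the glue. Alice gets configmap-reader's rules in "payments" only.
# A User subject needs apiGroup rbac.authorization.k8s.io; Kubernetes has no User
# objects, so "alice" must match the username supplied by the authenticator.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-reads-configmaps
  namespace: payments
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-scoped resources (PersistentVolumes, nodes) have no namespace, so only
# a ClusterRole can describe them and only a ClusterRoleBinding can grant them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pv-reader
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: alice-reads-pvs
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pv-reader
  apiGroup: rbac.authorization.k8s.io
---
# Reuse pattern: define the rule set once as a ClusterRole, then bind it with a
# RoleBinding per namespace. The grant is confined to the binding's namespace;
# nothing cluster-wide is conferred.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-reads-billing-secrets
  namespace: billing          # alice can read secrets in "billing" only
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole           # a RoleBinding may reference a ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```

After `kubectl apply -f` of the file, `kubectl auth can-i get configmaps -n payments --as alice` answers yes and the same query with `-n billing` answers no, while `kubectl auth can-i get secrets -n billing --as alice` answers yes. Two caveats worth checking on a real cluster: a ClusterRole that lists cluster-scoped resources grants nothing for them when it is attached through a RoleBinding, because those resources are not in any namespace; and since roleRef is immutable, pointing an existing binding at a different role requires deleting and recreating it.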
What is a service account in the RBAC context?
Service account: a pod authenticates to the API server with the token of its ServiceAccount (the namespace's default service account unless spec.serviceAccountName says otherwise), projected into the container at /var/run/secrets/kubernetes.io/serviceaccount/token. Its RBAC identity is system:serviceaccount:<namespace>:<name>. Binding a role to that service account grants the pod only the permissions it needs, the principle of least privilege; pods that never call the API should not mount a token at all (automountServiceAccountToken: false).
What does the principle of least privilege mean for Kubernetes RBAC?
Least privilege: a pod that only reads ConfigMaps should have a Role with get,list on configmaps only, bound to a service account used by that workload alone. Wildcards ("*" in verbs or resources), read access to secrets, and above all cluster-admin expand the blast radius: an attacker who gets code execution in the pod reads the mounted token and inherits every permission bound to it. Verify what a workload can actually do with kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<name> -n <namespace>.
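A least-privilege service-account setup for the two cards above (service accounts and least privilege), as an added example that is not part of the original flashcard deck, with the over-broad binding it replaces kept as a comment for contrast. The namespace "payments", the service account "app-reader" and the image reference are hypothetical; the fields and paths are the real Kubernetes ones.

```yaml
# Added example (not from the original flashcards). Hypothetical names:
# namespace "payments", service account "app-reader", image "registry.example/app:1.0".
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-reader
  namespace: payments
automountServiceAccountToken: false   # pods opt in explicitly; workloads that never call the API get no token
---
# Least privilege: only the verbs and resources the workload actually uses.
# No "*" wildcards, no secrets, no write verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: payments
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list"]
---
# ServiceAccount subjects carry a namespace instead of an apiGroup.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-configmaps
  namespace: payments
subjects:
- kind: ServiceAccount
  name: app-reader
  namespace: payments
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
# The pod authenticates as system:serviceaccount:payments:app-reader using the
# token projected at /var/run/secrets/kubernetes.io/serviceaccount/token.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: payments
spec:
  serviceAccountName: app-reader       # default would be the namespace's "default" SA
  automountServiceAccountToken: true   # this pod does call the API, so it opts in (pod setting wins over the SA's)
  containers:
  - name: app
    image: registry.example/app:1.0
# ANTI-PATTERN, kept as a comment so this file stays safe to apply. Binding
# cluster-admin to a namespace's default service account hands every pod that
# runs with that SA full control of the cluster: one RCE in any of those pods
# is a cluster takeover.
#
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRoleBinding
# metadata:
#   name: payments-default-admin
# subjects:
# - kind: ServiceAccount
#   name: default
#   namespace: payments
# roleRef:
#   kind: ClusterRole
#   name: cluster-admin
#   apiGroup: rbac.authorization.k8s.io
```

Check the result from outside the pod with `kubectl auth can-i list configmaps -n payments --as=system:serviceaccount:payments:app-reader` (yes) and `kubectl auth can-i get secrets -n payments --as=system:serviceaccount:payments:app-reader` (no); `kubectl auth can-i --list` with the same `--as` prints the full effective permission set, which is the quickest way to spot a wildcard or a stray cluster-admin binding before an attacker does.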