{"id":19788560,"url":"https://github.com/devopscube/kubenetes-rbac-resources-verbs","last_synced_at":"2026-03-04T19:02:18.186Z","repository":{"id":111375282,"uuid":"143770641","full_name":"devopscube/kubenetes-rbac-resources-verbs","owner":"devopscube","description":"This document has the detailed list of kubernetes RBAC resources and verb declarations","archived":false,"fork":false,"pushed_at":"2018-08-06T19:18:41.000Z","size":4,"stargazers_count":19,"open_issues_count":0,"forks_count":13,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-11T03:51:51.737Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/devopscube.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-06T18:59:37.000Z","updated_at":"2024-11-12T00:18:33.000Z","dependencies_parsed_at":null,"dependency_job_id":"a7a0991c-13ec-4125-ab92-d393d8a69c0d","html_url":"https://github.com/devopscube/kubenetes-rbac-resources-verbs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devopscube%2Fkubenetes-rbac-resources-verbs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devopscube%2Fkubenetes-rbac-resources-verbs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devopscube%2Fkubenetes-rbac-resources-verbs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devopscube%2Fkubenetes-rbac-resources-verbs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/devopscube","download_url":"https://codeload.github.com/devopscube/kubenetes-rbac-resources-verbs/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241125052,"owners_count":19913839,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-12T06:27:52.357Z","updated_at":"2026-03-04T19:02:18.100Z","avatar_url":"https://github.com/devopscube.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# kubenetes rbac roles, resources-verbs\n\n**Default Role**\nGiven to all users in the system, would help in discovery and common read only operations\n\n```yaml\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1alpha1\nmetadata:\n  name: default-reader\nrules:\n  - apiGroups: [\"\"]\n    resources:\n      - componentstatuses\n      - events\n      - endpoints\n      - namespaces\n      - nodes\n      - persistentvolumes\n      - resourcequotas\n      - services\n    verbs: [\"get\", \"watch\", \"list\"]\n  - nonResourceURLs: [\"*\"]\n    verbs: [\"get\", \"watch\", \"list\"]\n```\nAppropriate binding would be:\n```yaml\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1alpha1\nmetadata:\n  name: default-reader-role-binding\nsubjects:\n  - kind: User\n    name: \"*\"\nroleRef:\n  kind: ClusterRole\n  name: default-reader\n  apiVersion: rbac.authorization.k8s.io/v1alpha1\n```\n\n**Read all**\nCan be given to pseudo admins (like schedulers), for readonly operations. Not given by default to anyone. Can read everything except secrets\n```yaml\n---\napiVersion: rbac.authorization.k8s.io/v1alpha1\nkind: ClusterRole\nmetadata:\n  name: cluster-read-all\nrules:\n  -\n    apiGroups:\n      - \"\"\n      - apps\n      - autoscaling\n      - batch\n      - extensions\n      - policy\n      - rbac.authorization.k8s.io\n    resources:\n      - componentstatuses\n      - configmaps\n      - daemonsets\n      - deployments\n      - events\n      - endpoints\n      - horizontalpodautoscalers\n      - ingress\n      - jobs\n      - limitranges\n      - namespaces\n      - nodes\n      - pods\n      - persistentvolumes\n      - persistentvolumeclaims\n      - resourcequotas\n      - replicasets\n      - replicationcontrollers\n      - serviceaccounts\n      - services\n    verbs:\n      - get\n      - watch\n      - list\n  - nonResourceURLs: [\"*\"]\n    verbs:\n      - get\n      - watch\n      - list\n\n```\n\n**Cluster Administrator**\n```yaml\n---\napiVersion: rbac.authorization.k8s.io/v1alpha1\nkind: ClusterRole\nmetadata:\n  name: cluster-admin-all\nrules:\n  -\n    apiGroups:\n      - \"\"\n      - apps\n      - autoscaling\n      - batch\n      - extensions\n      - policy\n      - rbac.authorization.k8s.io\n    resources:\n      - componentstatuses\n      - configmaps\n      - daemonsets\n      - deployments\n      - events\n      - endpoints\n      - horizontalpodautoscalers\n      - ingress\n      - jobs\n      - limitranges\n      - namespaces\n      - nodes\n      - pods\n      - persistentvolumes\n      - persistentvolumeclaims\n      - resourcequotas\n      - replicasets\n      - replicationcontrollers\n      - serviceaccounts\n      - services\n    verbs: [\"*\"]\n  - nonResourceURLs: [\"*\"]\n    verbs: [\"*\"]\n```\n\n**Controller Manager**\nController manager needs access to almost all the resources in Kubernetes hence, we need to grant it top level admin access. Controller manager is actually a super user, so it can work even without a rolebinding.\n```yaml\n---\napiVersion: rbac.authorization.k8s.io/v1alpha1\nkind: ClusterRole\nmetadata:\n  name: cluster-controller-manager\nrules:\n  -\n    apiGroups:\n      # have access to everything except Secrets\n      - \"*\"\n    resources: [\"*\"]\n    verbs: [\"*\"]\n  - nonResourceURLs: [\"*\"]\n    verbs: [\"*\"]\n```\n\n**Kubelet**\n\nTo spin up pods and update node and pod status the kubelet would need the following role and binding:\n```yaml\napiVersion: rbac.authorization.k8s.io/v1alpha1\nkind: ClusterRole\nmetadata: \n  name: kubelet-runtime\nrules:\n- apiGroups:\n  - \"\"\n  attributeRestrictions: null\n  resources:\n  - configmaps\n  - persistentvolumes\n  - persistentvolumeclaims\n  - secrets\n  - services\n  - healthz\n  verbs:\n  - get\n  - watch\n  - list\n- attributeRestrictions: null\n  nonResourceURLs:\n  - '*'\n  verbs:\n  - get\n  - watch\n  - list\n- apiGroups:\n  - \"\"\n  attributeRestrictions: null\n  resources:\n  - events\n  - nodes\n  - nodes/status\n  - pods\n  - pods/status\n  verbs:\n  - '*'\n- attributeRestrictions: null\n  nonResourceURLs:\n  - '*'\n  verbs:\n  - '*'\n```\n\nThe appropriate binding would be:\n```yaml\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1alpha1\nmetadata:\n  name: kubelet-role-binding\nsubjects:\n  - kind: User\n    name: kubelet\nroleRef:\n  kind: ClusterRole\n  name: kubelet-runtime\n  apiVersion: rbac.authorization.k8s.io/v1alpha1\n```\n\n* For kubelet to check apiserver `healthz`:\n```yaml\napiVersion: rbac.authorization.k8s.io/v1alpha1\nkind: ClusterRole\nmetadata:\n  name: healthz-reader-role\nrules:\n  -\n    apiGroups:\n      - \"\"\n    resources: []\n    verbs: [\"get\"]\n  - nonResourceURLs: [\"*\"]\n    verbs: [\"get\"]\n```\nThe reason we made this explicit healthz binding is to make sure only the healthz is allowed access by everyone. Not only kubelet, but other monitoring systems can usee healthz in the future and hence granting access to all users\n```yaml\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1alpha1\nmetadata:\n  name: healthz-role-binding\nsubjects:\n  - kind: User\n    name: \"*\"\nroleRef:\n  kind: ClusterRole\n  name: healthz-reader-role\n  apiVersion: rbac.authorization.k8s.io/v1alpha1\n```\n\n**Scheduler**\nScheduler needs the following roles:\n\n```yaml\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1alpha1\nmetadata:\n  name: scheduler\nrules:\n  - apiGroups: [\"\"]\n    resources: [\"endpoints\"]\n    verbs: [\"*\"]\n  - nonResourceURLs: [\"*\"]\n    verbs: [\"*\"]\n  - apiGroups: [\"\"]\n    resources: [\"pods\"]\n    verbs: [\"update\"]\n    nonResourceURLs: [\"\"]\n    verbs: [\"*\"]\n```\n\nneeds the following role bindings:\n```yaml\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1alpha1\nmetadata:\n  name: scheduler-role-binding\nsubjects:\n  - kind: User\n    name: system:scheduler\nroleRef:\n  kind: ClusterRole\n  name: cluster-read-all\n  apiVersion: rbac.authorization.k8s.io/v1alpha1\n```\nand also\n```yaml\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1alpha1\nmetadata:\n  name: scheduler-role-binding\nsubjects:\n  - kind: User\n    name: system:scheduler\nroleRef:\n  kind: ClusterRole\n  name: scheduler\n  apiVersion: rbac.authorization.k8s.io/v1alpha1\n```\n\n**Kube Proxy** \nNeeds the following:\n```yaml\n---\napiVersion: rbac.authorization.k8s.io/v1alpha1\nkind: ClusterRole\nmetadata:\n  name: kube-proxy-role\nrules:\n  -\n    apiGroups:\n      - \"\"\n    resources:\n      - endpoints\n      - events\n      - services\n      - nodes\n    verbs: [\"get\", \"watch\", \"list\"]\n  - nonResourceURLs: [\"*\"]\n    verbs: [\"get\", \"watch\", \"list\"]\n  -\n    apiGroups:\n      - \"\"\n    resources:\n      - events\n    verbs: [\"*\"]\n  - nonResourceURLs: [\"*\"]\n    verbs: [\"*\"]\n```\n\n```yaml\n# This cluster role binding allows anyone in the \"manager\" group to read secrets in any namespace.\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1alpha1\nmetadata:\n  name: kubeproxy-role-binding\nsubjects:\n  - kind: User\n    name: kube_proxy\nroleRef:\n  kind: ClusterRole\n  name: kube-proxy-role\n  apiVersion: rbac.authorization.k8s.io/v1alpha1\n```\n\n\n**Kube Proxy**\n```yaml\n---\napiVersion: rbac.authorization.k8s.io/v1alpha1\nkind: ClusterRole\nmetadata:\n  name: kube-proxy-role\nrules:\n  -\n    apiGroups:\n      - \"\"\n    resources:\n      - endpoints\n      - events\n      - services\n      - nodes\n    verbs: [\"get\", \"watch\", \"list\"]\n  - nonResourceURLs: [\"*\"]\n    verbs: [\"get\", \"watch\", \"list\"]\n  -\n    apiGroups:\n      - \"\"\n    resources:\n      - events\n    verbs: [\"*\"]\n  - nonResourceURLs: [\"*\"]\n    verbs: [\"*\"]\n\n```\nAnd the corresponding binding\n\n```yaml\nkind: RoleBinding\napiVersion: rbac.authorization.k8s.io/v1alpha1\nmetadata:\n  name: kube-system-sa-admin\n  namespace: kube-system\nsubjects:\n  - kind: ServiceAccount\n    name: default\n    namespace: kube-system\nroleRef:\n  kind: Role\n  namespace: kube-system\n  name: kube-system-admin\n  apiVersion: rbac.authorization.k8s.io/v1alpha1\n```\n\n**Kube System Components:**\nLong term plan should be to move components out of kube-system into appropriate namespaces. DNS, Monitoring etc.\n\nThe following is a `Role` and grants access only within the kube-system namespace\n```yaml\nkind: Role\napiVersion: rbac.authorization.k8s.io/v1alpha1\nmetadata:\n  namespace: kube-system\n  name: kube-system-admin\nrules:\n  - apiGroups: [\"*\"]\n    resources: [\"*\"]\n    verbs: [\"*\"]\n```\n\nAppropriate binding:\n```yaml\nkind: RoleBinding\napiVersion: rbac.authorization.k8s.io/v1alpha1\nmetadata:\n  name: kube-system-sa-admin\n  namespace: kube-system\nsubjects:\n  - kind: ServiceAccount\n    name: default\n    namespace: kube-system\nroleRef:\n  kind: Role\n  namespace: kube-system\n  name: kube-system-admin\n  apiVersion: rbac.authorization.k8s.io/v1alpha1\n```\n  \nRead all for dns and monitoring to work\n```yaml\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1alpha1\nmetadata:\n  name: kube-system-readall-role-binding\nsubjects:\n  - kind: ServiceAccount\n    name: default\n    namespace: kube-system\nroleRef:\n  kind: ClusterRole\n  name: cluster-read-all\n  apiVersion: rbac.authorization.k8s.io/v1alpha1\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevopscube%2Fkubenetes-rbac-resources-verbs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevopscube%2Fkubenetes-rbac-resources-verbs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevopscube%2Fkubenetes-rbac-resources-verbs/lists"}