List of Kubernetes RBAC rule verbs
Introduction
Kubernetes Role-Based Access Control (RBAC) is an essential mechanism that governs how users, applications, or processes interact with the Kubernetes API server. It grants users permissions based on rules that define how they can interact with the resources within the cluster. Understanding RBAC verbs is crucial for efficiently defining access policies. These verbs specify the actions that can be performed on various Kubernetes resources.
Overview of Kubernetes RBAC
Kubernetes RBAC uses roles and role bindings to permit access to resources. A Role contains a set of rules, each composed of verbs, resources and (optionally) resource names, and the Role itself is scoped to a namespace. Role bindings assign these roles to users, groups or service accounts, ensuring that only authorized subjects can perform the specified actions. RBAC is purely additive: there are no deny rules, so a request is allowed if any rule in any bound role permits it.
RBAC Rule Verbs
The verbs in RBAC define the operations that the subjects can perform. Here's a breakdown of the primary RBAC verbs:
1. get
The get verb allows a subject to retrieve a single, named resource, such as a Pod, Service or ConfigMap. When a user or service account is granted this permission, they can run kubectl get <resource> <name> to view the details of that resource. Note that get alone does not permit listing all resources of that type; that requires the separate list verb.
2. list
The list verb is used when you need to retrieve all resources of a particular type, optionally narrowed by a label or field selector. With this access, kubectl get <resource> can be used with or without additional filters. Because a list response contains the full contents of every object returned, granting list on Secrets exposes their values even when get is not granted.
3. watch
The watch verb allows a subject to monitor changes to resources over time (for example with kubectl get <resource> --watch) without repeatedly polling the API server. Controllers and operators typically need list and watch together.
4. create
The create verb permits the creation of new resources within the cluster, for example deploying a new Pod or Service. Because the name of a new object may not be known at request time, create grants cannot be restricted with resourceNames.
5. update
The update verb allows a subject to replace an existing resource in full (for example with kubectl replace). This is necessary for changing configurations or updating items like Secrets and ConfigMaps.
6. patch
The patch verb lets users apply partial updates to resources (for example with kubectl patch). Unlike update, patch modifies only a subset of fields within a resource. The two are separate verbs: a Role that grants update does not implicitly grant patch, and vice versa.
7. delete
The delete verb provides the ability to remove a named resource from the cluster (kubectl delete <resource> <name>). It's critical to grant this permission judiciously, as it directly affects resource availability.
8. deletecollection
The deletecollection verb is distinct from delete: it allows removing an entire collection of resources in a single API request, typically selected by label. Like create, it cannot be restricted with resourceNames, so a deletecollection grant on a resource type covers every object of that type in the namespace.
9. impersonate
The impersonate verb allows a subject to make API requests as another user, group or service account (for example with kubectl --as <user>). This is often used for debugging or operational purposes, and because it effectively confers the target identity's permissions on the impersonator, it should be tightly controlled.
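To make the distinctions between these verbs concrete, the following added example (not code from the original article or from any Kubernetes project) models how a Role's rules are matched against a request, in the spirit of kubectl auth can-i, and audits a Role for grants that violate least privilege. The Roles are constructed manifests written as Python dicts with the same structure as the YAML objects; can_i is a deliberately simplified model of the API server's RBAC authorizer, and the names pod-reader, app-config and everything are assumptions.

```python
"""Model RBAC verb matching and audit a Role for over-broad grants.
Added example: constructed Roles, simplified authorizer logic."""

# Constructed Role: read-only Pods plus partial updates to one named ConfigMap.
POD_READER = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "pod-reader", "namespace": "demo"},
    "rules": [
        # get, list and watch are separate verbs; granting one does not imply the others.
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        # resourceNames limits the grant to one object; patch does not imply update.
        {"apiGroups": [""], "resources": ["configmaps"],
         "resourceNames": ["app-config"], "verbs": ["patch"]},
    ],
}

# Constructed Role using wildcards everywhere: the pattern an auditor should flag.
WILDCARD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "everything", "namespace": "demo"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# The verbs discussed on the page; a '*' in a rule expands to all of them.
ALL_VERBS = frozenset({"get", "list", "watch", "create", "update", "patch",
                       "delete", "deletecollection", "impersonate"})

# Verbs whose request names no single object, so a rule carrying resourceNames
# cannot grant them (a simplification of the API server's handling).
UNNAMED_VERBS = frozenset({"list", "watch", "create", "deletecollection"})


def _matches(allowed, value):
    """A rule field matches when it lists the value or the wildcard '*'."""
    return "*" in allowed or value in allowed


def can_i(role, verb, resource, api_group="", name=None):
    """Answer like `kubectl auth can-i VERB RESOURCE`: True if any rule permits it.
    RBAC is additive, so the first matching rule wins and there are no denies."""
    for rule in role["rules"]:
        if not _matches(rule.get("apiGroups", []), api_group):
            continue
        if not _matches(rule.get("resources", []), resource):
            continue
        if not _matches(rule.get("verbs", []), verb):
            continue
        names = rule.get("resourceNames")
        if names and (verb in UNNAMED_VERBS or name is None or name not in names):
            continue
        return True
    return False


def effective_grants(role):
    """Expand a Role into the set of (resource, verb) pairs it allows."""
    grants = set()
    for rule in role["rules"]:
        verbs = ALL_VERBS if "*" in rule.get("verbs", []) else set(rule.get("verbs", []))
        for resource in rule.get("resources", []):
            for verb in verbs:
                grants.add((resource, verb))
    return grants


def audit(role):
    """Return reviewer findings for grants that weaken least privilege:
    wildcards, impersonate and deletecollection. Empty list means nothing flagged."""
    findings = []
    for i, rule in enumerate(role["rules"]):
        verbs = rule.get("verbs", [])
        if "*" in verbs or "*" in rule.get("resources", []) or "*" in rule.get("apiGroups", []):
            findings.append(f"rule {i}: wildcard grant")
        if "impersonate" in verbs:
            findings.append(f"rule {i}: impersonate lets the subject act as other identities")
        if "deletecollection" in verbs:
            findings.append(f"rule {i}: deletecollection removes many objects in one request")
    return findings


if __name__ == "__main__":
    for verb, resource, name in [("get", "pods", "web-0"), ("delete", "pods", "web-0"),
                                 ("patch", "configmaps", "app-config"),
                                 ("update", "configmaps", "app-config")]:
        print(f"pod-reader can {verb} {resource}/{name}: "
              f"{can_i(POD_READER, verb, resource, name=name)}")
    print("pod-reader findings:", audit(POD_READER))
    print("everything findings:", audit(WILDCARD_ROLE))
```

Against a real cluster the equivalent check is kubectl auth can-i <verb> <resource>, optionally with --as to test a specific identity; the audit function is the kind of check worth running over every Role and ClusterRole manifest in a repository before it is applied, since a single wildcard rule silently grants all nine verbs, impersonate included.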
Summary Table
To summarize the key functionalities of each verb, consider the following table:
| Verb | Description |
| --- | --- |
| get | Retrieve a specific, named resource's information. |
| list | List all resources of a particular type. |
| watch | Observe changes to resources over time. |
| create | Add new resources to the cluster. |
| update | Replace existing resources in full. |
| patch | Partially modify existing resources. |
| delete | Remove a named resource. |
| deletecollection | Remove a collection of resources in one request. |
| impersonate | Make requests as another user, group or service account. |
Conclusion
Kubernetes RBAC verbs offer a fine-grained way to define what actions can be performed on resources within a cluster. By structuring RBAC policies using these verbs, organizations can ensure that their Kubernetes environment adheres to security best practices. Remember, the principle of least privilege should guide the assignment of permissions, granting only what is necessary for users and services to function effectively.

