Key Concepts
RoleBinding
A namespace-scoped binding that grants Role or ClusterRole permissions to subjects within a namespace.
Role Reference
The Role or ClusterRole whose permissions are being granted by this binding.
Subjects
The users, groups, or service accounts receiving the permissions.
System Binding
Built-in bindings managed by Kubernetes (prefixed with
system: or kubeadm:).RoleBindings are namespace-scoped resources. They can reference either a Role (same namespace) or a ClusterRole, but permissions are always limited to the RoleBinding’s namespace.
Required Permissions
| Action | Permission |
|---|---|
| View RoleBindings | iam:project:infrastructure:kubernetes:read |
| Create RoleBinding | iam:project:infrastructure:kubernetes:write |
| Edit RoleBinding | iam:project:infrastructure:kubernetes:write |
| Delete RoleBinding | iam:project:infrastructure:kubernetes:delete |
Binding Types
| Type | Description |
|---|---|
| System | Built-in Kubernetes bindings (cannot be deleted) |
| Custom | User-created bindings |
Subject Types
| Type | Description |
|---|---|
| User | A human user authenticated to the cluster |
| Group | A collection of users (e.g., system:authenticated) |
| ServiceAccount | A Kubernetes service account for pods |
How to View RoleBindings
How to View RoleBinding Details
How to Create a RoleBinding
Write YAML
Enter the RoleBinding manifest in YAML format. Key fields:
metadata.namespace- Target namespaceroleRef- Reference to the Role or ClusterRole to bindsubjects- List of users, groups, or service accounts
How to Edit a RoleBinding
How to Delete a RoleBinding
Example RoleBindings
Bind Role to User
Bind ClusterRole to Namespace
Grant Permissions to ServiceAccount
Multiple Subjects
Subject Reference Format
| Field | Description |
|---|---|
| kind | Type of subject: User, Group, or ServiceAccount |
| name | Name of the user, group, or service account |
| namespace | Required for ServiceAccounts, empty for Users/Groups |
| apiGroup | rbac.authorization.k8s.io for Users/Groups, empty for ServiceAccounts |
RoleBinding vs ClusterRoleBinding
| Aspect | RoleBinding | ClusterRoleBinding |
|---|---|---|
| Scope | Single namespace | Cluster-wide |
| Can reference | Role or ClusterRole | ClusterRole only |
| Permissions apply to | Resources in binding’s namespace | All namespaces |
| Use case | Team/app specific access | Cluster-wide access |
Troubleshooting
User cannot access namespace resources
User cannot access namespace resources
- Verify a RoleBinding exists in the correct namespace
- Check the subject name matches exactly (case-sensitive)
- Verify the referenced Role or ClusterRole has the needed permissions
- Use
kubectl auth can-i --as=<user> -n <namespace>to test permissions - Check for typos in user/group names
ServiceAccount permissions not working
ServiceAccount permissions not working
- Verify the namespace is specified in the subject
- Check the ServiceAccount exists in that namespace
- Ensure pods are using the correct ServiceAccount
- Verify the RoleBinding is in the same namespace as the pod
Cannot delete RoleBinding
Cannot delete RoleBinding
- System bindings cannot be deleted
- Verify you have delete permission
- Check for finalizers blocking deletion
Changes not taking effect
Changes not taking effect
- RBAC changes are immediate
- Clear any client-side caching
- Verify the binding was actually updated
- Check if there are conflicting bindings
Cannot change roleRef
Cannot change roleRef
- roleRef is immutable after creation
- Delete the binding and create a new one
- This is by design to prevent privilege escalation
ClusterRole permissions not working in namespace
ClusterRole permissions not working in namespace
- Verify the RoleBinding references the ClusterRole correctly
- Check the RoleBinding is in the target namespace
- Ensure the ClusterRole has the necessary rules
- ClusterRole permissions are limited to the RoleBinding’s namespace
FAQ
What is the difference between RoleBinding and ClusterRoleBinding?
What is the difference between RoleBinding and ClusterRoleBinding?
RoleBinding grants permissions only within a single namespace. It can reference either a Role or ClusterRole.ClusterRoleBinding grants permissions cluster-wide across all namespaces and can only reference ClusterRoles.
Can a RoleBinding reference a ClusterRole?
Can a RoleBinding reference a ClusterRole?
Yes. A RoleBinding can reference a ClusterRole, but permissions are limited to the RoleBinding’s namespace. This is useful for reusing common roles across namespaces without granting cluster-wide access.
Why can't I change the roleRef?
Why can't I change the roleRef?
The
roleRef is immutable to prevent privilege escalation. If you could change it, you could escalate permissions without delete access. To change the role, delete and recreate the binding.How do I grant the same permissions in multiple namespaces?
How do I grant the same permissions in multiple namespaces?
You have two options:
- Create separate RoleBindings in each namespace referencing the same Role (requires Role in each namespace)
- Create a ClusterRole and bind it with RoleBindings in each namespace (recommended)
Can multiple bindings reference the same role?
Can multiple bindings reference the same role?
Yes. You can have multiple RoleBindings referencing the same Role or ClusterRole, each with different subjects. Permissions are additive.
What happens when I delete a user's binding?
What happens when I delete a user's binding?
The user immediately loses the permissions granted by that binding in that namespace. If they have other bindings (in this or other namespaces), those permissions remain. RBAC changes take effect instantly.
Can a ServiceAccount from another namespace be a subject?
Can a ServiceAccount from another namespace be a subject?
Yes. You can grant permissions to a ServiceAccount from any namespace. Specify both the name and namespace in the subject. The ServiceAccount will have permissions in the RoleBinding’s namespace.
What happens if the referenced Role doesn't exist?
What happens if the referenced Role doesn't exist?
The RoleBinding is created but grants no permissions. Subjects will not have access to any resources until the referenced Role is created. Kubernetes does not validate that the roleRef exists.