
6.12 Cluster Roles & ClusterRoleBindings (RBAC)

Abstract

ClusterRoles and ClusterRoleBindings extend Kubernetes RBAC to control access to cluster-scoped resources and resources across all namespaces.
They are essential for administrators, platform teams, and infrastructure automation in production clusters.


Why Cluster Roles Exist

In Kubernetes, resources are divided into two types:

| Resource Type | Example |
|---|---|
| Namespaced resources | Pods, Deployments, Services, Secrets |
| Cluster-scoped resources | Nodes, PersistentVolumes, ClusterRoles |

Roles only work within a namespace.

ClusterRoles allow you to control access to cluster-wide resources.

Note

Nodes and persistent volumes are cluster-level resources, so they cannot belong to a namespace.


RBAC Scope Overview

| RBAC Object | Scope |
|---|---|
| Role | Namespace |
| RoleBinding | Namespace |
| ClusterRole | Cluster-wide |
| ClusterRoleBinding | Cluster-wide |

ClusterRole

A ClusterRole defines permissions for cluster-level resources.

Example: Allow viewing nodes.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]

Apply it:

kubectl apply -f cluster-role.yaml

ClusterRoleBinding

A ClusterRoleBinding links a subject (a user, group, or service account) to a ClusterRole.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-node-reader-binding
subjects:
- kind: User
  name: cluster-admin-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-node-reader
  apiGroup: rbac.authorization.k8s.io

Apply:

kubectl apply -f cluster-role-binding.yaml

Important Behavior

ClusterRoles are mainly used for:

  • Nodes
  • PersistentVolumes
  • StorageClasses
  • CertificateSigningRequests (CSR)
  • Namespaces

But they can also grant access to namespaced resources across the entire cluster.

Example:

resources: ["pods"]

Bound through a ClusterRoleBinding, this grants access to pods in every namespace. (The same ClusterRole referenced from a RoleBinding is limited to that binding's namespace.)

Warning

Granting cluster-wide access to namespace resources can expose the entire cluster.


Viewing Cluster Roles

List cluster roles:

kubectl get clusterroles

List cluster role bindings:

kubectl get clusterrolebindings

Describe cluster role:

kubectl describe clusterrole cluster-node-reader

Built-in Cluster Roles

Kubernetes automatically creates several default cluster roles.

Common ones include:

| Role | Purpose |
|---|---|
| cluster-admin | Full cluster control |
| admin | Full control within a namespace (including creating Roles and RoleBindings there) |
| edit | Modify resources within a namespace |
| view | Read-only access |

Tip

Always prefer view or edit roles before granting cluster-admin.


Production Use Cases

ClusterRoles are typically used for:

| Role | Permissions |
|---|---|
| Cluster administrator | Manage nodes, storage, policies |
| Monitoring systems | Read metrics and resources |
| CI/CD systems | Deploy applications |
| Storage administrators | Manage persistent volumes |

Production Best Practices

DO

Success

  • Use ClusterRoles only when cluster-wide access is required
  • Prefer Role + RoleBinding for namespace access
  • Use groups instead of individual users
  • Regularly audit ClusterRoleBindings
  • Follow least privilege principle

DON'T

Danger

  • Do NOT give cluster-admin to developers
  • Do NOT use * wildcard verbs
  • Do NOT grant cluster-wide access unnecessarily
  • Do NOT bind service accounts with excessive permissions
  • Do NOT expose admin credentials
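An added example (not from the original page) of the audit the list above asks for: it reads the JSON that `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` return (here a constructed sample embedded inline) and flags cluster-admin bindings, wildcard rules, and namespaced resources that a ClusterRoleBinding turns into cluster-wide access. The resource names in `NAMESPACED` are an assumed starting list, not an exhaustive one.

```python
import json

# Constructed sample (not from a real cluster) in the shape of
# `kubectl get clusterroles -o json` / `kubectl get clusterrolebindings -o json`,
# trimmed to the fields the audit reads.
CLUSTERROLES_JSON = """{"items": [
 {"metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "cluster-node-reader"},
  "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}]},
 {"metadata": {"name": "ci-deployer"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["*"]}]}
]}"""
BINDINGS_JSON = """{"items": [
 {"metadata": {"name": "cluster-node-reader-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-node-reader"},
  "subjects": [{"kind": "User", "name": "cluster-admin-user"}]},
 {"metadata": {"name": "dev-team-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "developers"}]},
 {"metadata": {"name": "ci-deployer-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]}
]}"""

# Assumed list of namespaced resources that become cluster-wide once granted via a ClusterRoleBinding.
NAMESPACED = {"pods", "secrets", "configmaps", "deployments", "services"}


def audit(clusterroles_json, bindings_json):
    """Return (binding name, finding) pairs for ClusterRoleBindings worth reviewing."""
    roles = {r["metadata"]["name"]: r.get("rules", [])
             for r in json.loads(clusterroles_json)["items"]}
    findings = []
    for b in json.loads(bindings_json)["items"]:
        name, ref = b["metadata"]["name"], b["roleRef"]
        subjects = ", ".join(f'{s["kind"]}:{s["name"]}' for s in b.get("subjects", []))
        if ref["name"] == "cluster-admin":
            findings.append((name, f"cluster-admin bound to {subjects}"))
        for rule in roles.get(ref["name"], []):
            resources = set(rule.get("resources", []))
            if "*" in rule.get("verbs", []) or "*" in resources:
                findings.append((name, f"wildcard rule in ClusterRole {ref['name']}"))
            if resources & NAMESPACED:
                findings.append((name, f"{sorted(resources & NAMESPACED)} granted in every namespace to {subjects}"))
    return findings


if __name__ == "__main__":
    for binding, finding in audit(CLUSTERROLES_JSON, BINDINGS_JSON):
        print(f"{binding}: {finding}")
```

Against a live cluster, pipe the two `kubectl ... -o json` outputs into `audit()` in place of the constructed strings.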

Security Risks in Production

| Risk | Impact |
|---|---|
| Over-permissive ClusterRole | Full cluster compromise |
| Misused ClusterRoleBinding | Privilege escalation |
| cluster-admin granted widely | Loss of cluster control |
| No RBAC audits | Undetected access abuse |

Role vs ClusterRole

| Feature | Role | ClusterRole |
|---|---|---|
| Scope | Namespace | Entire cluster |
| Used for | Pods, Services, Deployments | Nodes, PVs, CRDs |
| Access level | Limited | Global |

How Authorization Works

Example kube-apiserver configuration:

--authorization-mode=Node,RBAC

Flow:

  1. The user (or service account) authenticates to the API server
  2. The RBAC authorizer looks up the RoleBindings and ClusterRoleBindings that name the subject
  3. The rules of the referenced Roles / ClusterRoles are evaluated against the request
  4. Access is granted if any rule matches, otherwise denied

Quick Check Access

Check if a user can access nodes:

kubectl auth can-i get nodes --as user1

Check whether the current user can list pods across all namespaces (i.e. holds that permission through a ClusterRoleBinding):

kubectl auth can-i list pods --all-namespaces

Summary

  • ClusterRoles manage cluster-wide permissions
  • ClusterRoleBindings link users to ClusterRoles
  • Used for nodes, storage, and infrastructure components
  • Can grant access to resources across all namespaces
  • Must be used carefully in production

Quote

In Kubernetes security, ClusterRoles are powerful tools — and dangerous if misused.