RBAC, used well, implements the principle of least privilege. Used badly, it is either too permissive (dangerous) or too restrictive (blocking).
The 4 RBAC objects

| Object | Scope | Usage |
|---|---|---|
| Role | Namespace | Permissions within one namespace |
| ClusterRole | Entire cluster | Cluster-wide permissions (or a reusable rule set, see below) |
| RoleBinding | Namespace | Binds a Role (or a ClusterRole) to a subject within one namespace |
| ClusterRoleBinding | Cluster | Binds a ClusterRole to a subject cluster-wide |
Recommended pattern

Define the permissions once as a ClusterRole, then grant them per namespace with a RoleBinding. A ClusterRole referenced from a RoleBinding only applies inside that RoleBinding's namespace, so the rule set is reusable without becoming cluster-wide.

```yaml
# Role definition (reusable across namespaces)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-developer
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update"]   # no "delete"
---
# Grant in one specific namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-developer
  namespace: team-backend
subjects:
- kind: User
  name: alice@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io   # required field in roleRef
  kind: ClusterRole
  name: app-developer
```
Auditing permissions

Check what a subject can actually do (impersonation with `--as`), both in the namespace where the binding exists and in one where it should have no effect:

```bash
kubectl auth can-i --list --as=alice@example.com -n team-backend
kubectl auth can-i delete pods --as=alice@example.com -n production
```
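As an added example (not part of the original article), the script below applies the scope rules from the table above to a handful of manifests and answers the same questions as the `kubectl auth can-i` commands, offline. It shows why a ClusterRole bound through a RoleBinding stays namespace-scoped while a ClusterRoleBinding does not. The `pod-reader` Role, the `ops` group and the `cluster-admin` binding are constructed demo values, not from the article.

```python
# Constructed manifests (same fields as the YAML above), as plain dicts so the
# script needs no PyYAML. Names are demo values, not from a real cluster.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "app-developer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "watch", "create", "update"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "production"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
BINDINGS = [
    # Recommended pattern: reusable ClusterRole, granted per namespace.
    {"kind": "RoleBinding", "metadata": {"name": "alice-developer", "namespace": "team-backend"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}],
     "roleRef": {"kind": "ClusterRole", "name": "app-developer"}},
    {"kind": "RoleBinding", "metadata": {"name": "alice-reader", "namespace": "production"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    # Cluster-wide grant: applies in every namespace and to cluster-scoped resources.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "subjects": [{"kind": "Group", "name": "ops"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]

def _match(allowed, value):
    return "*" in allowed or value in allowed

def _rule_allows(rule, verb, group, resource):
    return (_match(rule["apiGroups"], group) and _match(rule["resources"], resource)
            and _match(rule["verbs"], verb))

def _resolve(role_ref, namespace):
    for role in ROLES:
        if role["kind"] != role_ref["kind"] or role["metadata"]["name"] != role_ref["name"]:
            continue
        # A Role is namespaced: it can only be referenced from its own namespace.
        if role["kind"] == "Role" and role["metadata"]["namespace"] != namespace:
            continue
        return role
    return None  # a dangling roleRef grants nothing

def can_i(name, verb, resource, namespace, group="", kind="User"):
    """True if the subject may perform verb on resource in namespace ('' = cluster scope)."""
    for b in BINDINGS:
        if not any(s["kind"] == kind and s["name"] == name for s in b["subjects"]):
            continue
        # A RoleBinding only grants inside its own namespace, even for a ClusterRole ref.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        role = _resolve(b["roleRef"], namespace)
        if role and any(_rule_allows(r, verb, group, resource) for r in role["rules"]):
            return True
    return False
```

`can_i("alice@example.com", "delete", "pods", "production")` returns False, matching the second kubectl command; the same call for the `ops` group returns True because its ClusterRoleBinding is cluster-wide.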
Our Kubernetes training course includes a full RBAC module.