Just-in

Kagent Tutorial: Build Cloud-Native AI Agents on Kubernetes

Running Ollama LLM on Kubernetes: A Complete Guide

From Docker to Kubernetes: The Orchestration Journey You Didn’t Know You Needed

What is Kubeflow and how can it be used?

Getting Started with Kubeflow: A Complete Beginner’s Guide

Orchestration

Master Kubernetes RBAC: Best Practices

Kubernetes RBAC: Role-Based Access Control Best Practices

In the complex tapestry of modern cloud-native environments, managing who can do what is paramount. As your Kubernetes clusters grow, so does the need for granular, robust access control. Unrestricted access is a security nightmare, opening the door to accidental misconfigurations, data breaches, and unauthorized resource manipulation. This is where Kubernetes Role-Based Access Control (RBAC) steps in, providing a powerful mechanism to define precise permissions for users and service accounts.

RBAC is not just about security; it’s about operational efficiency and compliance. By implementing RBAC best practices, you can enforce the principle of least privilege, ensuring that every entity—human or machine—has only the necessary permissions to perform its designated tasks, and nothing more. This guide will walk you through the core concepts of Kubernetes RBAC, demonstrate how to implement it effectively, and share essential best practices to secure your clusters against unauthorized access and maintain a healthy, compliant environment.

TL;DR: Kubernetes RBAC Essentials

Kubernetes RBAC is crucial for securing your cluster by defining who can do what. It uses Roles (permissions within a namespace) and ClusterRoles (permissions cluster-wide), which are then bound to Users or Service Accounts via RoleBindings and ClusterRoleBindings. Always follow the principle of least privilege.

Key Commands:

  • Create a Role: 
    kubectl apply -f my-role.yaml
  • Create a RoleBinding: 
    kubectl apply -f my-rolebinding.yaml
  • List Roles: 
    kubectl get roles -n my-namespace
  • List ClusterRoles: 
    kubectl get clusterroles
  • Check API access (useful for debugging): 
    kubectl auth can-i create pods --namespace my-namespace --as=developer-user
  • Revoke permissions: Delete the RoleBinding or ClusterRoleBinding.

Prerequisites

To follow along with this guide, you’ll need:

  • A running Kubernetes cluster (e.g., Minikube, Kind, or a cloud-managed cluster like GKE, EKS, AKS).
  • kubectl configured to connect to your cluster. For installation instructions, refer to the official Kubernetes documentation.
  • Basic understanding of Kubernetes concepts like Pods, Deployments, and Namespaces.
  • Familiarity with YAML syntax.

Step-by-Step Guide to Implementing Kubernetes RBAC

1. Understanding RBAC Core Concepts

Before diving into implementation, it’s essential to grasp the fundamental building blocks of Kubernetes RBAC. RBAC relies on four main types of objects: Role, ClusterRole, RoleBinding, and ClusterRoleBinding. These objects work together to define permissions and assign them to subjects (users or service accounts).

A Role defines a set of permissions for resources within a specific namespace. For example, a Role might allow a user to read Pods and Deployments in the “development” namespace. A ClusterRole, on the other hand, defines permissions that apply cluster-wide or to non-namespaced resources (like Nodes, PersistentVolumes) or to namespaced resources across all namespaces (e.g., “list all Pods in the cluster”).

Once you’ve defined your permissions using a Role or ClusterRole, you need to assign them. A RoleBinding grants the permissions defined in a Role (or a ClusterRole) to a user, group, or service account within a specific namespace. A ClusterRoleBinding grants the permissions defined in a ClusterRole to a user, group, or service account across the entire cluster. Understanding this distinction between namespaced and cluster-wide resources and permissions is crucial for effective RBAC implementation.


# Example: Role in 'default' namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "pods/log"]
  verbs: ["get", "watch", "list"]
---
# Example: ClusterRole for reading nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]
Verify Section

To verify the creation of these RBAC objects, you can use kubectl get commands:


kubectl apply -f my-rbac-definitions.yaml # Assuming the above YAML is saved as my-rbac-definitions.yaml
kubectl get role pod-reader -n default

Expected Output:


NAME         CREATED AT
pod-reader   2023-10-27T10:00:00Z


kubectl get clusterrole node-reader

Expected Output:


NAME          CREATED AT
node-reader   2023-10-27T10:00:00Z

2. Creating and Assigning Namespaced Roles

Most applications and users operate within specific namespaces. Therefore, defining namespaced Roles is a common and recommended practice to enforce the principle of least privilege. This step involves creating a Role that grants permissions only within a designated namespace, and then binding that Role to a user or service account using a RoleBinding. This ensures that a developer, for instance, can manage applications in their development namespace without affecting production environments.

Consider a scenario where you have a “dev-team” namespace, and you want to allow developers to deploy and manage applications but not modify cluster-level resources or access other namespaces. By creating a Role specifically for this purpose and binding it within the “dev-team” namespace, you achieve granular control. This approach limits the blast radius of any potential misconfiguration or malicious activity, a fundamental aspect of robust Kubernetes Network Policies and overall cluster security.


# 1. Create a Namespace for the dev team
apiVersion: v1
kind: Namespace
metadata:
  name: dev-team
---
# 2. Define a Role for developers in the 'dev-team' namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev-team
  name: dev-team-full-access
rules:
- apiGroups: ["", "apps", "batch", "extensions"] # Core, apps, batch, extensions API groups
  resources: ["pods", "deployments", "replicasets", "jobs", "cronjobs", "services", "ingresses", "configmaps", "secrets", "persistentvolumeclaims"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# 3. Create a ServiceAccount for the dev team application
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: dev-team
  name: dev-app-sa
---
# 4. Bind the 'dev-team-full-access' Role to the 'dev-app-sa' ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: dev-team
  name: dev-app-sa-binding
subjects:
- kind: ServiceAccount
  name: dev-app-sa # Name of the ServiceAccount to bind
  namespace: dev-team
roleRef:
  kind: Role # This must be 'Role' for a RoleBinding
  name: dev-team-full-access # Name of the Role to bind
  apiGroup: rbac.authorization.k8s.io
Verify Section

First, apply the YAML manifest:


kubectl apply -f namespace-dev-rbac.yaml

Expected Output:


namespace/dev-team created
role.rbac.authorization.k8s.io/dev-team-full-access created
serviceaccount/dev-app-sa created
rolebinding.rbac.authorization.k8s.io/dev-app-sa-binding created

Then, verify the created resources:


kubectl get role dev-team-full-access -n dev-team

Expected Output:


NAME                   CREATED AT
dev-team-full-access   2023-10-27T10:15:00Z


kubectl get rolebinding dev-app-sa-binding -n dev-team

Expected Output:


NAME                 ROLE                 AGE
dev-app-sa-binding   Role/dev-team-full-access   1m

3. Creating and Assigning ClusterRoles

While namespaced Roles are great for isolation, some operations naturally require cluster-wide permissions. These include managing nodes, creating PersistentVolumes, or listing all namespaces. For such scenarios, ClusterRoles are indispensable. A ClusterRole defines permissions that apply across all namespaces or to cluster-scoped resources. When you bind a ClusterRole using a ClusterRoleBinding, the assigned subject gains these permissions throughout the entire cluster.

A common use case for ClusterRoles is granting read-only access to monitoring tools like Prometheus or observability agents like those leveraging eBPF Observability with Hubble, which need to scrape metrics from pods across various namespaces. Another example is an administrative user who needs to manage all namespaces or perform cluster-level diagnostics. It’s crucial to be extremely cautious when granting ClusterRoles, as they provide significant power and should only be assigned when absolutely necessary, adhering to the least privilege principle.


# 1. Define a ClusterRole for a read-only dashboard user
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewer
rules:
- apiGroups: [""]
  resources: ["pods", "deployments", "services", "configmaps", "secrets", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list", "watch"]
---
# 2. Create a ServiceAccount for the dashboard application
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-sa
  namespace: default # ServiceAccounts are namespaced, but ClusterRoleBinding makes it cluster-wide
---
# 3. Bind the 'dashboard-viewer' ClusterRole to the 'dashboard-sa' ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewer-binding
subjects:
- kind: ServiceAccount
  name: dashboard-sa
  namespace: default
roleRef:
  kind: ClusterRole # This must be 'ClusterRole' for a ClusterRoleBinding
  name: dashboard-viewer # Name of the ClusterRole to bind
  apiGroup: rbac.authorization.k8s.io
Verify Section

First, apply the YAML manifest:


kubectl apply -f cluster-rbac.yaml

Expected Output:


clusterrole.rbac.authorization.k8s.io/dashboard-viewer created
serviceaccount/dashboard-sa created
clusterrolebinding.rbac.authorization.k8s.io/dashboard-viewer-binding created

Then, verify the created resources:


kubectl get clusterrole dashboard-viewer

Expected Output:


NAME               CREATED AT
dashboard-viewer   2023-10-27T10:30:00Z


kubectl get clusterrolebinding dashboard-viewer-binding

Expected Output:


NAME                       ROLE                 AGE
dashboard-viewer-binding   ClusterRole/dashboard-viewer   1m

4. Granting Permissions to Users and Groups

While Service Accounts are used for applications running inside the cluster, human users and external systems also need access. Kubernetes RBAC allows you to bind Roles and ClusterRoles to specific users or groups. The key difference here is how Kubernetes authenticates these users. Unlike Service Accounts, which are managed directly by Kubernetes, human users are typically authenticated externally, for example, through an identity provider integrated with your cluster (e.g., OIDC, SAML, or cloud IAM like AWS IAM, Azure AD, Google Cloud IAM).

When you create a RoleBinding or ClusterRoleBinding for a user, you specify their name (e.g., "developer-alice") in the subjects section. Kubernetes doesn’t manage these user accounts directly; it only checks if the authenticated user’s identity matches the name specified in the binding. Similarly, for groups, you specify the group name (e.g., "dev-team-group"). It’s crucial that your cluster’s authentication mechanism is configured to provide user and group information to the Kubernetes API server for these bindings to be effective. For example, in GKE, you might use Google Groups for RBAC.


# 1. Define a Role for viewing logs in the 'default' namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: log-viewer
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
# 2. Bind the 'log-viewer' Role to a specific user 'bob'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bob-log-viewer-binding
  namespace: default
subjects:
- kind: User
  name: bob # Name of the user as authenticated by your cluster's auth provider
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: log-viewer
  apiGroup: rbac.authorization.k8s.io
---
# 3. Define a ClusterRole for a cluster-wide auditor group
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: audit-reader
rules:
- apiGroups: [""]
  resources: ["pods", "deployments", "services", "namespaces", "nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch"]
---
# 4. Bind the 'audit-reader' ClusterRole to a group 'auditors'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auditors-read-binding
subjects:
- kind: Group
  name: auditors # Name of the group as authenticated by your cluster's auth provider
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: audit-reader
  apiGroup: rbac.authorization.k8s.io
Verify Section

Apply the YAML manifest:


kubectl apply -f user-group-rbac.yaml

Expected Output:


role.rbac.authorization.k8s.io/log-viewer created
rolebinding.rbac.authorization.k8s.io/bob-log-viewer-binding created
clusterrole.rbac.authorization.k8s.io/audit-reader created
clusterrolebinding.rbac.authorization.k8s.io/auditors-read-binding created

You can verify the bindings:


kubectl get rolebinding bob-log-viewer-binding -n default

Expected Output:


NAME                     ROLE             AGE
bob-log-viewer-binding   Role/log-viewer   1m


kubectl get clusterrolebinding auditors-read-binding

Expected Output:


NAME                    ROLE               AGE
auditors-read-binding   ClusterRole/audit-reader   1m

To test user permissions, you can use the kubectl auth can-i command, but it requires specifying the user:


kubectl auth can-i get pods --namespace default --as=bob

Expected Output:


yes


kubectl auth can-i create deployment --namespace default --as=bob

Expected Output:


no

5. Using Aggregated ClusterRoles (Advanced)

As your cluster grows and more custom resources (CRDs) are introduced, managing ClusterRoles can become cumbersome. Aggregated ClusterRoles offer a powerful way to automatically combine permissions from multiple ClusterRoles into a single, overarching ClusterRole. This is particularly useful for extending built-in roles (like admin, edit, view) with permissions for your custom resources without modifying the original roles.

For example, if you’re using a service mesh like Istio Ambient Mesh or a Gateway API implementation like Kubernetes Gateway API, you might have custom resources like Gateway, VirtualService, or TrafficPolicy. Instead of manually adding these permissions to every admin or edit ClusterRole, you can create an Aggregated ClusterRole that targets these custom resources and automatically gets included in the standard roles. This simplifies management and ensures consistency across your cluster, aligning with principles seen in dynamic resource allocation like Karpenter Cost Optimization.


# 1. Define a Custom Resource Definition (CRD) for demonstration
# (In a real scenario, this would be installed by a Helm chart or operator)
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: myresources.stable.example.com
spec:
  group: stable.example.com
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                message:
                  type: string
  scope: Namespaced
  names:
    plural: myresources
    singular: myresource
    kind: MyResource
    shortNames: ["mr"]
---
# 2. Create a ClusterRole that aggregates into the 'edit' ClusterRole
# This grants 'edit' permissions for 'myresources' to anyone with the 'edit' role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: myresource-editor
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true" # This label makes it an aggregated ClusterRole
rules:
- apiGroups: ["stable.example.com"]
  resources: ["myresources"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# 3. Create a ClusterRole that aggregates into the 'view' ClusterRole
# This grants 'view' permissions for 'myresources' to anyone with the 'view' role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: myresource-viewer
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true" # This label makes it an aggregated ClusterRole
rules:
- apiGroups: ["stable.example.com"]
  resources: ["myresources"]
  verbs: ["get", "list", "watch"]
Verify Section

Apply the YAML manifest:


kubectl apply -f aggregated-rbac.yaml

Expected Output:


customresourcedefinition.apiextensions.k8s.io/myresources.stable.example.com created
clusterrole.rbac.authorization.k8s.io/myresource-editor created
clusterrole.rbac.authorization.k8s.io/myresource-viewer created

Now, let’s verify that the permissions are aggregated. We can use kubectl auth can-i with a user who has the built-in edit role. Minikube often provides a minikube-user with admin access, or you can create a test user and bind the edit ClusterRole to them.

Assuming you have a user bound to the edit ClusterRole (e.g., developer-user) in the default namespace:


# Create a dummy user and bind the 'edit' ClusterRole for testing
kubectl create serviceaccount test-editor -n default
kubectl create rolebinding test-editor-bind --clusterrole=edit --serviceaccount=default:test-editor -n default

# Now test permissions with the service account
kubectl auth can-i create myresources.stable.example.com --namespace default --as=system:serviceaccount:default:test-editor

Expected Output:


yes

This “yes” confirms that the myresource-editor ClusterRole’s permissions have been aggregated into the edit ClusterRole, and thus the test-editor service account (which has the edit role) can now create myresources.

Production Considerations

  • Principle of Least Privilege (PoLP): This is the golden rule. Grant only the bare minimum permissions required for a user or service account to perform its function. Start with no permissions and add them incrementally as needed.
  • Use Namespaces for Isolation: Leverage Kubernetes Namespaces to create logical boundaries between different teams, environments (dev, staging, prod), or applications. This naturally limits the scope of namespaced RBAC roles.
  • Automate RBAC Management: Manually managing RBAC YAML files can be error-prone and time-consuming. Use tools like Helm charts, Kustomize, or GitOps pipelines to define, deploy, and manage your RBAC configurations. Consider integrating with identity providers (IdPs) for user management.
  • Audit and Monitor: Regularly audit your RBAC configurations to ensure they align with your security policies. Use Kubernetes audit logs to track who performed what actions and when. Tools like Kyverno or Open Policy Agent (OPA) can enforce policies like “no direct access to production secrets” or “all deployments must specify a ServiceAccount.” For more on security, see Securing Container Supply Chains with Sigstore and Kyverno.
  • Service Account Management:
    • Avoid using the default ServiceAccount for critical applications. Create dedicated ServiceAccounts for each application or microservice.
    • Do not automatically mount ServiceAccount tokens into Pods unless necessary. Set automountServiceAccountToken: false in your Pod specification or ServiceAccount definition if the Pod does not need to interact with the Kubernetes API.
  • Avoid Wildcards: Be extremely cautious with * in apiGroups, resources, or verbs. A wildcard grants broad permissions and should be used only by cluster administrators with full understanding of the implications.
  • Review Built-in Roles: Understand the permissions granted by Kubernetes’ built-in ClusterRoles (admin, edit, view). While convenient, they might grant more permissions than strictly necessary for certain use cases.
  • External Authentication: Integrate Kubernetes with your organization’s existing identity provider (e.g., Okta, Azure AD, AWS IAM) for human user authentication. This centralizes user management and leverages existing security policies.
  • Regular Reviews: Conduct periodic reviews of your RBAC policies, especially when team structures change or applications are decommissioned. Remove stale permissions promptly.
  • Use kubectl auth can-i: This command is your best friend for debugging and verifying RBAC permissions. Use it regularly to simulate user/SA access.

Troubleshooting

1. User/ServiceAccount Cannot Perform an Action

Problem: A user or application (via ServiceAccount) is getting “Forbidden” errors when trying to perform an action, e.g., Error from server (Forbidden): pods is forbidden: User "developer" cannot list resource "pods" in API group "" in the namespace "dev-team".

Solution: Use kubectl auth can-i to diagnose the exact missing permission. Check the relevant Role or ClusterRole and its binding.


# For a user
kubectl auth can-i list pods --namespace dev-team --as=developer
# For a ServiceAccount
kubectl auth can-i create deployment --namespace dev-team --as=system:serviceaccount:dev-team:dev-app-sa

If the output is “no”, inspect the Role/ClusterRole and RoleBinding/ClusterRoleBinding for the user/SA. Ensure the apiGroups, resources, and verbs are correctly specified and that the binding is in the correct namespace (for Roles) or cluster-wide (for ClusterRoles).

2. ServiceAccount Token Not Mounted

Problem: A Pod needs to interact with the Kubernetes API, but its ServiceAccount token is not being mounted, leading to authentication errors within the Pod.

Solution: Ensure that automountServiceAccountToken: true is explicitly set in the Pod’s spec or the ServiceAccount definition if it was previously disabled. By default, it’s usually true, but it’s a common security hardening step to disable it.


apiVersion: v1
kind: Pod
metadata:
  name: my-api-client
  namespace: default
spec:
  serviceAccountName: my-api-sa
  automountServiceAccountToken: true # Ensure this is true if needed
  containers:
  - name: client
    image: busybox
    command: ["sh", "-c", "sleep 3600"]

3. ClusterRoleBinding Not Working for Namespaced Resources

Problem: A ClusterRoleBinding is applied, but the permissions for namespaced resources (e.g., Pods) are not taking effect in a specific namespace.

Solution: ClusterRoleBindings apply permissions globally. If you’re expecting a ClusterRoleBinding to grant permissions to a specific namespace, it will, but it grants it to all namespaces. If you want permissions limited to a single namespace, you should be using a Role and RoleBinding. Verify the resources and apiGroups in your ClusterRole to ensure they cover the intended namespaced resources.

4. Conflicting RBAC Policies

Problem: A user has multiple RoleBindings or ClusterRoleBindings, and it’s unclear which permissions apply or why certain actions are allowed/denied.

Solution: Kubernetes RBAC is additive. If any binding grants a permission, the subject has that permission. If you’re seeing unexpected access, it means some Role or ClusterRole, bound to the user/group/SA, is granting it. Use kubectl describe rolebinding and kubectl describe clusterrolebinding to list all bindings for a subject and then inspect the associated Roles/ClusterRoles. Use kubectl auth can-i --list --as=... to see all permissions a subject has.

5. External User Authentication Issues

Problem: A human user cannot authenticate or is not recognized by Kubernetes RBAC, even though a RoleBinding/ClusterRoleBinding exists for their name.

Solution: Kubernetes itself doesn’t manage user accounts directly. It relies on external authentication.

  • Verify Authentication: Ensure your cluster’s authentication mechanism (e.g., OIDC, cloud IAM) is correctly configured and the user is authenticated successfully. Check your cluster’s API server logs for authentication failures.
  • User/Group Name Mismatch: The name in the subjects section of your RoleBinding/ClusterRoleBinding must exactly match the name provided by your authentication system. This is case-sensitive.
  • Kubeconfig Context: Ensure the user’s kubeconfig is correctly configured with the necessary authentication details (e.g., client certificates, OIDC tokens).

6. Accidental Administrator Access

Problem: A non-admin user or ServiceAccount seems to have full administrative access to the cluster.

Solution: This is often caused by an inadvertent binding to the built-in cluster-admin ClusterRole.

  • List all ClusterRoleBindings: 
    kubectl get clusterrolebindings
  • Look for any ClusterRoleBinding that grants cluster-admin to an unexpected user, group, or ServiceAccount. The cluster-admin ClusterRole grants full access to every resource in the cluster.
  • Delete any erroneous ClusterRoleBindings to cluster-admin.

For example, if you see clusterrolebinding/my-dev-sa-admin bound to cluster-admin, delete it:


kubectl delete clusterrolebinding my-dev-sa-admin

FAQ Section

Q1: What is the difference between a Role and a ClusterRole?
A1: A Role defines permissions within a specific Kubernetes namespace. A ClusterRole defines permissions across the entire cluster, or for cluster-scoped resources (like Nodes, PersistentVolumes), or for namespaced resources across all namespaces.

Q2: What is the difference between a RoleBinding and a ClusterRoleBinding?
A2: A RoleBinding grants the permissions defined in a Role (or a ClusterRole) to a subject (user, group, or service account) within a specific namespace. A ClusterRoleBinding grants the permissions defined in a ClusterRole to a subject across the entire cluster.

Q3: How do I grant permissions to a new user in Kubernetes?
A3: First, ensure your Kubernetes cluster is configured to authenticate the user (e.g., via OIDC, cloud IAM, or client certificates). Then, create a Role (

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *