RBAC and namespaces
Namespaces are the scoping primitive. RBAC binds users and ServiceAccounts to verbs on resources via Roles and ClusterRoles.
Two things to know. Namespaces scope resources. RBAC controls who can do what to them.
Namespaces
A namespace is a virtual cluster inside a cluster. Most objects are namespaced (Pods, Services, Deployments, ConfigMaps, Secrets, PVCs). Some are cluster-scoped (Nodes, PVs, StorageClasses, ClusterRoles, CRDs).
Names are unique per namespace. You can have Deployment/api in team-a and Deployment/api in team-b. DNS names include the namespace: api.team-a.svc.cluster.local.
Use namespaces for tenancy boundaries, not for tiny logical groupings. Common patterns: one namespace per team, per environment (within a non-prod cluster), per app stack.
RBAC: four resources
- Role: a list of allowed verbs on resources in one namespace.
- ClusterRole: same but cluster-wide, or for cluster-scoped resources.
- RoleBinding: grants a Role to a subject (User, Group, ServiceAccount) in one namespace.
- ClusterRoleBinding: grants a ClusterRole cluster-wide.
A ClusterRole can also be referenced by a RoleBinding. The ClusterRole's rules then apply only inside the RoleBinding's namespace (and only to namespaced resources), which makes ClusterRoles a convenient way to define a role once and bind it in many namespaces.
Verbs and resources
Verbs: get, list, watch, create, update, patch, delete, deletecollection. Subresources such as pods/exec, pods/log and pods/portforward are separate resource names in a rule; a rule that grants verbs on pods does not cover them.
Example: a read-only viewer Role:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: { name: viewer, namespace: team-a }
rules:
- apiGroups: [""]
  resources: [pods, services, configmaps]
  verbs: [get, list, watch]
ServiceAccounts
Every Pod runs as a ServiceAccount (the namespace's default SA if none is specified). The SA's token is mounted into the container at /var/run/secrets/kubernetes.io/serviceaccount/token and is used to authenticate to the API server. RBAC binds permissions to that SA.
On EKS, use IRSA (IAM Roles for Service Accounts) to bind an AWS IAM role to a ServiceAccount. The Pod exchanges its projected SA token for temporary AWS credentials through STS (AssumeRoleWithWebIdentity), so no long-lived AWS keys live in the cluster.
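The RBAC and ServiceAccount sections above describe a decision procedure: a request arrives authenticated as a user, a group or a ServiceAccount, and the API server looks for a binding whose subject matches and whose Role or ClusterRole rules allow the verb on the resource, with RoleBindings confined to their namespace. The following is an added example, not code from the page and not Kubernetes' own authorizer; it models that procedure in Python over constructed manifests (the page's viewer Role, plus a hypothetical pod-exec ClusterRole and node-reader ClusterRole with made-up subjects and namespaces). It omits role aggregation, resourceNames and nonResourceURLs.

```python
# Added example: a simplified model of Kubernetes RBAC authorization.
# Manifests below are constructed; names, groups and namespaces are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple  # "" is the core group (pods, services...); "*" matches any
    resources: tuple   # "pods", a subresource like "pods/exec", "*/status", or "*"
    verbs: tuple       # get, list, watch, create, update, patch, delete... or "*"


@dataclass(frozen=True)
class Binding:
    kind: str            # "RoleBinding" or "ClusterRoleBinding"
    subjects: tuple      # ("User", name), ("Group", name), ("ServiceAccount", ns, name)
    rules: tuple         # rules of the referenced Role or ClusterRole
    namespace: str = ""  # RoleBinding's namespace; unused for ClusterRoleBinding


@dataclass(frozen=True)
class Request:
    user: str
    groups: tuple
    verb: str
    api_group: str  # "" for core resources, "apps" for deployments, ...
    resource: str   # "pods" or a subresource such as "pods/exec"
    namespace: str  # "" for cluster-scoped resources such as nodes


def _resource_matches(patterns, resource):
    # Mirrors the API server's matcher: "*" matches everything, otherwise an
    # exact match, plus "*/<subresource>" for that subresource on any resource.
    # A rule naming "pods" therefore never covers "pods/exec".
    sub = resource.split("/", 1)[1] if "/" in resource else ""
    return any(p == "*" or p == resource or (sub and p == "*/" + sub) for p in patterns)


def rule_allows(rule, req):
    return (("*" in rule.api_groups or req.api_group in rule.api_groups)
            and _resource_matches(rule.resources, req.resource)
            and ("*" in rule.verbs or req.verb in rule.verbs))


def subject_matches(subject, req):
    if subject[0] == "User":
        return req.user == subject[1]
    if subject[0] == "Group":
        return subject[1] in req.groups
    if subject[0] == "ServiceAccount":
        # A Pod's SA token authenticates as this well-known user name.
        return req.user == f"system:serviceaccount:{subject[1]}:{subject[2]}"
    return False


def authorize(bindings, req):
    # RBAC is allow-only: any binding whose subject and rules match grants the
    # request; with no match it is denied.
    for b in bindings:
        if not any(subject_matches(s, req) for s in b.subjects):
            continue
        if b.kind == "RoleBinding" and (not req.namespace or req.namespace != b.namespace):
            # A RoleBinding, even one referencing a ClusterRole, only reaches
            # namespaced resources inside its own namespace; cluster-scoped
            # requests (namespace "") never match here.
            continue
        if any(rule_allows(r, req) for r in b.rules):
            return True
    return False


# Constructed manifests as data. VIEWER_RULES is the page's viewer Role.
VIEWER_RULES = (Rule(("",), ("pods", "services", "configmaps"), ("get", "list", "watch")),)
# kubectl exec is a POST to the pods/exec subresource, i.e. verb "create".
POD_EXEC_RULES = (Rule(("",), ("pods/exec",), ("create",)),)
NODE_READER_RULES = (Rule(("",), ("nodes",), ("get", "list", "watch")),)

BINDINGS = (
    # Role viewer -> the hypothetical "app" ServiceAccount, via RoleBinding in team-a
    Binding("RoleBinding", (("ServiceAccount", "team-a", "app"),), VIEWER_RULES, "team-a"),
    # ClusterRole pod-exec reused through a RoleBinding: confined to team-a
    Binding("RoleBinding", (("Group", "team-a-oncall"),), POD_EXEC_RULES, "team-a"),
    # ClusterRole node-reader -> group sre, via ClusterRoleBinding: cluster-wide
    Binding("ClusterRoleBinding", (("Group", "sre"),), NODE_READER_RULES),
)


def can_i(user, verb, resource, namespace="", groups=(), api_group=""):
    # The question `kubectl auth can-i` asks, answered against BINDINGS.
    return authorize(BINDINGS, Request(user, tuple(groups), verb, api_group, resource, namespace))


if __name__ == "__main__":
    sa = "system:serviceaccount:team-a:app"
    checks = [
        ("app SA lists pods in team-a", can_i(sa, "list", "pods", "team-a")),
        ("app SA lists pods in team-b", can_i(sa, "list", "pods", "team-b")),
        ("app SA execs into a pod", can_i(sa, "create", "pods/exec", "team-a")),
        ("oncall execs in team-a", can_i("alice", "create", "pods/exec", "team-a", ("team-a-oncall",))),
        ("oncall execs in team-b", can_i("alice", "create", "pods/exec", "team-b", ("team-a-oncall",))),
        ("sre lists nodes", can_i("bob", "list", "nodes", groups=("sre",))),
    ]
    for label, allowed in checks:
        print(f"{label:30} {'yes' if allowed else 'no'}")
```

Against a real cluster the same questions are asked with `kubectl auth can-i`, for example `kubectl auth can-i create pods/exec -n team-a --as=system:serviceaccount:team-a:app`, which is the quickest way to confirm that a ServiceAccount has exactly the viewer rules and nothing more. Pods that never call the API server should also set `automountServiceAccountToken: false` so no token is mounted for an attacker to reuse.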
The interview answer
Namespaces scope namespaced resources. RBAC has four resources: Role and ClusterRole define permissions, RoleBinding and ClusterRoleBinding grant them to subjects. ServiceAccounts authenticate Pods. On EKS, IRSA bridges to AWS IAM. Least privilege always.
Learn more
- Docs: RBAC Authorization (kubernetes.io)
- Docs: Namespaces (kubernetes.io)