Managing Access Control in Kubernetes Using ResourceNames


2 min read | by Jordi Prats

In Kubernetes, access control is managed using Role-Based Access Control (RBAC), which allows administrators to define roles with specific permissions to access Kubernetes resources. Most of the time we'll grant permissions for any resources of a specific kind and apiGroup as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: simple-rbac
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]

If we want to grant access to just some of the resources, we'll have to add a list of resourceNames. This field allows administrators to grant permissions to specific resources within a namespace, rather than all resources of a particular type.

To do so we just need to provide the list of resource names that we want to grant access to:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-access-secret-one-two
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["secret-one", "secret-two"]
  verbs: ["get"]

This way we can ensure that users have access to only the resources they need and minimize the risk of unauthorized access, regardless of the namespace they are in.
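The following is an added example, not code from the original post or from Kubernetes: a simplified Python model of how a single RBAC rule is matched against a request, applied to the two rules above. It ignores namespaces and RoleBindings, and the function names and sample requests are constructed for illustration.

```python
# Simplified model of how one RBAC rule is matched against a request.
# Illustrative only; this is not the Kubernetes authorizer's code.

# The rules from the two Roles above, written as Python dicts.
SIMPLE_RBAC = {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}
ONE_TWO = {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
           "resourceNames": ["secret-one", "secret-two"]}


def _matches(allowed, value):
    """A rule list matches on an exact entry or the "*" wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource, name=""):
    """Return True if `rule` permits the request.

    `name` is the object name in the request; it is empty for requests
    that do not address a single object (for example a plain list).
    """
    if not _matches(rule.get("verbs", []), verb):
        return False
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames", [])
    # No resourceNames means every object of the resource is covered.
    # Otherwise the requested name must be listed exactly: there is no
    # wildcard or prefix matching, and an empty name never matches.
    return not names or name in names


def audit(rule, requests):
    """Evaluate sample requests and return {request: allowed}."""
    return {req: rule_allows(rule, *req) for req in requests}


# Constructed sample requests: (verb, apiGroup, resource, name)
SAMPLE_REQUESTS = [
    ("get", "", "secrets", "secret-one"),    # listed name
    ("get", "", "secrets", "secret-three"),  # name not listed
    ("list", "", "secrets", ""),             # verb not granted, no name
    ("get", "", "configmaps", "secret-one"), # different resource
]

if __name__ == "__main__":
    for label, rule in (("simple-rbac", SIMPLE_RBAC), ("one-two", ONE_TWO)):
        for req, ok in audit(rule, SAMPLE_REQUESTS).items():
            print(label, req, "allow" if ok else "deny")
```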


Posted on 11/04/2023
