CloudsArk
Security and RBAC Kubernetes

Role Vs Clusterrole

Learn practical role vs clusterrole with kubectl commands, manifests, verification steps, common mistakes, and production-focused guidance.

9 min read Updated 2026-05-30
kubernetes role clusterrole kubectl

Role Vs Clusterrole

Introduction

This guide explains role vs clusterrole with practical kubectl commands, realistic output, and production-focused checks. Security and RBAC changes must be small, testable, and namespace-aware.

Why This Matters

Overbroad RBAC, privileged pods, writable root filesystems, and unrestricted network access turn small application bugs into cluster risk. Production clusters need least privilege and clear verification.

Example Configuration

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: app
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

Step-by-Step Configuration

kubectl auth can-i get pods --as system:serviceaccount:app:backend -n app
kubectl get role,rolebinding -n app
kubectl describe serviceaccount backend -n app
kubectl get resourcequota,limitrange -n app
kubectl get events -n app --sort-by=.lastTimestamp

Expected output:

yes
role.rbac.authorization.k8s.io/pod-reader   created

Verification

kubectl auth can-i get pods -n app --as system:serviceaccount:app:backend
kubectl describe rolebinding -n app
kubectl get events -n app --sort-by=.lastTimestamp

Security Best Practices

  • Grant verbs only for the resources an application actually needs.
  • Prefer namespace-scoped Roles before ClusterRoles.
  • Run containers as non-root and drop unnecessary Linux capabilities.
  • Protect Secrets with RBAC and avoid printing them in logs.

Common Mistakes

  • Binding cluster-admin to application service accounts.
  • Debugging Forbidden errors without checking the exact service account identity.
  • Assuming Pod Security, RBAC, and NetworkPolicy solve the same problem.

Troubleshooting

Use kubectl auth can-i with the exact service account, namespace, verb, and resource. Then inspect RoleBindings, admission events, pod security settings, and image pull credentials.

Summary

Kubernetes security works best as layered controls: RBAC for API access, pod security for runtime boundaries, NetworkPolicy for traffic, and careful Secret handling for credentials.

Keep exploring

More Kubernetes

All articles
Security and RBAC

kubectl Auth Can I Examples

9 min read Security and RBAC

Serviceaccount Token Explained

9 min read Security and RBAC

Serviceaccount Explained

9 min read