KubeDojo

Roles, RoleBindings, and RBAC

by Alexis Kinsella · 18 min read

Every Kubernetes workload that touches the API server needs RBAC. Getting it right means more than creating a Role and a RoleBinding: it means knowing that apiGroups: [""] grants nothing for Deployments, that a typo in a ServiceAccount name binds silently and fails at runtime, and that you cannot update a RoleBinding's roleRef without deleting it first. RBAC is enabled by default on every cluster, but "enabled" and "correctly configured" are very different things.

RBAC is how you move from "denied" to "exactly what's needed." The API has four object types: Role, ClusterRole, RoleBinding, and ClusterRoleBinding. This article covers the namespace-scoped half: Role and RoleBinding. ClusterRoles are next. The topics: the three-part rule structure, resourceNames for locking permissions to specific named objects, wiring subjects with all three subject kinds, and the gotchas that burn you in both the exam and production.
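As an added example (not from the KubeDojo lesson), the manifests below put the three gotchas named above side by side: a Role that uses apiGroups [""] for Deployments and therefore grants nothing, the corrected Role with one rule per API group and resourceNames narrowing the write verbs to a single named Deployment, and a RoleBinding wiring all three subject kinds to it. The namespace "payments", the Deployment "checkout", and the subject names are constructed for illustration.

```yaml
# Added example, not the lesson's own manifests. All names are constructed.
#
# Broken: apiGroups [""] is the core group (pods, services, configmaps, ...).
# Deployments live in the "apps" group, so this Role grants nothing for them.
# The API server accepts it without complaint; the failure is a 403 at runtime.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deploy-reader-broken
  namespace: payments
rules:
- apiGroups: [""]
  resources: ["deployments"]
  verbs: ["get", "list"]
---
# Corrected: each rule is the three-part structure apiGroups / resources / verbs,
# and resources from different API groups get separate rules.
# resourceNames locks update and patch to the single Deployment "checkout";
# list and watch are kept in their own rule because resourceNames cannot
# meaningfully restrict collection verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deploy-operator
  namespace: payments
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  resourceNames: ["checkout"]
  verbs: ["update", "patch"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
---
# Binding with all three subject kinds. The ServiceAccount is identified by
# name and namespace only: a misspelled name binds silently and the workload
# gets 403s. roleRef is immutable, so re-pointing this binding at a different
# Role means deleting and recreating it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deploy-operator-binding
  namespace: payments
subjects:
- kind: ServiceAccount
  name: checkout-deployer
  namespace: payments
- kind: User
  name: jane@example.com
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: payments-oncall
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deploy-operator
  apiGroup: rbac.authorization.k8s.io
```

After applying, check the effective permissions rather than trusting the manifest: `kubectl auth can-i get deployments -n payments --as=system:serviceaccount:payments:checkout-deployer` answers "no" when only the broken Role is bound and "yes" once the corrected one is, and `kubectl auth can-i update deployments/checkout -n payments --as=...` confirms that the write verbs are limited to the named object.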

CKAD — Certified Kubernetes Application Developer