Kubernetes RBAC

This course introduces you to container security, Azure Container Registry authentication, Kubernetes clusters, and Microsoft Defender for Containers.

Learning Objectives

  • A solid understanding of what options are available for securing your containerized applications in Azure and how to protect them from emerging threats

Intended Audience

  • Developers, IT professionals, and security experts who are looking to understand the different ways to secure their containerized applications in Azure


Prerequisites

  • Basic understanding of containerized computing in Azure

Welcome to Kubernetes RBAC.

Kubernetes RBAC is the authorization mechanism that gives you granular control over what users and groups are allowed to do within an AKS cluster. It lets you assign specific permissions to users or groups: for example, to create resources, modify resources, or view logs from running application workloads. These permissions can be scoped to a single namespace or applied to the entire cluster.

To set up Kubernetes RBAC, you first define a set of permissions as a Role. A Role grants permissions within one namespace, while a ClusterRole grants permissions across all namespaces or on cluster-scoped resources that live outside any namespace, such as nodes. Roles are then assigned to users, groups or service accounts with a RoleBinding (namespaced) or a ClusterRoleBinding (cluster-wide). A RoleBinding can also reference a ClusterRole, in which case the ClusterRole's permissions apply only inside the binding's namespace.

If your AKS cluster is integrated with Azure AD, a RoleBinding grants the permissions defined in the role to Azure AD users or groups for actions within one namespace, and a ClusterRoleBinding grants that access cluster-wide. It's important to note that Kubernetes RBAC is purely additive: roles only grant permissions and never deny them, so a subject's effective permissions are the union of every binding that names it, and the only way to take a permission away is to remove or narrow the binding or role that grants it.
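The Role, ClusterRole and binding objects described above, written out as an added example that is not part of the course. The object names, the "dev" namespace, the Azure AD group object ID and the user principal name are placeholders; on an Azure AD integrated AKS cluster the group's object ID is what goes in the Group subject's name.

```yaml
# Added example manifests (not from the course). Names, the namespace, the
# Azure AD group object ID and the UPN are placeholders.
---
# Role: namespaced permissions. This one lets a subject read pods and their
# logs in the "dev" namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-log-reader
  namespace: dev
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# RoleBinding: grant the Role above to an Azure AD group inside "dev".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-pod-log-reader
  namespace: dev
subjects:
  - kind: Group
    name: "00000000-0000-0000-0000-000000000000"   # Azure AD group object ID (placeholder)
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-log-reader
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRole: needed for cluster-scoped resources (nodes have no namespace).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-viewer
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
---
# ClusterRoleBinding: grant node-viewer cluster-wide to one Azure AD user
# (placeholder UPN).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ops-node-viewer
subjects:
  - kind: User
    name: "ops.user@example.com"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-viewer
  apiGroup: rbac.authorization.k8s.io
---
# A RoleBinding may reference a ClusterRole: its rules are then granted only
# inside the binding's namespace. Here the built-in "edit" ClusterRole is
# handed out in "dev" only, not cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-edit
  namespace: dev
subjects:
  - kind: Group
    name: "00000000-0000-0000-0000-000000000000"   # same placeholder group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

After applying these with `kubectl apply -f`, check the result from the subject's point of view rather than by reading the manifests back: `kubectl auth can-i get pods/log --namespace dev --as someone --as-group 00000000-0000-0000-0000-000000000000` should answer yes, the same question with `--namespace prod` should answer no, and `kubectl auth can-i --list --namespace dev --as-group <group-id>` shows the union of everything the group's bindings grant there, which is the set you are actually reviewing when you audit for excess privilege.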

Kubernetes also has service accounts, which are one of the two kinds of subjects the cluster authenticates: normal users, which are managed outside the cluster (in AKS, by Azure AD), and service accounts, which are Kubernetes API objects created and managed inside the cluster. Their tokens, which older Kubernetes versions stored as Kubernetes Secrets and current versions issue as short-lived projected tokens, are mounted into pods so that authorized pods can communicate with the API server. Because every pod is given the namespace's default service account unless you specify otherwise, a pod that never calls the API should not mount a token at all.
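A least-privilege service account for one workload, as an added example that is not part of the course: a dedicated ServiceAccount, a Role limited to reading ConfigMaps, the RoleBinding that ties them together, and two pods, one that opts in to a token and one that carries none. The names, the "dev" namespace and the container images are placeholders.

```yaml
# Added example manifests (not from the course). Names, the namespace and the
# image references are placeholders.
---
# A dedicated ServiceAccount for one workload instead of the namespace's
# "default" account, which every pod is given unless told otherwise.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: config-reader
  namespace: dev
automountServiceAccountToken: false   # pods must opt in explicitly (see below)
---
# Least-privilege Role: read ConfigMaps in "dev", nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: dev
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
# Bind the Role to the ServiceAccount. Service accounts are namespaced, so the
# subject carries a namespace rather than an apiGroup.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: config-reader-binding
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: config-reader
    namespace: dev
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
# The pod that talks to the API server runs as config-reader and mounts a
# short-lived projected token (the default token mount on current Kubernetes).
apiVersion: v1
kind: Pod
metadata:
  name: config-sync
  namespace: dev
spec:
  serviceAccountName: config-reader
  automountServiceAccountToken: true
  containers:
    - name: app
      image: example.azurecr.io/config-sync:1.0   # placeholder image
---
# A pod that never calls the API should not carry a token at all, so a
# compromise of this container yields no API credential.
apiVersion: v1
kind: Pod
metadata:
  name: static-web
  namespace: dev
spec:
  automountServiceAccountToken: false
  containers:
    - name: web
      image: example.azurecr.io/static-web:1.0    # placeholder image
```

Service accounts are addressed as `system:serviceaccount:<namespace>:<name>`, so `kubectl auth can-i list configmaps --namespace dev --as system:serviceaccount:dev:config-reader` should answer yes while `kubectl auth can-i get secrets --namespace dev --as system:serviceaccount:dev:config-reader` should answer no; if the second answer is yes, some other binding in the namespace is granting more than this Role, and RBAC being additive means that binding, not this one, is what has to be fixed.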

So the key takeaway here is that Kubernetes RBAC gives you granular control over user actions within an AKS cluster by assigning specific permissions to users or groups, scoping those permissions to a single namespace or the entire cluster, and using Roles, ClusterRoles, RoleBindings and ClusterRoleBindings to assign them. Additionally, Kubernetes uses service accounts to authenticate pods, and AKS can be integrated with Azure AD for user authentication.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.
