Skip to content

Role-Based Access Control (RBAC)

RBAC implementation for the RCIIS DevOps platform, providing fine-grained access control across Kubernetes resources.

Overview

RBAC ensures secure access to resources by defining roles, permissions, and user assignments across different environments.

RBAC Components

Roles and ClusterRoles

  • Roles: Namespace-scoped permissions
  • ClusterRoles: Cluster-wide permissions
  • Aggregated ClusterRoles: Combined permission sets

Subjects

  • Users: Individual user accounts
  • Groups: User groups from identity providers
  • ServiceAccounts: Pod-level identities

Bindings

  • RoleBindings: Namespace-scoped role assignments
  • ClusterRoleBindings: Cluster-wide role assignments

Role Definitions

Application Roles

# Developer role for application namespaces
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: nucleus
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch"]

Administrative Roles

# Cluster administrator role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin-rciis
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
- nonResourceURLs: ["*"]
  verbs: ["*"]

User Management

Identity Provider Integration

  • Keycloak integration for user authentication
  • OIDC-based group membership
  • JWT token validation
  • Automated role assignment

Service Account Management

  • Application-specific service accounts
  • Minimal permission principles
  • Token rotation policies
  • Cross-namespace access controls

Environment-Specific RBAC

Development Environment

  • Broader permissions for development workflows
  • Self-service namespace creation
  • Debug and troubleshooting access
  • Resource quota exemptions

Production Environment

  • Restricted access with approval workflows
  • Read-only access for most users
  • Audit logging for all actions
  • Emergency access procedures

Best Practices

Security Principles

  1. Principle of Least Privilege: Minimum required permissions
  2. Regular Access Reviews: Periodic permission audits
  3. Separation of Duties: Role-based responsibility separation
  4. Defense in Depth: Multiple security layers

Implementation Guidelines

  1. Use Groups: Assign roles to groups, not individuals
  2. Namespace Isolation: Environment-specific permissions
  3. Regular Rotation: Service account token rotation
  4. Monitoring: Access pattern monitoring and alerting

For implementation details, refer to the Kubernetes RBAC documentation.