RBAC Patterns: Practical Access Control for Kubernetes

Calendar February 22, 2026
Kubernetes
Intermediate
Rbac-Configuration, Service-Account-Management, Security-Hardening
Rbac, Security, Service-Accounts, Access-Control
Kubectl

RBAC Patterns#

Kubernetes RBAC controls who can do what to which resources. It is built on four objects: Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings. Getting RBAC right means understanding how these four pieces compose and knowing the common patterns that cover 90% of real-world needs.

The Four RBAC Objects#

Role – Defines permissions within a single namespace. Lists API groups, resources, and allowed verbs.

ClusterRole – Defines permissions cluster-wide or for non-namespaced resources (nodes, persistent volumes, namespaces themselves).

Service Account Security: Tokens, RBAC Binding, and Workload Identity

Calendar February 22, 2026
Kubernetes
Intermediate, Advanced
Service-Account-Hardening, Workload-Identity-Configuration, Token-Management, Rbac-Binding
Service-Accounts, Security, Rbac, Workload-Identity, Tokens, Iam
Kubectl, Gcloud, Aws, Az

Service Account Security#

Every pod in Kubernetes runs as a service account. By default, that is the default service account in the pod’s namespace, with an auto-mounted API token that never expires. This default configuration is overly permissive for most workloads. Hardening service accounts is one of the highest-impact security improvements you can make in a Kubernetes cluster.

The Default Problem#

When a pod starts without specifying a service account, Kubernetes does three things: