k8s/labs/security/role.yaml — Namespace-scoped Role with rules granting API permissions.k8s/labs/security/rolebinding.yaml — RoleBinding linking subjects (users, groups, or ServiceAccounts) to a Role.Request: User "jane" tries to list pods in "default" namespace
Flow: jane → kubectl get pods → API Server → Check RoleBinding → Verify pod-reader Role → Allow/Deny
Result: If jane has pod-reader RoleBinding, request is allowed ✅
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: default name: pod-reader rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "watch", "list"]
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: read-pods namespace: default subjects: - kind: User name: jane apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: secret-reader rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"]
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: read-secrets-global subjects: - kind: Group name: managers apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io