Namespaces and RBAC

Introduction

I learned about Kubernetes namespaces the hard way when a junior developer accidentally deleted a production deployment—because we were running everything in the default namespace with cluster-admin privileges. That incident forced me to completely redesign our cluster security model, implementing proper namespace isolation and role-based access control (RBAC).

Since then, I've architected multi-tenant Kubernetes platforms for organizations with hundreds of teams, each requiring isolated environments with specific access controls. I've debugged mysterious permission issues at 2 AM and designed sophisticated RBAC policies for compliance requirements. Through these experiences, I've developed a deep understanding of how to properly secure and organize Kubernetes clusters.

In this comprehensive guide, I'll share everything I've learned about namespaces, RBAC, service accounts, and multi-tenancy patterns in Kubernetes.

Table of Contents

1. Understanding Namespaces

2. Namespace Basics

3. Introduction to RBAC

4. Roles and ClusterRoles

5. RoleBindings and ClusterRoleBindings

6. Service Accounts

7. Multi-Tenancy Patterns

8. Resource Quotas and Limit Ranges

9. Network Policies for Isolation

10. Security Best Practices

11. Troubleshooting Access Issues

12. Advanced RBAC Patterns

13. What I Learned

Understanding Namespaces

Namespaces provide a mechanism for isolating groups of resources within a single cluster. They're the foundation for multi-tenancy, allowing multiple teams or projects to share a cluster while maintaining separation. Think of namespaces as virtual clusters within a physical cluster.

Why Namespaces Matter

Without namespaces, every resource name must be unique across the entire cluster. As clusters grow, this becomes unmanageable. Namespaces solve this by providing scope for names, allowing different teams to use the same resource names in their respective namespaces.

Default Namespaces

Kubernetes clusters start with several default namespaces:

• default: For resources without a specified namespace

• kube-system: For Kubernetes system components

• kube-public: Readable by all users, used for public resources

• kube-node-lease: For node heartbeat objects (improved node controller performance)

Namespace Basics

Creating Namespaces

Using kubectl:

Namespace YAML with annotations:

Working with Namespaces

Deploying Resources to Namespaces

Deploying to namespaces:

Introduction to RBAC

Role-Based Access Control (RBAC) regulates access to Kubernetes resources based on roles assigned to users, groups, or service accounts.

RBAC Architecture

RBAC Components

1. Role/ClusterRole: Defines permissions (what actions on what resources)

2. RoleBinding/ClusterRoleBinding: Grants permissions to subjects

3. Subjects: Users, groups, or service accounts

Checking RBAC Permissions

Roles and ClusterRoles

Role (Namespace-scoped)

A Role grants permissions within a single namespace:

Common verbs:

• get: Read individual resource

• list: List multiple resources

• watch: Watch for changes

• create: Create new resources

• update: Update existing resources

• patch: Partially update resources

• delete: Delete resources

• deletecollection: Delete multiple resources

Developer role example:

ClusterRole (Cluster-wide)

ClusterRoles can grant permissions to:

• Cluster-scoped resources (nodes, persistent volumes)

• Non-resource endpoints (/healthz, /metrics)

• Resources across all namespaces

View built-in ClusterRoles:

Aggregated ClusterRoles

ClusterRoles can aggregate permissions from other roles:

RoleBindings and ClusterRoleBindings

RoleBinding

Grants a Role's permissions to subjects within a namespace:

Creating RoleBinding with kubectl:

ClusterRoleBinding

Grants a ClusterRole's permissions across all namespaces:

Important: ClusterRoleBindings grant permissions cluster-wide. Use carefully!

Service Accounts

Service accounts provide identities for pods to interact with the Kubernetes API.

Creating Service Accounts

Using Service Accounts in Pods

Accessing Kubernetes API from pod:

Disable Automounting Token

For pods that don't need API access:

Multi-Tenancy Patterns

Namespace-per-Team

Namespace-per-Environment

Cross-Namespace Access

Resource Quotas and Limit Ranges

Resource Quotas

Limit aggregate resource consumption per namespace:

Checking quota usage:

Limit Ranges

Set default and maximum resource limits for pods:

Effect on pods without resource specifications:

Network Policies for Isolation

Network Policies provide network-level isolation between namespaces:

Cross-namespace network policy:

Security Best Practices

1. Principle of Least Privilege

2. Use Service Accounts for Pods

3. Namespace Isolation

4. Audit RBAC Regularly

5. Use ResourceNames for Fine-Grained Control

Troubleshooting Access Issues

Permission Denied Errors

Service Account Issues

Debugging RBAC with impersonation

Advanced RBAC Patterns

Dynamic Admission Control

Use ValidatingWebhookConfiguration for additional security:

Attribute-Based Access Control (ABAC) Alternative

While RBAC is standard, ABAC offers more flexibility:

Hierarchical Namespaces

Using Hierarchical Namespace Controller (HNC):

What I Learned

After years of implementing and managing RBAC in Kubernetes, these are my key lessons:

1. Start Restrictive: Begin with minimal permissions and add more as needed. It's easier to grant additional permissions than to revoke excessive ones after they're in use.

2. Document Everything: RBAC configurations can become complex. Document why specific permissions exist and who requested them. Future you will be grateful.

3. Use Groups: Manage permissions for groups rather than individual users. This scales better as teams grow and change.

4. Regular Audits: Schedule quarterly RBAC audits. People change roles, applications get deprecated, and permissions accumulate. Clean up regularly.

5. Namespace Strategy Matters: Choose your namespace strategy early (per-team, per-environment, per-application) and stick with it. Changing later is painful.

6. Test Permission Changes: Always test RBAC changes in non-production first. A misconfigured RBAC rule can break production deployments.

7. Beware cluster-admin: That role is powerful and tempting but should be rarely used. Create specific ClusterRoles instead.

8. Service Accounts Are Not Optional: Every pod should have a dedicated service account with minimum required permissions. The default service account is a security risk.

9. Network Policies Complete the Picture: RBAC controls API access, but network policies control network traffic. You need both for proper multi-tenancy.

10. Automation Is Key: Use GitOps and automated tools to manage RBAC. Manual kubectl commands lead to configuration drift and security gaps.

Security in Kubernetes is not just about preventing unauthorized access—it's about enabling teams to work safely and efficiently. Well-designed RBAC and namespace strategies provide both security and productivity.

The investment in properly designing your cluster's security model pays dividends every day through reduced incidents, faster debugging, and the confidence that your applications and data are properly protected.