Learn to implement Kubernetes Role-Based Access Control (RBAC) with service accounts, cluster roles, and role bindings for granular permissions and secure cluster access management.
## Prerequisites
- Running Kubernetes cluster with kubectl access
- Cluster admin permissions for RBAC configuration
- Basic understanding of Kubernetes concepts
## What this solves
Kubernetes RBAC provides fine-grained access control for your cluster resources by defining who can perform specific actions on which resources. This tutorial shows you how to create service accounts with appropriate permissions using cluster roles and role bindings, ensuring secure access control while maintaining operational flexibility.
## Understanding RBAC components

The RBAC API defines four object kinds that work together to control access: Roles and ClusterRoles define which verbs may be performed on which resources (a Role is confined to one namespace, a ClusterRole is not), and RoleBindings and ClusterRoleBindings associate subjects (users, groups, or service accounts) with those roles. Service accounts are the identities that pods, and any external system holding a service account token, authenticate as. RBAC is purely additive: there are no deny rules, and a subject's effective permissions are the union of every rule reachable through every binding that names it.
## Step-by-step configuration

### Verify RBAC is enabled

Check that RBAC is enabled in your Kubernetes cluster. The first command should answer `no`: with RBAC active, the anonymous user holds no permissions. The second greps the API server flags out of the cluster dump, which only works where the dump includes the control-plane configuration; a more portable check is whether the cluster serves the `rbac.authorization.k8s.io/v1` API group at all.

```bash
kubectl auth can-i list pods --as=system:anonymous
kubectl cluster-info dump | grep -i authorization-mode
```
### Create a dedicated namespace

Create a namespace for testing RBAC configurations to isolate your setup.

```bash
kubectl create namespace rbac-demo
```
### Create service accounts

Create service accounts with specific metadata and labels for better organization. The third account, `cluster-admin-sa`, is bound to the built-in `cluster-admin` ClusterRole later in this tutorial; treat its token as a cluster-wide root credential and only create it in a disposable test cluster.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
  namespace: rbac-demo
  labels:
    app: rbac-demo
    role: reader
  annotations:
    description: "Service account for reading pod information"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deployment-manager
  namespace: rbac-demo
  labels:
    app: rbac-demo
    role: manager
  annotations:
    description: "Service account for managing deployments"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cluster-admin-sa
  namespace: rbac-demo
  labels:
    app: rbac-demo
    role: admin
  annotations:
    description: "Service account with cluster-wide admin privileges"
```

```bash
kubectl apply -f serviceaccounts.yaml
```
### Create cluster roles with specific permissions

Define cluster roles with granular permissions for different access levels. A ClusterRole is only a set of rules; how far it reaches depends on the binding. The wildcard `namespace-admin-role` below is intended to be granted through a RoleBinding, which confines it to that binding's namespace; granted through a ClusterRoleBinding it would give near cluster-admin control over the core and `apps` resources everywhere.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader-role
  labels:
    app: rbac-demo
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-manager-role
  labels:
    app: rbac-demo
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-admin-role
  labels:
    app: rbac-demo
rules:
  # Wildcards grant every verb on every resource in the group, including
  # secrets and pods/exec; bind this role only with a namespaced RoleBinding.
  - apiGroups: [""]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["apps"]
    resources: ["*"]
    verbs: ["*"]
  # The extensions group was removed in Kubernetes 1.16; this rule is
  # harmless on newer clusters and only matters for older ones.
  - apiGroups: ["extensions"]
    resources: ["*"]
    verbs: ["*"]
```

```bash
kubectl apply -f clusterroles.yaml
```
### Create namespace-specific roles

Create roles that are scoped to specific namespaces for more granular control.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: rbac-demo
  name: secret-manager
  labels:
    app: rbac-demo
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: rbac-demo
  name: service-manager
  labels:
    app: rbac-demo
rules:
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]
```

```bash
kubectl apply -f roles.yaml
```
### Create cluster role bindings

Bind service accounts to cluster roles to grant cluster-wide permissions. The last binding references the built-in `cluster-admin` ClusterRole: any pod running as `cluster-admin-sa`, and anyone who obtains that account's token, has unrestricted control of the entire cluster. Keep this binding confined to disposable test clusters and look for bindings like it when auditing real ones.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pod-reader-binding
  labels:
    app: rbac-demo
subjects:
  - kind: ServiceAccount
    name: pod-reader
    namespace: rbac-demo
roleRef:
  kind: ClusterRole
  name: pod-reader-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deployment-manager-binding
  labels:
    app: rbac-demo
subjects:
  - kind: ServiceAccount
    name: deployment-manager
    namespace: rbac-demo
roleRef:
  kind: ClusterRole
  name: deployment-manager-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
  labels:
    app: rbac-demo
subjects:
  - kind: ServiceAccount
    name: cluster-admin-sa
    namespace: rbac-demo
roleRef:
  kind: ClusterRole
  name: cluster-admin   # built-in superuser role: full control of every resource
  apiGroup: rbac.authorization.k8s.io
```

```bash
kubectl apply -f clusterrolebindings.yaml
```
### Create namespace-specific role bindings

Bind service accounts to namespace roles for scoped permissions. A RoleBinding may also reference a ClusterRole; its rules then apply only inside the binding's namespace, which is how a reusable role such as `namespace-admin-role` should be granted rather than through a ClusterRoleBinding. After these two bindings, `deployment-manager` holds the union of its ClusterRole and both Roles, including full read and write access to every Secret in `rbac-demo`.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-manager-binding
  namespace: rbac-demo
  labels:
    app: rbac-demo
subjects:
  - kind: ServiceAccount
    name: deployment-manager
    namespace: rbac-demo
roleRef:
  kind: Role
  name: secret-manager
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: service-manager-binding
  namespace: rbac-demo
  labels:
    app: rbac-demo
subjects:
  - kind: ServiceAccount
    name: deployment-manager
    namespace: rbac-demo
roleRef:
  kind: Role
  name: service-manager
  apiGroup: rbac.authorization.k8s.io
```

```bash
kubectl apply -f rolebindings.yaml
```
### Configure service account tokens

Create long-lived tokens for service accounts that need persistent access. Since Kubernetes 1.24 the API server no longer creates these Secrets automatically; a Secret of type `kubernetes.io/service-account-token` is populated by the token controller with a token that never expires, so it has to be stored, inventoried and rotated like any other static credential. Pods do not need one (they receive short-lived projected tokens through the TokenRequest API), and for external systems a time-bound token from `kubectl create token` is preferable to a permanent Secret.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: pod-reader-token
  namespace: rbac-demo
  annotations:
    kubernetes.io/service-account.name: pod-reader
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: Secret
metadata:
  name: deployment-manager-token
  namespace: rbac-demo
  annotations:
    kubernetes.io/service-account.name: deployment-manager
type: kubernetes.io/service-account-token
```

```bash
kubectl apply -f serviceaccount-tokens.yaml
```
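The practical difference between a Secret-backed token and a TokenRequest token is visible in the JWT claims: the legacy token carries no `exp` claim and names its backing Secret, while a bound token has a lifetime and a `kubernetes.io` claim tying it to a pod. The following script is an added example, not part of this tutorial; it decodes the claims of tokens you already hold so that non-expiring ones can be found and rotated. The two sample tokens are constructed inline with the documented claim layouts and a bogus signature, and the script deliberately does not verify signatures (that is the API server's job), so it must not be used to authenticate anything.

```python
import base64
import json


def _b64url(obj):
    """base64url-encode a JSON object without padding, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _make_sample_jwt(claims):
    # Constructed sample: real header layout, fake signature segment.
    return f"{_b64url({'alg': 'RS256', 'kid': 'sample'})}.{_b64url(claims)}.c2lnbmF0dXJl"


# Constructed sample 1: claims as issued for a kubernetes.io/service-account-token Secret.
LEGACY_TOKEN = _make_sample_jwt({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "rbac-demo",
    "kubernetes.io/serviceaccount/secret.name": "pod-reader-token",
    "kubernetes.io/serviceaccount/service-account.name": "pod-reader",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000001",
    "sub": "system:serviceaccount:rbac-demo:pod-reader",
})

# Constructed sample 2: claims as issued by the TokenRequest API for a projected pod token.
BOUND_TOKEN = _make_sample_jwt({
    "aud": ["https://kubernetes.default.svc"],
    "iss": "https://kubernetes.default.svc.cluster.local",
    "iat": 1700000000,
    "nbf": 1700000000,
    "exp": 1700003600,
    "kubernetes.io": {
        "namespace": "rbac-demo",
        "pod": {"name": "pod-reader-test", "uid": "00000000-0000-0000-0000-000000000002"},
        "serviceaccount": {"name": "pod-reader", "uid": "00000000-0000-0000-0000-000000000001"},
    },
    "sub": "system:serviceaccount:rbac-demo:pod-reader",
})


def _b64url_decode(segment):
    # JWT segments omit padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token):
    """Summarise a service account JWT's claims. The signature is NOT verified:
    this inventories credentials you already hold, it does not authenticate them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWS compact serialisation")
    claims = json.loads(_b64url_decode(parts[1]))
    bound = claims.get("kubernetes.io", {})
    has_lifetime = "exp" in claims and "iat" in claims
    return {
        "subject": claims.get("sub"),
        "expires": "exp" in claims,
        "lifetime_seconds": claims["exp"] - claims["iat"] if has_lifetime else None,
        "bound_to_pod": bound.get("pod", {}).get("name"),
        "backing_secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
        "audience": claims.get("aud"),
    }


def non_expiring_subjects(tokens):
    """Subjects whose tokens never expire: candidates for rotation or replacement
    with TokenRequest tokens."""
    summaries = [inspect_token(t) for t in tokens]
    return sorted({s["subject"] for s in summaries if not s["expires"]})


if __name__ == "__main__":
    for t in (LEGACY_TOKEN, BOUND_TOKEN):
        print(json.dumps(inspect_token(t), indent=2))
    print("non-expiring:", non_expiring_subjects([LEGACY_TOKEN, BOUND_TOKEN]))
```

Feed it the value of a token Secret's `data.token` field (base64-decoded) or a token taken from a pod's projected volume; a result with `expires: false` and a `backing_secret` is the static kind that belongs in a rotation schedule.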
### Create test pods with service accounts

Deploy pods that use the configured service accounts to test RBAC permissions. The kubelet mounts a short-lived projected token for the pod's service account, so `kubectl` inside the container authenticates as that account without any further configuration.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-reader-test
  namespace: rbac-demo
  labels:
    app: rbac-demo
    test: pod-reader
spec:
  serviceAccountName: pod-reader
  containers:
    - name: kubectl
      image: bitnami/kubectl:latest   # pin a specific tag outside of a throwaway test
      command: ['sleep', '3600']
  restartPolicy: Never
---
apiVersion: v1
kind: Pod
metadata:
  name: deployment-manager-test
  namespace: rbac-demo
  labels:
    app: rbac-demo
    test: deployment-manager
spec:
  serviceAccountName: deployment-manager
  containers:
    - name: kubectl
      image: bitnami/kubectl:latest
      command: ['sleep', '3600']
  restartPolicy: Never
```

```bash
kubectl apply -f test-pods.yaml
```
## Implementing advanced RBAC policies

### Create resource-specific permissions

Configure roles with permissions for specific resources and resource names. Two limits of `resourceNames` matter here: it cannot restrict `create`, because the new object's name is not known at authorization time, so a rule carrying `resourceNames` never authorizes a create; and a `list` or `watch` restricted by name only authorizes requests that include a matching `metadata.name` field selector, so an unfiltered `kubectl get configmaps` is still denied even though `list` appears in the verbs below.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: rbac-demo
  name: specific-resource-manager
  labels:
    app: rbac-demo
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["app-secret", "db-secret"]
    verbs: ["get", "update"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    resourceNames: ["app-deployment"]
    verbs: ["get", "update", "patch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list"]   # list only succeeds with --field-selector=metadata.name=app-config
    resourceNames: ["app-config"]
```

```bash
kubectl apply -f resource-specific-role.yaml
```
### Implement attribute-based access control

Create roles for fine-grained access. Note that RBAC rules cannot express label or field selectors: authorization is decided on API group, resource, verb and optionally resource name, so label-based restrictions need a mechanism outside RBAC, such as a validating admission webhook. In the role below, `resourceNames: []` is equivalent to omitting the field (no restriction), and `create` on `pods/exec` permits running commands inside any pod the subject can reach, which in effect inherits the privileges of those pods' service accounts; grant it through a RoleBinding in one namespace rather than cluster-wide.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: label-based-access
  labels:
    app: rbac-demo
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]   # exec into pods: scope this with a namespaced RoleBinding
    verbs: ["create"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
    resourceNames: []   # an empty list imposes no restriction
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list"]
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list"]
```

```bash
kubectl apply -f attribute-based-role.yaml
```
### Configure admission control integration

Create roles that work with admission controllers for policy enforcement. This example works well with OPA Gatekeeper configurations.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: admission-controller-reviewer
  labels:
    app: rbac-demo
rules:
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingadmissionwebhooks", "mutatingadmissionwebhooks"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
```

```bash
kubectl apply -f admission-control-role.yaml
```
## Verify your RBAC setup

### Test service account permissions

Verify that each service account has the expected permissions and restrictions. `kubectl auth can-i` prints `yes` or `no` and exits non-zero for `no`, so it can be used directly in scripts.

```bash
# Test pod reader permissions
kubectl auth can-i list pods --as=system:serviceaccount:rbac-demo:pod-reader           # yes
kubectl auth can-i create deployments --as=system:serviceaccount:rbac-demo:pod-reader   # no

# Test deployment manager permissions
kubectl auth can-i create deployments --as=system:serviceaccount:rbac-demo:deployment-manager           # yes
kubectl auth can-i delete secrets --as=system:serviceaccount:rbac-demo:deployment-manager -n rbac-demo   # yes

# Test cluster admin permissions ('*' '*' asks about every verb on every resource)
kubectl auth can-i '*' '*' --as=system:serviceaccount:rbac-demo:cluster-admin-sa   # yes
```

### Verify permissions from within pods

Test actual API access from the pods using the service accounts.

```bash
# Test from pod-reader pod
kubectl exec -n rbac-demo pod-reader-test -- kubectl get pods --all-namespaces   # allowed (ClusterRoleBinding)
kubectl exec -n rbac-demo pod-reader-test -- kubectl get deployments              # expected: Forbidden

# Test from deployment-manager pod
kubectl exec -n rbac-demo deployment-manager-test -- kubectl get deployments
kubectl exec -n rbac-demo deployment-manager-test -- kubectl create deployment test-deploy --image=nginx
```

### Audit RBAC configuration

Review the complete RBAC setup and identify potential security gaps. Look in particular for bindings whose `roleRef` is `cluster-admin` or a role with wildcard verbs, for subjects that can read Secrets across a namespace, and for any grant of `create` on `pods/exec`.

```bash
# List all service accounts
kubectl get serviceaccounts -n rbac-demo -o wide

# List all role bindings (ClusterRoleBindings are cluster-scoped; -n does not filter them)
kubectl get rolebindings,clusterrolebindings -n rbac-demo -o wide

# Check role definitions
kubectl describe clusterrole pod-reader-role
kubectl describe role secret-manager -n rbac-demo

# Verify token secrets
kubectl get secrets -n rbac-demo | grep token
```
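To make the binding rules from the cluster role binding and role binding steps concrete, and to give the audit above something mechanical to check against, here is an added example (not part of this tutorial) that models RBAC evaluation offline. The roles and bindings are transcribed from the manifests in this tutorial into plain Python dicts, so nothing needs PyYAML or a cluster; the binding of `specific-resource-manager` to a hypothetical `app` service account is my addition so that the `resourceNames` rule has a subject. `can_i` implements the documented semantics (additive rules, `*` wildcards, RoleBindings confined to their namespace, `resourceNames` only matching requests that name an object) and `audit` flags wildcard rules and unrestricted access to sensitive resources per binding.

```python
# Offline model of Kubernetes RBAC evaluation plus a small audit pass.
# Roles and bindings below are transcribed from this tutorial's manifests;
# the "app" binding is a hypothetical addition for illustration.

CLUSTER_ROLES = {
    "pod-reader-role": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list"]},
    ],
    "deployment-manager-role": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["get", "list", "watch"]},
    ],
    # built-in superuser role, summarised as one wildcard rule
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
ROLES = {  # namespaced Roles keyed by (namespace, name)
    ("rbac-demo", "secret-manager"): [
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["configmaps"],
         "verbs": ["get", "list", "watch", "create", "update", "patch"]},
    ],
    ("rbac-demo", "specific-resource-manager"): [
        {"apiGroups": [""], "resources": ["secrets"],
         "resourceNames": ["app-secret", "db-secret"], "verbs": ["get", "update"]},
    ],
}
SA = "system:serviceaccount:rbac-demo:"
# (subject, roleRef kind, roleRef name, binding namespace or None for a ClusterRoleBinding)
BINDINGS = [
    (SA + "pod-reader", "ClusterRole", "pod-reader-role", None),
    (SA + "deployment-manager", "ClusterRole", "deployment-manager-role", None),
    (SA + "deployment-manager", "Role", "secret-manager", "rbac-demo"),
    (SA + "cluster-admin-sa", "ClusterRole", "cluster-admin", None),
    (SA + "app", "Role", "specific-resource-manager", "rbac-demo"),  # hypothetical
]


def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, group, resource, name=None):
    if not (_matches(rule["verbs"], verb) and _matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource)):
        return False
    names = rule.get("resourceNames")
    if not names:
        return True
    # resourceNames narrow only requests that name an object: a create (name not
    # yet known) or an unfiltered list never satisfies such a rule.
    return name is not None and name in names


def _rules_of(kind, ref, bind_ns):
    return CLUSTER_ROLES[ref] if kind == "ClusterRole" else ROLES[(bind_ns, ref)]


def rules_for(subject, namespace):
    """Union of every rule reaching `subject` for a request in `namespace`
    (None for cluster-scoped requests such as nodes)."""
    rules = []
    for subj, kind, ref, bind_ns in BINDINGS:
        if subj != subject or (bind_ns is not None and bind_ns != namespace):
            continue  # a RoleBinding only covers its own namespace
        rules.extend(_rules_of(kind, ref, bind_ns))
    return rules


def can_i(subject, verb, resource, namespace=None, group="", name=None):
    """Local stand-in for `kubectl auth can-i` against the policy above."""
    return any(rule_allows(r, verb, group, resource, name) for r in rules_for(subject, namespace))


SENSITIVE = {("", "secrets"), ("", "pods/exec"), ("rbac.authorization.k8s.io", "clusterrolebindings")}


def audit():
    """Flag wildcard rules and unrestricted access to sensitive resources, per binding."""
    findings = set()
    for subj, kind, ref, bind_ns in BINDINGS:
        scope = "cluster-wide" if bind_ns is None else f"namespace {bind_ns}"
        for rule in _rules_of(kind, ref, bind_ns):
            if "*" in rule["verbs"] or "*" in rule["resources"]:
                findings.add(f"{subj}: wildcard rule via {ref} ({scope})")
            for group in rule["apiGroups"]:
                for res in rule["resources"]:
                    if (group, res) in SENSITIVE and not rule.get("resourceNames"):
                        findings.add(f"{subj}: unrestricted {res} access via {ref} ({scope})")
    return sorted(findings)


if __name__ == "__main__":
    print(can_i(SA + "pod-reader", "list", "pods", "kube-system"))           # True
    print(can_i(SA + "deployment-manager", "delete", "secrets", "default"))  # False
    for finding in audit():
        print("FINDING:", finding)
```

The model is deliberately small: it ignores non-resource URLs, group and user subjects, and aggregated ClusterRoles, and it summarises `cluster-admin` as a single wildcard rule. Its value is in making the scoping rules visible, for instance that `deployment-manager` can delete Secrets in `rbac-demo` but not in `default`, and that the `resourceNames` role answers `no` to any request that does not name one of its objects.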
## Security best practices
Implement these security practices for production RBAC deployments. Use specific resource names when possible instead of wildcard permissions. Regularly audit and rotate service account tokens. Enable audit logging to track RBAC decisions and access patterns.
Create separate service accounts for each application or service component. Group permissions logically and use descriptive names for roles and bindings. Document the purpose and scope of each service account for your team.
For comprehensive cluster security, combine RBAC with network policies and pod security standards to create defense-in-depth protection.
## Common issues

| Symptom | Cause | Fix |
|---|---|---|
| Service account can't access resources | Missing role binding | Create appropriate RoleBinding or ClusterRoleBinding |
| "Forbidden" errors in pod logs | Insufficient permissions in role | Add required verbs and resources to the role definition |
| Service account token not found | Token secret not created | Create Secret with kubernetes.io/service-account-token type |
| Cross-namespace access denied | Using Role instead of ClusterRole | Use ClusterRole and ClusterRoleBinding for cross-namespace access |
| Application can't read own metadata | Missing self-inspection permissions | Grant `get` on pods in the same namespace, or expose the metadata through the Downward API, which needs no API access at all |
| Service discovery not working | Missing endpoints and services permissions | Add get/list verbs for services and endpoints resources |
## Next steps
- Implement network policies for pod-to-pod security
- Integrate HashiCorp Vault for advanced secrets management
- Configure ingress controllers with automated SSL certificate management
- Set up Pod Security Standards with admission controllers
- Configure Calico CNI for advanced network microsegmentation
## Automated install script

Run this to automate the entire setup. The script creates the namespace, service accounts, roles and bindings from this tutorial and verifies two permissions; on failure it removes the demo objects, but it only deletes the namespace if it created it itself, so pointing it at an existing namespace is safe. It does not create the `cluster-admin` binding.

```bash
#!/usr/bin/env bash
set -euo pipefail

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Global variables
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
NAMESPACE="${1:-rbac-demo}"
TEMP_DIR=""
CREATED_NAMESPACE=false   # only delete the namespace on failure if this script created it

# Usage message
usage() {
  echo "Usage: $0 [namespace]"
  echo "  namespace: Kubernetes namespace for RBAC demo (default: rbac-demo)"
  echo "Example: $0 my-rbac-test"
  exit 1
}

# Cleanup function: runs on every exit, removes demo objects only after a failure
cleanup() {
  local exit_code=$?
  if [[ $exit_code -ne 0 ]]; then
    echo -e "${RED}[ERROR] Script failed. Cleaning up...${NC}"
    if [[ "$CREATED_NAMESPACE" == true ]] && kubectl get namespace "$NAMESPACE" &>/dev/null; then
      echo -e "${YELLOW}[CLEANUP] Removing namespace $NAMESPACE...${NC}"
      kubectl delete namespace "$NAMESPACE" --ignore-not-found=true
    fi
    # Cluster-scoped demo objects are not removed with the namespace
    kubectl delete clusterrolebindings,clusterroles -l app=rbac-demo --ignore-not-found=true &>/dev/null || true
  fi
  if [[ -n "$TEMP_DIR" && -d "$TEMP_DIR" ]]; then
    rm -rf "$TEMP_DIR"
  fi
}

# Error handler (cleanup itself runs from the EXIT trap, so it is not called twice)
error_handler() {
  echo -e "${RED}[ERROR] Command failed on line $1${NC}"
  exit 1
}
trap 'error_handler ${LINENO}' ERR
trap cleanup EXIT

# Progress counter (one call per progress step below)
STEP=1
TOTAL_STEPS=9
progress() {
  echo -e "${BLUE}[$STEP/$TOTAL_STEPS] $1${NC}"
  ((STEP++))
}
success() {
  echo -e "${GREEN}[SUCCESS] $1${NC}"
}
warning() {
  echo -e "${YELLOW}[WARNING] $1${NC}"
}

# Check if argument is help
if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
  usage
fi

# Validate namespace name
if [[ ! "$NAMESPACE" =~ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ ]]; then
  echo -e "${RED}[ERROR] Invalid namespace name. Must be lowercase alphanumeric with hyphens.${NC}"
  exit 1
fi

progress "Checking prerequisites and detecting system..."
# Check if running as root or with sudo
if [[ $EUID -eq 0 ]]; then
  warning "Running as root. This script should be run as a regular user with kubectl access."
fi

# Detect distribution. This is informational only: nothing is installed, so an
# unknown or non-Linux system is reported as a warning rather than aborting.
if [[ -f /etc/os-release ]]; then
  . /etc/os-release
  case "$ID" in
    ubuntu|debian)
      PKG_MGR="apt"
      ;;
    almalinux|rocky|centos|rhel|ol|fedora)
      PKG_MGR="dnf"
      ;;
    amzn)
      PKG_MGR="yum"
      ;;
    *)
      PKG_MGR="unknown"
      warning "Unrecognised distribution: $ID"
      ;;
  esac
  echo "Detected distribution: $PRETTY_NAME"
  echo "Package manager: $PKG_MGR"
else
  warning "Cannot detect Linux distribution (no /etc/os-release); continuing"
fi

# Check for kubectl
if ! command -v kubectl &> /dev/null; then
  echo -e "${RED}[ERROR] kubectl is not installed. Please install kubectl first.${NC}"
  exit 1
fi

progress "Verifying Kubernetes cluster access and RBAC..."
# Check cluster access
if ! kubectl cluster-info &> /dev/null; then
  echo -e "${RED}[ERROR] Cannot connect to Kubernetes cluster. Check your kubeconfig.${NC}"
  exit 1
fi

# Check RBAC status: can-i exits non-zero for "no", which is the expected answer
if ! kubectl auth can-i list pods --as=system:anonymous &> /dev/null; then
  success "RBAC is properly enabled (anonymous access denied)"
else
  warning "RBAC might not be properly configured (anonymous access allowed)"
fi

# Check authorization mode (only visible where the cluster dump contains API server flags)
AUTH_MODE=$(kubectl cluster-info dump 2>/dev/null | grep -i "authorization-mode" | head -1 || echo "")
if [[ "$AUTH_MODE" == *"RBAC"* ]]; then
  success "RBAC authorization mode is enabled"
else
  warning "Could not verify RBAC authorization mode"
fi

progress "Creating namespace: $NAMESPACE..."
if kubectl get namespace "$NAMESPACE" &>/dev/null; then
  success "Namespace $NAMESPACE already exists (it will not be deleted on failure)"
else
  kubectl create namespace "$NAMESPACE"
  CREATED_NAMESPACE=true
  success "Namespace $NAMESPACE created"
fi

progress "Creating temporary directory and YAML files..."
TEMP_DIR=$(mktemp -d)   # mktemp creates the directory with mode 0700; keep it that way

# Create service accounts YAML
cat > "$TEMP_DIR/serviceaccounts.yaml" << 'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
  namespace: NAMESPACE_PLACEHOLDER
  labels:
    app: rbac-demo
    role: reader
  annotations:
    description: "Service account for reading pod information"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deployment-manager
  namespace: NAMESPACE_PLACEHOLDER
  labels:
    app: rbac-demo
    role: manager
  annotations:
    description: "Service account for managing deployments"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cluster-admin-sa
  namespace: NAMESPACE_PLACEHOLDER
  labels:
    app: rbac-demo
    role: admin
  annotations:
    description: "Service account with cluster-wide admin privileges"
EOF
# Replace namespace placeholder
sed -i "s/NAMESPACE_PLACEHOLDER/$NAMESPACE/g" "$TEMP_DIR/serviceaccounts.yaml"

# Create cluster roles YAML
cat > "$TEMP_DIR/clusterroles.yaml" << 'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader-role
  labels:
    app: rbac-demo
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-manager-role
  labels:
    app: rbac-demo
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-admin-role
  labels:
    app: rbac-demo
rules:
  - apiGroups: [""]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["apps"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["extensions"]
    resources: ["*"]
    verbs: ["*"]
EOF

# Create roles YAML
cat > "$TEMP_DIR/roles.yaml" << 'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: NAMESPACE_PLACEHOLDER
  name: secret-manager
  labels:
    app: rbac-demo
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
EOF
sed -i "s/NAMESPACE_PLACEHOLDER/$NAMESPACE/g" "$TEMP_DIR/roles.yaml"

# Create bindings YAML
cat > "$TEMP_DIR/bindings.yaml" << 'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pod-reader-binding
  labels:
    app: rbac-demo
subjects:
  - kind: ServiceAccount
    name: pod-reader
    namespace: NAMESPACE_PLACEHOLDER
roleRef:
  kind: ClusterRole
  name: pod-reader-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deployment-manager-binding
  labels:
    app: rbac-demo
subjects:
  - kind: ServiceAccount
    name: deployment-manager
    namespace: NAMESPACE_PLACEHOLDER
roleRef:
  kind: ClusterRole
  name: deployment-manager-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-manager-binding
  namespace: NAMESPACE_PLACEHOLDER
  labels:
    app: rbac-demo
subjects:
  - kind: ServiceAccount
    name: cluster-admin-sa
    namespace: NAMESPACE_PLACEHOLDER
roleRef:
  kind: Role
  name: secret-manager
  apiGroup: rbac.authorization.k8s.io
EOF
sed -i "s/NAMESPACE_PLACEHOLDER/$NAMESPACE/g" "$TEMP_DIR/bindings.yaml"

# Set proper permissions
chmod 644 "$TEMP_DIR"/*.yaml

progress "Applying service accounts..."
kubectl apply -f "$TEMP_DIR/serviceaccounts.yaml"
success "Service accounts created successfully"

progress "Applying cluster roles..."
kubectl apply -f "$TEMP_DIR/clusterroles.yaml"
success "Cluster roles created successfully"

progress "Applying namespace roles..."
kubectl apply -f "$TEMP_DIR/roles.yaml"
success "Namespace roles created successfully"

progress "Applying role bindings..."
kubectl apply -f "$TEMP_DIR/bindings.yaml"
success "Role bindings created successfully"

progress "Verifying RBAC configuration..."
echo ""
echo "=== Service Accounts ==="
kubectl get serviceaccounts -n "$NAMESPACE" -l app=rbac-demo
echo ""
echo "=== Cluster Roles ==="
kubectl get clusterroles -l app=rbac-demo
echo ""
echo "=== Roles ==="
kubectl get roles -n "$NAMESPACE" -l app=rbac-demo
echo ""
echo "=== Cluster Role Bindings ==="
kubectl get clusterrolebindings -l app=rbac-demo
echo ""
echo "=== Role Bindings ==="
kubectl get rolebindings -n "$NAMESPACE" -l app=rbac-demo
echo ""
echo "=== Testing Permissions ==="

# Test pod-reader permissions
if kubectl auth can-i list pods --as="system:serviceaccount:$NAMESPACE:pod-reader"; then
  success "pod-reader can list pods (as expected)"
else
  warning "pod-reader cannot list pods (unexpected)"
fi

# Test deployment-manager permissions
if kubectl auth can-i create deployments --as="system:serviceaccount:$NAMESPACE:deployment-manager"; then
  success "deployment-manager can create deployments (as expected)"
else
  warning "deployment-manager cannot create deployments (unexpected)"
fi

echo ""
success "RBAC configuration completed successfully!"
echo ""
echo "Next steps:"
echo "1. Test the service accounts with actual workloads"
echo "2. Use 'kubectl auth can-i' to verify specific permissions"
echo "3. Monitor cluster logs for authorization events"
echo ""
echo "Example commands:"
echo "  kubectl auth can-i list pods --as=system:serviceaccount:$NAMESPACE:pod-reader"
echo "  kubectl auth can-i create secrets --as=system:serviceaccount:$NAMESPACE:cluster-admin-sa -n $NAMESPACE"
echo ""
echo "To clean up:"
echo "  kubectl delete namespace $NAMESPACE"
echo "  kubectl delete clusterrole pod-reader-role deployment-manager-role namespace-admin-role"
echo "  kubectl delete clusterrolebinding pod-reader-binding deployment-manager-binding"
```

Review the script before running. Execute with: `bash install.sh [namespace]`