#RBAC

2 posts

K8s Advanced #2: RBAC / ServiceAccount in Depth — Aggregated ClusterRole / Impersonation / IRSA / Workload Identity
11 min read


[Intermediate #7](/en/posts/k8s-intermediate-7) covered the four RBAC objects and the ServiceAccount model. Operational clusters add more depth on top of that: Aggregated ClusterRoles, which make ClusterRoles extensible by composing them via labels; Impersonation, which lets a caller temporarily act with another user's permissions; the shift of ServiceAccount tokens from legacy Secrets to projected tokens; and EKS's IRSA and GKE's Workload Identity, which tie K8s ServiceAccounts to cloud IAM. This post goes one layer deeper into the permission model.

K8s Intermediate #7: RBAC / NetworkPolicy / ResourceQuota — Security and Resource Policy
22 min read


The final post in the K8s Intermediate series. Through [#6](/en/posts/k8s-intermediate-6) we covered the workload operations model — controllers, persistent data, external entry points, the resource model, health checks, and autoscaling. This post covers the three objects `RBAC`, `NetworkPolicy`, and `ResourceQuota` that fill the last gap in multi-tenant operation, where multiple teams and environments share one cluster. The three dimensions of who can create objects, what traffic may flow, and how much can be created are all expressed as namespace-level policy, and the real value of Namespace, briefly noted in [Basics #7](/en/posts/k8s-basics-7), is realized by these three objects. Since this is the last post in the series, a 7-post retrospective and a preview of the next track (K8s Advanced) are also included.