= k8s/StudyNotes/RBAC =

 * Check Access {{{
kubectl auth can-i create deployments --as dev-user
kubectl auth can-i delete nodes --as dev-user --namespace=dev
}}}

 * RBAC is one of the authorizers (authorization modes) that kube-apiserver uses. The full set: Node, ABAC, RBAC, Webhook, AlwaysAllow, AlwaysDeny

 * e.g. {{{
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
rules:
- apiGroups: [""]  # "" = core API group (v1); all other groups are named
  resources: ["pods"]
  verbs: ["list", "get"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get", "create", "update", "delete"]
  resourceNames: ["bluepod", "orangepod"]  # <- limit to specific pods; "create" cannot be restricted by name, so this rule never grants it
- apiGroups: [""]  # "" = core API group (v1); all other groups are named
  resources: ["configmaps"]  # RBAC matches the lowercase plural resource name, not the Kind
  verbs: ["create"]
}}}

 * RoleBinding binds a user to a role {{{
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser-developer-binding
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
}}}
 * View with {{{
kubectl get roles
kubectl get rolebindings
kubectl describe role developer
}}}
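
As an added example (not part of the original notes), a simplified Python model of how the RBAC authorizer evaluates the `developer` Role above for `dev-user`, showing why `resourceNames` narrows `delete` but cannot grant `create`. The function names are hypothetical, and subresources, non-resource URLs and ClusterRoles are left out.

```python
# Simplified model of RBAC rule matching for a namespaced Role.
# Assumptions: no subresources, nonResourceURLs or ClusterRoles;
# function names are hypothetical, not a Kubernetes API.

DEVELOPER_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "get"]},
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["list", "get", "create", "update", "delete"],
     "resourceNames": ["bluepod", "orangepod"]},
    # RBAC matches the lowercase plural resource name
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]},
]

# Subject -> rules, as wired up by the devuser-developer-binding RoleBinding
BINDINGS = {"dev-user": DEVELOPER_RULES}


def matches(allowed, value):
    """A field matches on an exact entry or the '*' wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, group, resource, name=""):
    if not (matches(rule["verbs"], verb)
            and matches(rule["apiGroups"], group)
            and matches(rule["resources"], resource)):
        return False
    names = rule.get("resourceNames", [])
    # No resourceNames: any object. Otherwise the request must name a listed one.
    return not names or name in names


def can_i(user, verb, resource, name="", group=""):
    # create/deletecollection requests carry no object name at authorization
    # time, so a rule with resourceNames can never match them.
    if verb in ("create", "deletecollection"):
        name = ""
    # RBAC is additive: the request is allowed if any bound rule matches.
    return any(rule_allows(r, verb, group, resource, name)
               for r in BINDINGS.get(user, []))


if __name__ == "__main__":
    print(can_i("dev-user", "delete", "pods", "bluepod"))
    print(can_i("dev-user", "create", "deployments", group="apps"))
```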