Role-Based Access Control (RBAC) is a fundamental security mechanism in Kubernetes for regulating access to API resources. It operates on four key API objects: Role, ClusterRole, RoleBinding, and ClusterRoleBinding. A Role or ClusterRole contains rules that represent a set of permissions, defining which actions (verbs like get, list, create) are allowed on specific resources (like pods, deployments). A RoleBinding or ClusterRoleBinding then grants these defined permissions to a set of subjects (users, groups, or ServiceAccounts), effectively connecting a role to a user.

A. RBAC explicitly supports namespace isolation through Roles and RoleBindings, which are namespaced objects. ClusterRoles and ClusterRoleBindings operate at the cluster scope.

B. The purpose of RBAC is to enforce the principle of least privilege by restricting access, not to grant unrestricted access by default.

C. RBAC permissions can be configured for any Kubernetes API resource (e.g., Services, Deployments, Nodes, Secrets), not just Pods.

1. Kubernetes Official Documentation

"Using RBAC Authorization": The "API Objects" section details the four primary RBAC objects. It states

"An RBAC Role or ClusterRole contains rules that represent a set of permissions... A RoleBinding grants the permissions defined in a role to a user or set of users." This directly supports the correct answer (D) and refutes the incorrect ones by explaining the distinct functions of namespaced (Role) and cluster-scoped (ClusterRole) objects (refuting A) and their application to various resources (refuting C).

Reference: Kubernetes Authors. (2023). Using RBAC Authorization. Kubernetes Documentation. Retrieved from https://kubernetes.io/docs/reference/access-authn-authz/rbac/#api-objects

2. University of California

Berkeley

CS 162: Operating Systems and System Programming

Lecture 22: The lecture notes on Kubernetes describe its security model

including RBAC. It explains that RBAC allows administrators to define roles with specific permissions (e.g.

read-only access to pods in a namespace) and bind them to users

which aligns with the principle of granular access control.

Reference: Kubiatowicz

J.

& Culler

D. (2022). Lecture 22: Cloud Computing II: Kubernetes. EECS Department

University of California

Berkeley. Slide 68-70. Retrieved from https://cs162.eecs.berkeley.edu/static/lectures/22-Cloud2.pdf

3. Peer-Reviewed Academic Publication: In "A Comprehensive Security Assessment of Kubernetes

" the authors analyze the RBAC mechanism. They state

"RBAC allows administrators to define roles with specific permissions and then assign these roles to users or groups... A role contains a set of rules that define the allowed operations (verbs) on a set of resources." This academic analysis confirms that RBAC's core function is to grant specific permissions via roles and bindings.

Reference: Al-Dhuraid

B.

Diekmann

N.

& Yampolskiy

M. (2021). A Comprehensive Security Assessment of Kubernetes. IEEE Access

9

61136-61155. Section III-B

"Authorization". DOI: https://doi.org/10.1109/ACCESS.2021.3073986