concept ClusterRoles in category kubernetes

appears as: ClusterRoles
Kubernetes in Action

This is an excerpt from Manning's book Kubernetes in Action.

Figure 12.3. Roles and RoleBindings are namespaced; ClusterRoles and ClusterRoleBindings aren’t.

As you can see from the figure, multiple RoleBindings can exist in a single namespace (this is also true for Roles). Likewise, multiple ClusterRoleBindings and ClusterRoles can be created. Another thing shown in the figure is that although RoleBindings are namespaced, they can also reference ClusterRoles, which aren’t.

Listing 12.17. Listing all ClusterRoleBindings and ClusterRoles
$ kubectl get clusterrolebindings
NAME                                           AGE
cluster-admin                                  1d
system:basic-user                              1d
system:controller:attachdetach-controller      1d
...
system:controller:ttl-controller               1d
system:discovery                               1d
system:kube-controller-manager                 1d
system:kube-dns                                1d
system:kube-scheduler                          1d
system:node                                    1d
system:node-proxier                            1d

$ kubectl get clusterroles
NAME                                           AGE
admin                                          1d
cluster-admin                                  1d
edit                                           1d
system:auth-delegator                          1d
system:basic-user                              1d
system:controller:attachdetach-controller      1d
...
system:controller:ttl-controller               1d
system:discovery                               1d
system:heapster                                1d
system:kube-aggregator                         1d
system:kube-controller-manager                 1d
system:kube-dns                                1d
system:kube-scheduler                          1d
system:node                                    1d
system:node-bootstrapper                       1d
system:node-problem-detector                   1d
system:node-proxier                            1d
system:persistent-volume-provisioner           1d
view                                           1d



As you’ve learned throughout the book, certain resources aren’t namespaced at all (this includes Nodes, PersistentVolumes, Namespaces, and so on). We’ve also mentioned that the API server exposes some URL paths that don’t represent resources (/healthz, for example). Regular Roles can’t grant access to those resources or non-resource URLs, but ClusterRoles can.
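The scoping rule that matters when reviewing RBAC grants, as an added example that is not from the book or from Kubernetes itself: a ClusterRole bound through a RoleBinding takes effect only for namespaced resources in that binding's namespace, while the same ClusterRole bound through a ClusterRoleBinding also covers cluster-level resources and non-resource URLs. The sketch is a simplified model of that rule; the role name, subjects and namespaces are hypothetical.

```python
# Simplified model of RBAC scoping; not the API server's authorizer.
CLUSTER_SCOPED = {"nodes", "persistentvolumes", "namespaces"}

# Constructed sample objects; every name here is hypothetical.
CLUSTER_ROLES = {
    "pv-reader": [
        {"resources": ["persistentvolumes", "pods"], "verbs": ["get", "list"]},
        {"nonResourceURLs": ["/healthz"], "verbs": ["get"]},
    ],
}
BINDINGS = [
    # Namespaced binding that references a ClusterRole.
    {"kind": "RoleBinding", "namespace": "foo", "subject": "alice",
     "clusterRole": "pv-reader"},
    # Cluster-wide binding to the same ClusterRole.
    {"kind": "ClusterRoleBinding", "namespace": None, "subject": "bob",
     "clusterRole": "pv-reader"},
]


def allowed(subject, verb, resource=None, namespace=None, url=None):
    """Return True if any binding grants the request to the subject."""
    for b in BINDINGS:
        if b["subject"] != subject:
            continue
        cluster_wide = b["kind"] == "ClusterRoleBinding"
        for rule in CLUSTER_ROLES.get(b["clusterRole"], []):
            if verb not in rule["verbs"]:
                continue
            if url is not None:
                # Non-resource URLs take effect only through a ClusterRoleBinding.
                if cluster_wide and url in rule.get("nonResourceURLs", []):
                    return True
                continue
            if resource not in rule.get("resources", []):
                continue
            if cluster_wide:
                return True  # any namespace, plus cluster-scoped resources
            # RoleBinding: namespaced resources in the binding's own namespace only.
            if resource not in CLUSTER_SCOPED and namespace == b["namespace"]:
                return True
    return False
```

When auditing a cluster, the binding kind therefore matters as much as the role it references: the same ClusterRole is narrow under a RoleBinding and cluster-wide under a ClusterRoleBinding.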
