The Document explains how we can restrict a Linux user to a specific Kubernetes namespace with Role-based access control (RBAC). Kubernetes RBAC is powered by key resources such as Role and Role Binding to limit a user or a group to a specific namespace.

A Role always sets permissions within a particular namespace, when creating a Role we have to specify the namespace it belongs in.

A Role Binding binds users to a  role thereby granting the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups or service accounts), and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace.


Below are the steps to implement RBAC policies in a cluster for an authenticated user to access only a specific namespace.


  • Logging Into the Server
    SSH into your server as the root user:
Copy to Clipboard
  • User Creation
    Use the useradd command to add a new user to your system:
Copy to Clipboard


  • Namespace creation (if you haven’t done so already):

Copy to Clipboard


  • Create TLS Certificates for the User

    The following commands will show you how to create a private key and CSR. It is very important to set the CN attribute of CSR.

Copy to Clipboard

Note: Can’t load ./.rnd into RNG 10504:error:2406F079:random number generator:RAND_load_file:Cannotopen file:crypto\rand\randfile.c:98:Filename=./.rnd

Try removing or commenting RANDFILE = $ENV::HOME/.rnd line in /etc/ssl/openssl.cnf

  • Create a certificate signing request (CSR) for the user with the below$ vi john-csr.yaml

Copy to Clipboard

Note: please paste the output

$ (cat  john.csr | base64 | tr -d “\n”)

$ Kubectl apply -f john-csr.yaml

  • Create a certificate signing request (CSR) for the user with the below
Copy to Clipboard
  • Create a Kubernetes configuration file for the new user:

    $ vi john.conf

Copy to Clipboard

Note: please replace “$ ()” with its actual values and cluster_name can be found by running the command ‘kubectl config get-contexts’

  • Create directory .kube/   in the user directory

Copy to Clipboard
  • Copy the above <user_name>.conf to .kube/config
Copy to Clipboard

Note: <DIR> the directory of conf file that is  created for the <user_name>

  •  Set permission for config file 

Copy to Clipboard
  • Create Role manifest for setting permission for the user
    $ vi john-role.yaml
Copy to Clipboard

$kubectl apply -f john-role.yaml

  • Create Role-binding manifest for binding  permission to the user
    $vi john-RoleBinding.yaml
Copy to Clipboard

$kubectl apply -f john-RoleBinding.yaml


We can restrict a user or a group to a specific namespace with a set of permissions in a cluster with Kubernetes RBAC. This increases security in Kubernetes infrastructure.