
Atlas: RBAC Forbidden

kubectl actions fail with ‘forbidden’ or workloads fail due to denied API calls.

Symptom → evidence → resolution.

Symptom

kubectl actions fail with ‘forbidden’ or workloads fail due to denied API calls.

Tags: Security, RBAC, Operations

What this usually means

The authenticated identity does not have permission for the requested verb/resource in the requested scope. The system is not confused; the policy is explicit.

What to inspect first

Prove identity, then test the exact action.

  • Avoid guesswork based on group names.
  • Test the exact scope: namespace vs cluster.

kubectl

```shell
# Prove which identity (user, groups) the API server actually sees before reasoning about group names
kubectl auth whoami
# Test the exact verb, resource and scope that failed; drop -n to test the cluster scope
kubectl auth can-i <verb> <resource> -n <ns>
```

Resolution guidance

Grant the smallest permission required in the narrowest scope that matches intent.

  • Prefer Role + RoleBinding in the target namespace.
  • Use ClusterRoleBindings with restraint; they widen the blast radius and add audit burden.
  • Document why the permission exists and who owns it.
  • Define break-glass explicitly; avoid silent escalation.
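As an added example (not part of the Atlas entry), the following Python turns the API server's Forbidden message into the two can-i checks from the inspection step and the narrowest Role/RoleBinding that would satisfy the resolution guidance, including owner and reason annotations. The error strings, subject names, annotation keys and the grant name are constructed for illustration.

```python
import re

# Shape of the API server's Forbidden message, namespace-scoped or cluster-scoped.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" (?:in the namespace "(?P<ns>[^"]+)"|at the cluster scope)')
RBAC = "rbac.authorization.k8s.io"
# Constructed sample errors; the names in them are hypothetical.
SAMPLE_NS = ('Error from server (Forbidden): pods is forbidden: User '
             '"system:serviceaccount:dev:ci-runner" cannot list resource "pods" '
             'in API group "" in the namespace "dev"')
SAMPLE_CLUSTER = ('Error from server (Forbidden): nodes is forbidden: User "jane" '
                  'cannot list resource "nodes" in API group "" at the cluster scope')

def parse_forbidden(msg):
    """Pull subject, verb, resource, API group and scope out of a Forbidden error."""
    m = FORBIDDEN_RE.search(msg)
    if not m:
        raise ValueError("unrecognised Forbidden message: %r" % msg)
    d = m.groupdict()
    parts = d["user"].split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        subject = {"kind": "ServiceAccount", "namespace": parts[2], "name": parts[3]}
    else:  # the message names the user, not its groups: bind the identity that was denied
        subject = {"kind": "User", "apiGroup": RBAC, "name": d["user"]}
    return {"as_user": d["user"], "subject": subject, "verb": d["verb"],
            "resource": d["resource"], "group": d["group"], "namespace": d["ns"]}

def can_i_commands(p):
    """Checks to run before granting anything: the exact namespace, then cluster-wide (-A)."""
    base, _, sub = p["resource"].partition("/")   # keep subresources such as pods/log
    arg = base + ("." + p["group"] if p["group"] else "") + ("/" + sub if sub else "")
    head = "kubectl auth can-i %s %s --as %s" % (p["verb"], arg, p["as_user"])
    return (head + " -n " + p["namespace"] if p["namespace"] else None), head + " -A"

def minimal_grant(p, owner, reason, name="constructed-grant"):
    """One verb on one resource, bound in the namespace of the denial; a ClusterRole only
    when the resource itself is cluster-scoped. Annotations record owner and purpose."""
    kind = "Role" if p["namespace"] else "ClusterRole"
    meta = {"name": name, "annotations": {"owner": owner, "reason": reason}}
    if p["namespace"]:
        meta["namespace"] = p["namespace"]
    role = {"apiVersion": RBAC + "/v1", "kind": kind, "metadata": dict(meta),
            "rules": [{"apiGroups": [p["group"]], "resources": [p["resource"]], "verbs": [p["verb"]]}]}
    binding = {"apiVersion": RBAC + "/v1", "kind": kind + "Binding", "metadata": dict(meta),
               "subjects": [p["subject"]], "roleRef": {"apiGroup": RBAC, "kind": kind, "name": name}}
    return role, binding
```

Serialising the returned dicts with json.dumps gives manifests kubectl apply accepts, since JSON is valid YAML; review the rule before applying it.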

Canonical link

Canonical URL: /atlas/rbac-forbidden