
Lab · Intermediate

Lab: RBAC Forbidden Triage

RBAC errors are deterministic. This lab teaches you to prove identity, scope, and verb/resource, then fix the binding without over-granting.

Prerequisites

What you should have before you begin.

Tags: Security, RBAC, Operations
  • kubectl access
  • Basic RBAC concepts (Role/ClusterRole, binding)
  • A sandbox namespace

Lab text

Follow the sequence. Change one thing at a time.

Goal

You will learn to turn ‘forbidden’ into an exact sentence: subject → verb → resource → namespace. Then you will grant the smallest permission required.

  • Confirm identity.
  • Confirm the denied verb/resource.
  • Grant least privilege in the correct scope.

Prove identity and the denied action

RBAC is evaluated against the authenticated subject and requested action.

  • Use `can-i` to test the exact verb/resource/namespace.
  • Avoid guessing based on group membership.

kubectl (shell):

kubectl auth whoami                                  # the subject the API server actually authenticated
kubectl auth can-i get pods -n <ns>                  # test the exact verb/resource/namespace that was denied
kubectl auth can-i create deployments.apps -n <ns>   # resource.group form removes ambiguity between API groups

Find the binding path

Determine whether the needed permission is namespace-scoped or cluster-scoped.

  • RoleBindings apply in a namespace.
  • ClusterRoleBindings apply cluster-wide—use with restraint.

kubectl (shell):

# -o wide adds the USERS/GROUPS/SERVICEACCOUNTS columns; without it the default
# output shows only NAME/ROLE/AGE and the subject filter below matches nothing.
kubectl get rolebinding,clusterrolebinding -A -o wide | rg -n "<subject>|<sa-name>|<group>" || true

Apply the smallest fix

Do not grant cluster-admin to silence a single error.

  • Prefer Role + RoleBinding in the target namespace.
  • If you must use ClusterRole, bind it in the narrowest place possible.
  • Write down why the permission exists and who owns it.
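The three steps above, carried through as an added example that is not the lab's own code: a POSIX shell script that parses the apiserver's Forbidden message into subject → verb → resource → namespace and prints the single-rule Role + RoleBinding for exactly that denial. The sample denial is constructed; the message wording is the one kube-apiserver emits, and cluster-scoped denials are deliberately refused so the ClusterRole decision stays with a person.

```shell
# Added example, not the lab's own code. Parses a kube-apiserver "Forbidden"
# message into subject / verb / resource / API group / namespace and emits the
# narrowest Role + RoleBinding for exactly that denial. Constructed sample:
SAMPLE_MSG='deployments.apps is forbidden: User "system:serviceaccount:dev:ci" cannot create resource "deployments" in API group "apps" in the namespace "dev"'

# forbidden_field <message> <subject|verb|resource|group|ns>; ns is empty for
# cluster-scoped denials, which the apiserver phrases as "at the cluster scope".
forbidden_field() {
  case $2 in
    subject)  printf '%s\n' "$1" | sed -n 's/.*User "\([^"]*\)" cannot .*/\1/p' ;;
    verb)     printf '%s\n' "$1" | sed -n 's/.*" cannot \([a-z]*\) resource ".*/\1/p' ;;
    resource) printf '%s\n' "$1" | sed -n 's/.*resource "\([^"]*\)" in API group.*/\1/p' ;;
    group)    printf '%s\n' "$1" | sed -n 's/.*in API group "\([^"]*\)".*/\1/p' ;;
    ns)       printf '%s\n' "$1" | sed -n 's/.*in the namespace "\([^"]*\)".*/\1/p' ;;
  esac
}

# least_privilege_manifest <message>: one Role with a single rule plus a
# RoleBinding in the denied namespace. system:serviceaccount:<ns>:<name> is bound
# as a ServiceAccount, anything else as a User. Cluster-scoped denials are
# refused: they need a ClusterRole and a deliberate choice of where to bind it.
least_privilege_manifest() {
  subject=$(forbidden_field "$1" subject); verb=$(forbidden_field "$1" verb)
  resource=$(forbidden_field "$1" resource); group=$(forbidden_field "$1" group)
  ns=$(forbidden_field "$1" ns)
  [ -n "$ns" ] || { echo "cluster-scoped denial: needs a ClusterRole, review by hand" >&2; return 1; }
  name="allow-${verb}-$(printf '%s' "$resource" | tr '/' '-')"
  case $subject in
    system:serviceaccount:*) rest=${subject#system:serviceaccount:}
      subj="{kind: ServiceAccount, name: ${rest#*:}, namespace: ${rest%%:*}}" ;;
    *) subj="{kind: User, name: $subject, apiGroup: rbac.authorization.k8s.io}" ;;
  esac
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: $name, namespace: $ns}
rules: [{apiGroups: ["$group"], resources: ["$resource"], verbs: ["$verb"]}]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: $name, namespace: $ns}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: $name}
subjects: [$subj]
EOF
}
```

Run `least_privilege_manifest "$SAMPLE_MSG"` to see the manifest; review the printed rule before applying it, and record the owner and reason as the last step above asks.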

Canonical link

Canonical URL: /labs/rbac-forbidden-triage