RBAC
Inspect and manage Kubernetes Role-Based Access Control resources across your connected clusters. ops0 surfaces Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings so you can audit permissions without running kubectl locally.
RBAC Resource Types
Role
Grants permissions within a specific namespace
ClusterRole
Grants permissions cluster-wide or reusable across namespaces
RoleBinding
Binds a Role or ClusterRole to subjects within a namespace
ClusterRoleBinding
Binds a ClusterRole to subjects cluster-wide
Viewing Roles
Navigate to Kubernetes → RBAC → Roles (or ClusterRoles) to see all permission definitions.
| Column | Description |
|---|---|
| Name | Role name |
| Namespace | Namespace scope (Roles only; ClusterRoles are cluster-scoped) |
| Rules | Number of permission rules defined |
| Age | Time since creation |
Role Detail
Click a Role to see all its permission rules:
| Field | Description |
|---|---|
| API Groups | Which API groups the rule applies to ("" for the core group; named groups such as apps, batch, etc.) |
| Resources | Resource types (pods, deployments, secrets, etc.) |
| Verbs | Allowed actions (get, list, watch, create, update, patch, delete) |
| Resource Names | Optional — restrict rule to specific named resources |
Viewing Bindings
Navigate to Kubernetes → RBAC → Bindings to see RoleBindings and ClusterRoleBindings.
| Column | Description |
|---|---|
| Name | Binding name |
| Type | RoleBinding or ClusterRoleBinding |
| Role | The Role or ClusterRole being bound |
| Subjects | Users, groups, or service accounts granted this role |
| Namespace | Namespace scope (RoleBindings only) |
| Age | Time since creation |
Subjects
Each binding lists one or more subjects:
| Subject Kind | Description |
|---|---|
| User | A specific Kubernetes user identity |
| Group | All users belonging to a Kubernetes group |
| ServiceAccount | A service account in a specific namespace |
ops0 Service Account
ops0 connects to each cluster using a dedicated service account with a ClusterRole that grants read access across all resource types. This is created during the cluster registration process.
ClusterRole permissions include:
- nodes, pods, deployments, daemonsets, statefulsets, replicasets
- jobs, cronjobs
- services, ingresses, networkpolicies, endpoints
- persistentvolumes, persistentvolumeclaims, storageclasses
- configmaps, secrets, resourcequotas, limitranges
- events, namespaces
- metrics.k8s.io (for CPU/memory data)
- horizontalpodautoscalers, poddisruptionbudgets
Troubleshooting
Resources not showing in ops0
ops0's service account ClusterRole may be missing permissions for that resource type. Check the ClusterRoleBinding for the ops0 service account in your cluster and compare against the permissions list above.
RBAC list shows nothing
Ensure ops0 has get, list, and watch permissions on roles, clusterroles, rolebindings, and clusterrolebindings in the rbac.authorization.k8s.io API group.
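Both troubleshooting checks above come down to comparing a ClusterRole's rules against the expected read permissions. The script below is an added example, not ops0's own code: it reports which listed resources lack read verbs and which rules grant more than read. It assumes "read access" means get, list and watch, places each resource in its standard Kubernetes API group (nodes and pods under metrics.k8s.io), and runs on a constructed sample ClusterRole with the hypothetical name example-reader.

```python
import json

READ = {"get", "list", "watch"}  # assumption: "read access" means these three verbs
EXPECTED = {  # resource names from the page; API group placement is standard Kubernetes
    "": "nodes pods services endpoints persistentvolumes persistentvolumeclaims "
        "configmaps secrets resourcequotas limitranges events namespaces",
    "apps": "deployments daemonsets statefulsets replicasets",
    "batch": "jobs cronjobs",
    "networking.k8s.io": "ingresses networkpolicies",
    "storage.k8s.io": "storageclasses",
    "autoscaling": "horizontalpodautoscalers",
    "policy": "poddisruptionbudgets",
    "metrics.k8s.io": "nodes pods",
    "rbac.authorization.k8s.io": "roles clusterroles rolebindings clusterrolebindings",
}

def granted(rules, group, resource):
    """Union of verbs granted type-wide on group/resource, honouring '*'."""
    verbs = set()
    for r in rules:
        if r.get("resourceNames"):  # name-restricted rules do not cover the whole type
            continue
        groups, resources = r.get("apiGroups", []), r.get("resources", [])
        if (group in groups or "*" in groups) and (resource in resources or "*" in resources):
            verbs |= set(r.get("verbs", []))
    return verbs

def audit(cluster_role):
    """Return (missing read verbs per resource, rules granting more than read)."""
    rules = cluster_role.get("rules") or []
    missing = {}
    for group, names in EXPECTED.items():
        for res in names.split():
            verbs = granted(rules, group, res)
            gap = set() if "*" in verbs else READ - verbs
            if gap:
                missing[f"{group or 'core'}/{res}"] = sorted(gap)
    beyond_read = [r for r in rules if set(r.get("verbs", [])) - READ]
    return missing, beyond_read

# Constructed sample, shaped like `kubectl get clusterrole <name> -o json` output.
SAMPLE = json.loads("""{"kind": "ClusterRole", "metadata": {"name": "example-reader"}, "rules": [
 {"apiGroups": [""], "resources": ["nodes","pods","services","endpoints","configmaps","events","namespaces"], "verbs": ["get","list","watch"]},
 {"apiGroups": ["apps","batch"], "resources": ["*"], "verbs": ["get","list"]},
 {"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"]}]}""")

if __name__ == "__main__":
    missing, beyond_read = audit(SAMPLE)
    print(json.dumps({"missing": missing, "beyond_read": beyond_read}, indent=2))
```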