RBAC

Inspect and manage Kubernetes Role-Based Access Control resources across your connected clusters. ops0 surfaces Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings so you can audit permissions without running kubectl locally.

RBAC Resource Types

Role

Grants permissions within a specific namespace

ClusterRole

Grants permissions cluster-wide or reusable across namespaces

RoleBinding

Binds a Role or ClusterRole to subjects within a namespace

ClusterRoleBinding

Binds a ClusterRole to subjects cluster-wide

Viewing Roles

Navigate to Kubernetes → RBAC → Roles (or ClusterRoles) to see all permission definitions.

Column	Description
Name	Role name
Namespace	Namespace scope (Roles only; ClusterRoles are cluster-scoped)
Rules	Number of permission rules defined
Age	Time since creation

Role Detail

Click a Role to see all its permission rules:

Field	Description
API Groups	Which API groups the rule applies to (`""` for core, `apps`, `batch`, etc.)
Resources	Resource types (`pods`, `deployments`, `secrets`, etc.)
Verbs	Allowed actions (`get`, `list`, `watch`, `create`, `update`, `patch`, `delete`)
Resource Names	Optional — restrict rule to specific named resources

Viewing Bindings

Navigate to Kubernetes → RBAC → Bindings to see RoleBindings and ClusterRoleBindings.

Column	Description
Name	Binding name
Type	RoleBinding or ClusterRoleBinding
Role	The Role or ClusterRole being bound
Subjects	Users, groups, or service accounts granted this role
Namespace	Namespace scope (RoleBindings only)
Age	Time since creation

Subjects

Each binding lists one or more subjects:

Subject Kind	Description
User	A specific Kubernetes user identity
Group	All users belonging to a Kubernetes group
ServiceAccount	A service account in a specific namespace

ops0 Service Account

ops0 connects to each cluster using a dedicated service account with a ClusterRole that grants read access across all resource types. This is created during the cluster registration process.

ClusterRole permissions include:

nodes, pods, deployments, daemonsets, statefulsets, replicasets
jobs, cronjobs
services, ingresses, networkpolicies, endpoints
persistentvolumes, persistentvolumeclaims, storageclasses
configmaps, secrets, resourcequotas, limitranges
events, namespaces
metrics.k8s.io (for CPU/memory data)
horizontalpodautoscalers, poddisruptionbudgets

Troubleshooting

Resources not showing in ops0

ops0's service account ClusterRole may be missing permissions for that resource type. Check the ClusterRoleBinding for the ops0 service account in your cluster and compare against the permissions list above.

RBAC list shows nothing

Ensure ops0 has get, list, and watch permissions on roles, clusterroles, rolebindings, and clusterrolebindings in the rbac.authorization.k8s.io API group.

Viewing Roles

Navigate to Kubernetes → RBAC → Roles (or ClusterRoles) to see all permission definitions.

Column

Description

Name

Role name

Namespace

Namespace scope (Roles only; ClusterRoles are cluster-scoped)

Rules

Number of permission rules defined

Age

Time since creation

Role Detail

Click a Role to see all its permission rules:

Field

Description

API Groups

Which API groups the rule applies to ("" for core, apps, batch, etc.)

Resources

Resource types (pods, deployments, secrets, etc.)

Verbs

Allowed actions (get, list, watch, create, update, patch, delete)

Resource Names

Optional — restrict rule to specific named resources

Viewing Bindings

Navigate to Kubernetes → RBAC → Bindings to see RoleBindings and ClusterRoleBindings.

Column

Description

Name

Binding name

Type

RoleBinding or ClusterRoleBinding

Role

The Role or ClusterRole being bound

Subjects

Users, groups, or service accounts granted this role

Namespace

Namespace scope (RoleBindings only)

Age

Time since creation

Subjects

Each binding lists one or more subjects:

Subject Kind

Description

User

A specific Kubernetes user identity

Group

All users belonging to a Kubernetes group

ServiceAccount

A service account in a specific namespace

ops0 Service Account

ops0 connects to each cluster using a dedicated service account with a ClusterRole that grants read access across all resource types. This is created during the cluster registration process.

ClusterRole permissions include:

nodes, pods, deployments, daemonsets, statefulsets, replicasets

jobs, cronjobs

services, ingresses, networkpolicies, endpoints

persistentvolumes, persistentvolumeclaims, storageclasses

configmaps, secrets, resourcequotas, limitranges

events, namespaces

metrics.k8s.io (for CPU/memory data)

horizontalpodautoscalers, poddisruptionbudgets

Troubleshooting

Resources not showing in ops0

RBAC list shows nothing

Ensure ops0 has get, list, and watch permissions on roles, clusterroles, rolebindings, and clusterrolebindings in the rbac.authorization.k8s.io API group.