Role-Based Access Control lets administrators regulate access to cluster resources through a set of authorisation records. The permission model is simple: permissions are granted for a given API group, resource type and verb against a cluster User or Group. The only permission is allow: it's not possible to override general permissions granted to a wider group on a per-user basis.
| Scope | Role resource | Binding resource |
|---|---|---|
| Namespaced | Role | RoleBinding |
| Cluster-wide | ClusterRole | ClusterRoleBinding |
Roles and ClusterRoles define a list of permissions (rules over API groups, resource types and verbs). RoleBindings and ClusterRoleBindings associate these rules with Users and Groups.
ClusterRole and ClusterRoleBinding resources aren't namespaced, and their assignments are cluster-wide. Roles and RoleBindings are namespaced and are effective only within the namespace in which they exist.
User and Group aren't API resources, though subject references in RoleBindings and ClusterRoleBindings may make them seem like it; see authentication.
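As an added illustration (not code from the original page or from Kubernetes itself), the following small Python model captures the evaluation rules described above: roles carry allow rules, bindings attach them to User or Group subjects, namespaced bindings apply only inside their own namespace, and the outcome is a union of grants with no deny. The class, role and subject names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    api_groups: set   # "" is the core API group; "*" matches anything
    resources: set
    verbs: set

    def matches(self, api_group, resource, verb):
        pairs = ((self.api_groups, api_group), (self.resources, resource), (self.verbs, verb))
        return all("*" in allowed or value in allowed for allowed, value in pairs)

@dataclass
class Role:
    name: str
    rules: list
    namespace: Optional[str] = None   # None models a ClusterRole

@dataclass
class Binding:
    role: Role
    subjects: set                     # ("User", name) or ("Group", name)
    namespace: Optional[str] = None   # None models a ClusterRoleBinding

def is_allowed(bindings, user, groups, namespace, api_group, resource, verb):
    """True if any applicable binding grants the verb. Grants only accumulate:
    nothing here can subtract a permission a wider Group already received."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for b in bindings:
        if not b.subjects & subjects:
            continue
        # A RoleBinding is effective only in its own namespace (it may reference a Role
        # there or a ClusterRole); a ClusterRoleBinding applies cluster-wide.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if b.role.namespace is not None and b.role.namespace != b.namespace:
            continue  # a Role from another namespace cannot be bound here
        if any(r.matches(api_group, resource, verb) for r in b.role.rules):
            return True
    return False

# Constructed sample: one ClusterRole bound only inside "dev", one bound cluster-wide.
POD_READER = Role("pod-reader", [Rule({""}, {"pods"}, {"get", "list"})])
ADMIN = Role("admin", [Rule({"*"}, {"*"}, {"*"})])
BINDINGS = [
    Binding(POD_READER, {("Group", "developers")}, namespace="dev"),  # RoleBinding -> ClusterRole
    Binding(ADMIN, {("Group", "ops")}),                               # ClusterRoleBinding
]

def check(user, groups, namespace, verb, resource="pods", api_group=""):
    return is_allowed(BINDINGS, user, groups, namespace, api_group, resource, verb)
```

Adding a User-specific binding for a member of `developers` can only widen what `check` returns; to narrow it, the Group binding itself has to change.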