<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Rbac on Ethan-ZYF</title><link>https://ethanzyf.com/tags/rbac/</link><description>Recent content in Rbac on Ethan-ZYF</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Mon, 18 May 2026 00:00:00 -0700</lastBuildDate><atom:link href="https://ethanzyf.com/tags/rbac/index.xml" rel="self" type="application/rss+xml"/><item><title>Week2 Day 1: K8s security — Pod Security Standards + RBAC</title><link>https://ethanzyf.com/blog/week2-day1-k8s-psa-rbac/</link><pubDate>Mon, 18 May 2026 00:00:00 -0700</pubDate><guid>https://ethanzyf.com/blog/week2-day1-k8s-psa-rbac/</guid><description>&lt;p&gt;A first hands-on pass at Kubernetes-native security: how Pod Security Admission (PSA) actually attaches to namespaces via labels (and silently fails-open when the label is misspelled), why &lt;code&gt;runAsNonRoot: true&lt;/code&gt; is necessary but not sufficient (the image&amp;rsquo;s &lt;code&gt;USER&lt;/code&gt; still has to be non-root), the four-field minimum a pod needs to clear the &lt;code&gt;restricted&lt;/code&gt; profile, and the full RBAC mental model — &lt;code&gt;Role&lt;/code&gt;/&lt;code&gt;ClusterRole&lt;/code&gt; × &lt;code&gt;RoleBinding&lt;/code&gt;/&lt;code&gt;ClusterRoleBinding&lt;/code&gt; as &lt;strong&gt;two independent dimensions&lt;/strong&gt; that produce four combinations (one of which K8s rejects outright), why RBAC evaluation is &lt;strong&gt;union, not override&lt;/strong&gt;, and the asymmetry that makes RBAC fail-closed while PSA fails open.&lt;/p&gt;</description></item></channel></rss>