RBAC Aggregation
ClusterRoles can aggregate. The pattern.
Idea
RBAC aggregation is a Kubernetes feature that lets a ClusterRole be defined as the union of other ClusterRoles. The pattern is useful for extensibility: operators can extend admin roles by adding their own permissions; consumers bind to the aggregated role and pick up the operators' permissions automatically.
What aggregation provides:
- AggregationRule combines other ClusterRoles: The aggregated ClusterRole has an aggregationRule that selects other ClusterRoles by labels. The selected roles' rules are combined into the aggregated role's effective permissions.
- Single binding; multiple roles: A user or service account bound to the aggregated role gets the permissions of all the selected roles. The binding is one operation; the permissions are the union.
- Dynamic: When new ClusterRoles are added with the matching labels, they are automatically included in the aggregated role. The permissions extend dynamically; the binding does not need to be updated.
- Operator-friendly: Custom Kubernetes operators can ship ClusterRoles with the appropriate labels. Existing aggregated roles automatically include the operator's permissions; the operator integrates without binding changes.
- Standard pattern: Many built-in Kubernetes ClusterRoles use aggregation. The cluster-admin role aggregates many other roles; the pattern is familiar to anyone reading Kubernetes RBAC.
The idea is powerful but requires discipline. The dynamic nature is a feature and a risk.
Use
The typical use is extending admin or read-only roles. Operators ship their own role definitions; the aggregated admin role automatically includes them; new operators integrate without manual permission management.
- Custom "admin" role aggregates multiple controllers' admin roles: The team's admin role aggregates roles from various operators. Cert-manager admin, ingress admin, monitoring admin are all included; users bound to the aggregated admin role can manage all of them.
- Operators add their permissions automatically: When a new operator is installed, it ships ClusterRoles with the aggregation labels. The aggregated admin role picks them up; users bound to admin can administer the new operator.
- Reduces binding management: The team does not have to bind users to each operator's admin role separately. The aggregated role is the single point of binding; the management is centralized.
- Read-only aggregation: The same pattern applies to read-only roles. Users get read access to most things; new operators' read roles are automatically included.
- Scope by selector: The aggregation rule's selector determines what is included. Different selectors can produce different aggregated roles; the team controls scope.
This use is where the value lies. Without aggregation, RBAC management for extensive operator deployments becomes burdensome; with aggregation, it scales.
Test
The dynamic nature is a risk. Aggregated roles can grow in unexpected ways; new operators with matching labels add permissions automatically; the principle of least privilege requires verification.
- Aggregated roles can grow unexpectedly: When a new operator with matching labels is installed, the aggregated role grows. The expansion is automatic; the team may not notice.
- Audit: The team audits aggregated roles periodically. What permissions are currently included? What ClusterRoles are aggregated? The audit produces visibility.
- Verify scope: The audit verifies the aggregated permissions are appropriate. Permissions that should not be in the aggregated role are removed (by adjusting labels or selectors); the principle of least privilege is preserved.
- Track new aggregations: When new ClusterRoles are added that aggregate, the team is notified. The notification produces a review opportunity; unintended additions are caught.
- Document the aggregation strategy: The team documents which roles aggregate what, and why. New team members understand the system; future audits build on the documentation.
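The following script is an added example, not code from this page or from any product; it serves both the "Use" section (how an aggregated admin role picks up operator roles through label selectors, including a nested read-only aggregation) and the "Test" section (an audit that lists what currently contributes to the role, flags contributors the team never approved, and flags broad rules). It assumes the rbac.authorization.k8s.io/v1 semantics: a ClusterRole is selected when its labels match any one of the aggregated role's clusterRoleSelectors, and the control plane overwrites the aggregated role's own rules with the union. The ClusterRole manifests, the label key rbac.example.com/aggregate-to-team-admin and the role names are constructed sample data in the shape of kubectl get clusterroles -o json; in a real audit the list would be loaded from that output instead.

```python
"""Offline resolver and audit for Kubernetes RBAC aggregation (added example).

Assumes rbac.authorization.k8s.io/v1 semantics: a ClusterRole with an
aggregationRule is fed by every ClusterRole whose labels match ANY of its
clusterRoleSelectors, and the controller overwrites that role's .rules with
the union. All manifests below are constructed sample data.
"""

AGG_LABEL = "rbac.example.com/aggregate-to-team-admin"  # constructed label key

# Constructed sample ClusterRoles, shaped like items of `kubectl get clusterroles -o json`.
SAMPLE_CLUSTERROLES = [
    {   # The aggregated role. Its stored .rules is overwritten by the controller, so it is ignored here.
        "metadata": {"name": "team-admin"},
        "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG_LABEL: "true"}}]},
        "rules": [],
    },
    {   # Operator-shipped admin role, labelled to join team-admin.
        "metadata": {"name": "cert-manager-admin", "labels": {AGG_LABEL: "true"}},
        "rules": [{"apiGroups": ["cert-manager.io"], "resources": ["certificates", "issuers"],
                   "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}],
    },
    {   # A read-only role that itself aggregates (nested aggregation) and is also labelled.
        "metadata": {"name": "monitoring-view", "labels": {AGG_LABEL: "true"}},
        "aggregationRule": {"clusterRoleSelectors": [{"matchExpressions": [
            {"key": "monitoring.example.com/aggregate-to-view", "operator": "Exists"}]}]},
        "rules": [],
    },
    {   # Leaf role reached only through monitoring-view's matchExpressions selector.
        "metadata": {"name": "servicemonitor-view",
                     "labels": {"monitoring.example.com/aggregate-to-view": ""}},
        "rules": [{"apiGroups": ["monitoring.coreos.com"], "resources": ["servicemonitors"],
                   "verbs": ["get", "list", "watch"]}],
    },
    {   # Newly installed operator that reused the label: the silent-growth case the audit must catch.
        "metadata": {"name": "new-operator-admin", "labels": {AGG_LABEL: "true"}},
        "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}],
    },
    {   # Unrelated role: different label key, never selected.
        "metadata": {"name": "unrelated", "labels": {"team": "platform"}},
        "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}],
    },
]


def selector_matches(selector, labels):
    """Evaluate one LabelSelector (matchLabels AND matchExpressions) against a label map."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def contributors(clusterroles, aggregated):
    """Names of roles selected by ANY selector of the aggregated role (self excluded)."""
    selectors = aggregated.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    return [cr["metadata"]["name"] for cr in clusterroles
            if cr is not aggregated
            and any(selector_matches(s, cr["metadata"].get("labels", {})) for s in selectors)]


def effective_rules(clusterroles, name, _seen=None):
    """Union of rules reaching `name`, following nested aggregation with a cycle guard."""
    by_name = {cr["metadata"]["name"]: cr for cr in clusterroles}
    role = by_name[name]
    if "aggregationRule" not in role:
        return list(role.get("rules", []))  # leaf role: its stored rules are authoritative
    _seen = (_seen or set()) | {name}
    rules = []
    for child in contributors(clusterroles, role):
        if child not in _seen:  # guard against two roles aggregating each other
            rules.extend(effective_rules(clusterroles, child, _seen))
    return rules


def audit(clusterroles, name, expected_contributors):
    """Compare what an aggregated role contains now against the team's documented allowlist."""
    by_name = {cr["metadata"]["name"]: cr for cr in clusterroles}
    found = contributors(clusterroles, by_name[name])
    rules = effective_rules(clusterroles, name)
    broad = [r for r in rules if "*" in r.get("verbs", []) or "*" in r.get("resources", [])]
    return {
        "contributors": sorted(found),
        "unexpected": sorted(set(found) - set(expected_contributors)),
        "rule_count": len(rules),
        "broad_rules": broad,
    }


if __name__ == "__main__":
    approved = ["cert-manager-admin", "monitoring-view"]  # the documented aggregation strategy
    for key, value in audit(SAMPLE_CLUSTERROLES, "team-admin", approved).items():
        print(f"{key}: {value}")
```

Running it against the sample data reports new-operator-admin as an unexpected contributor and its secrets rule with verbs ["*"] as a broad rule, which is exactly the silent growth the "Test" section warns about; the fix on the page's terms is to drop the label from that role or narrow the selector, then re-run the audit and update the documented allowlist.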
RBAC aggregation is one of those Kubernetes features that pays off for teams running many operators. Nova AI Ops integrates with cluster RBAC, surfaces aggregated role membership, and produces the audit-ready visibility that the security team uses to verify the principle of least privilege.