Role and ClusterRole
A Role is scoped to a single namespace; a ClusterRole is scoped to the entire cluster.
A role maps permissions to objects.
The role below grants get and list permissions on Pod objects inside the default namespace.
kubectl create role myaccrole --verb=get --verb=list --resource=pod --dry-run=client -o yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: myaccrole
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list

The ClusterRole below is the same as the Role; the difference is that a ClusterRole can be assigned to many namespaces.
kubectl create clusterrole myaccrole --verb=get --verb=list --resource=pod --dry-run=client -o yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: myaccrole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
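
How the rules above are evaluated, and how the place of assignment changes their reach, shown as an added example (not code from the original page or from Kubernetes): a simplified model of RBAC rule matching. The `binding_namespace` parameter and the `team-a` namespace are assumptions made for illustration.

```python
# Added example: a simplified model of RBAC rule matching, not Kubernetes code.
# The two manifests mirror the YAML on this page, written as Python dicts.
RULES = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]
ROLE = {"kind": "Role",
        "metadata": {"name": "myaccrole", "namespace": "default"},
        "rules": RULES}
CLUSTER_ROLE = {"kind": "ClusterRole",
                "metadata": {"name": "myaccrole"},
                "rules": RULES}


def _match(entries, value):
    """A rule field matches on an exact entry or on the "*" wildcard."""
    return "*" in entries or value in entries


def rule_allows(rule, api_group, resource, verb):
    """All three fields of a rule must match; subresources such as
    "pods/log" are separate resource names and are not covered by "pods"."""
    return (_match(rule.get("apiGroups", []), api_group)
            and _match(rule.get("resources", []), resource)
            and _match(rule.get("verbs", []), verb))


def allowed(role, binding_namespace, api_group, resource, verb, namespace):
    """Return True if a subject bound to `role` may make the request.

    binding_namespace (hypothetical parameter) models the assignment:
    the namespace of a RoleBinding, or None for a ClusterRoleBinding.
    resourceNames and nonResourceURLs are not modelled.
    """
    if role["kind"] == "Role":
        if binding_namespace != role["metadata"]["namespace"]:
            raise ValueError("a Role can only be bound in its own namespace")
    # The grant reaches one namespace, or every namespace when None.
    if binding_namespace is not None and namespace != binding_namespace:
        return False
    # RBAC is additive: any matching rule allows, no match means denied.
    return any(rule_allows(r, api_group, resource, verb)
               for r in role["rules"])


if __name__ == "__main__":
    for ns in ("default", "team-a", "kube-system"):  # constructed requests
        print(ns,
              "Role:", allowed(ROLE, "default", "", "pods", "list", ns),
              "ClusterRole via RoleBinding in team-a:",
              allowed(CLUSTER_ROLE, "team-a", "", "pods", "list", ns),
              "via ClusterRoleBinding:",
              allowed(CLUSTER_ROLE, None, "", "pods", "list", ns))
```

Binding the ClusterRole per namespace keeps the get/list grant limited to that namespace, while a cluster-wide binding exposes Pods in every namespace, including kube-system.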