Using Custom RBAC Resources
KubeDB supports finer user control over the role-based access permissions provided to a Neo4j instance. This tutorial will show you how to use KubeDB to run a Neo4j instance with custom RBAC resources.
Before You Begin
Prerequisites: A running Kubernetes cluster with KubeDB installed. See the quickstart guide if you need to set up your environment.
$ kubectl create ns demo
namespace/demo created
Overview
KubeDB allows users to provide custom RBAC resources, namely ServiceAccount, Role, and RoleBinding, for Neo4j. The ServiceAccount is supplied via the spec.podTemplate.spec.serviceAccountName field in the Neo4j CRD.
Custom RBAC for Neo4j
First, let's create a ServiceAccount in the demo namespace.
$ kubectl create serviceaccount -n demo my-custom-serviceaccount
serviceaccount/my-custom-serviceaccount created
Now, we need to create a Role that has the necessary access permissions for the Neo4j database named quick-neo4j.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-custom-role
  namespace: demo
rules:
- apiGroups:
  - apps
  resourceNames:
  - quick-neo4j
  resources:
  - petsets
  verbs:
  - get
- apiGroups:
  - kubedb.com
  resourceNames:
  - quick-neo4j
  resources:
  - neo4js
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - patch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
  - update

$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.5-rc.1/docs/examples/neo4j/custom-rbac/neo4j-custom-role.yaml
role.rbac.authorization.k8s.io/my-custom-role created
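Before binding the Role, it helps to see which of its rules are pinned to quick-neo4j by resourceNames and which apply to every object of that type in the demo namespace. The Python check below is an added example, not part of the KubeDB documentation or project code; the Role is transcribed to JSON, and the SENSITIVE and WRITE_VERBS sets are assumptions of this example.

```python
import json

# The Role from this page, transcribed to JSON (the shape returned by
# `kubectl get role -n demo my-custom-role -o json`, metadata trimmed).
ROLE_JSON = """
{"kind": "Role", "metadata": {"name": "my-custom-role", "namespace": "demo"},
 "rules": [
  {"apiGroups": ["apps"], "resourceNames": ["quick-neo4j"], "resources": ["petsets"], "verbs": ["get"]},
  {"apiGroups": ["kubedb.com"], "resourceNames": ["quick-neo4j"], "resources": ["neo4js"], "verbs": ["get"]},
  {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "patch"]},
  {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "create", "update"]}
 ]}
"""

# Assumptions of this example: what a reviewer treats as sensitive or mutating.
SENSITIVE = {"secrets", "pods/exec", "pods/attach", "serviceaccounts/token"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

def audit_role(role):
    """Return one finding per rule, listing the reasons it deserves review."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames", [])
        reasons = []
        if "*" in resources or "*" in verbs or "*" in rule.get("apiGroups", []):
            reasons.append("wildcard")
        if not names:
            # No resourceNames: the rule matches every object of that type in the namespace.
            reasons.append("namespace-wide")
            if resources & SENSITIVE:
                reasons.append("sensitive:" + ",".join(sorted(resources & SENSITIVE)))
            if verbs & WRITE_VERBS:
                reasons.append("write:" + ",".join(sorted(verbs & WRITE_VERBS)))
        findings.append({"rule": i, "resources": sorted(resources),
                         "scoped_to": names, "review": reasons})
    return findings

def needs_review(role):
    """Only the rules with at least one review reason."""
    return [f for f in audit_role(role) if f["review"]]

if __name__ == "__main__":
    for finding in needs_review(json.loads(ROLE_JSON)):
        print(finding)
```

For this Role the petsets and neo4js rules pass because they are limited to quick-neo4j, while the pods, pods/exec and secrets rules are reported as namespace-wide.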
Now create a RoleBinding to bind this Role to the service account created earlier.

$ kubectl create rolebinding my-custom-rolebinding \
    --role=my-custom-role \
    --serviceaccount=demo:my-custom-serviceaccount \
    --namespace=demo
rolebinding.rbac.authorization.k8s.io/my-custom-rolebinding created
Now, create a Neo4j resource with the spec.podTemplate.spec.serviceAccountName field set to my-custom-serviceaccount.

apiVersion: kubedb.com/v1alpha2
kind: Neo4j
metadata:
  name: quick-neo4j
  namespace: demo
spec:
  version: "2025.12.1"
  replicas: 3
  storageType: Durable
  podTemplate:
    spec:
      serviceAccountName: my-custom-serviceaccount
  storage:
    storageClassName: "standard"
    accessModes:
    - ReadWriteOnce
    resources:
      requests:
        storage: 2Gi
  deletionPolicy: WipeOut

$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.5-rc.1/docs/examples/neo4j/custom-rbac/neo4j-custom-db.yaml
neo4j.kubedb.com/quick-neo4j created
Check that the pod is running:
$ kubectl get pod -n demo quick-neo4j-0
NAME            READY   STATUS    RESTARTS   AGE
quick-neo4j-0   1/1     Running   0          3m
Cleaning up
To clean up the Kubernetes resources created by this tutorial, run:
kubectl patch -n demo neo4j/quick-neo4j -p '{"spec":{"deletionPolicy":"WipeOut"}}' --type="merge"
kubectl delete -n demo neo4j/quick-neo4j
kubectl delete -n demo serviceaccount my-custom-serviceaccount
kubectl delete -n demo role my-custom-role
kubectl delete -n demo rolebinding my-custom-rolebinding
kubectl delete ns demo































