For example, I have a role that gives a user permission to get the list of pods from a specific namespace. And I have a clusterRole that gives a user permission to get the list of pods from all namespaces.
Can the user get all pods from all namespaces? Or does the role override the clusterRole because the role is more specific?
I know this doesn't make sense. But what if I do it by mistake?
As per https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
Permissions are purely additive (there are no "deny" rules).
That means you can't get fewer rights, only more, if a user is bound to multiple Roles or ClusterRoles.
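
The additive rule described above, as an added example that is not part of the original answer or of Kubernetes itself: a simplified Python model of the RBAC decision, plus a check that flags namespaced bindings made redundant by a cluster-wide one. The `Binding` class, the function names, the users `jane` and `bob` and the namespace `dev` are all constructed for illustration.

```python
# Simplified model of RBAC evaluation: a request is allowed if ANY binding in
# scope grants it; there is no deny. apiGroups and "*" wildcards are left out.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    subject: str
    verbs: frozenset
    resources: frozenset
    namespace: Optional[str]  # None = ClusterRoleBinding (every namespace)

def allowed(bindings, subject, verb, resource, namespace):
    """namespace=None models a cluster-wide request such as `kubectl get pods -A`."""
    return any(
        b.subject == subject
        and b.namespace in (None, namespace)
        and verb in b.verbs
        and resource in b.resources
        for b in bindings
    )

def shadowed(bindings):
    """Namespaced bindings fully covered by the same subject's cluster-wide
    grants, i.e. the namespace restriction no longer limits anything."""
    def cluster_grants(subject, verb, resource):
        return allowed([b for b in bindings if b.namespace is None],
                       subject, verb, resource, None)
    return [
        b for b in bindings
        if b.namespace is not None
        and all(cluster_grants(b.subject, v, r)
                for v in b.verbs for r in b.resources)
    ]

# Constructed sample: users "jane" and "bob", namespace "dev".
READ = frozenset({"get", "list"})
PODS = frozenset({"pods"})
BINDINGS = [
    Binding("jane", READ, PODS, "dev"),  # Role + RoleBinding in "dev"
    Binding("jane", READ, PODS, None),   # ClusterRole + ClusterRoleBinding
    Binding("bob", READ, PODS, "dev"),   # Role + RoleBinding only
]

if __name__ == "__main__":
    for user in ("jane", "bob"):
        print(user, "list pods, all namespaces:",
              allowed(BINDINGS, user, "list", "pods", None))
    print("shadowed:", shadowed(BINDINGS))
```

On a real cluster, `kubectl auth can-i list pods --as=<user> -n <namespace>` answers the same question for one user and namespace.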