Skip to main content

Kubernetes RBAC Least Privilege

Designing roles and bindings so developers and automation have minimum required API permissions.


Kubernetes RBAC Least Privilege

Principles

  1. Namespace isolation Teams operate in dedicated namespaces
  2. No cluster-admin for apps Reserve for break-glass platform SREs
  3. Separate CI roles Deploy-only SA per environment
  4. Audit RBAC Review ClusterRoleBinding quarterly

Example: deploy-only role

apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: payments-prod name: cicd-deploy rules: - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "list", "watch", "update", "patch"]

Anti-patterns

PatternRisk
cluster-admin for CI tokenFull cluster compromise if leaked
Wildcard verbs on secretsCredential theft
Shared namespace for prod/stageBlast radius

Tooling

  • kubectl auth can-i --list --as=system:serviceaccount:ns:sa
  • RBAC visualization tools (e.g. rbac-lookup, Polaris)