Kubernetes RBAC Least Privilege
Designing roles and bindings so developers and automation have minimum required API permissions.
Kubernetes RBAC Least Privilege
Principles
- Namespace isolation Teams operate in dedicated namespaces
- No cluster-admin for apps Reserve for break-glass platform SREs
- Separate CI roles Deploy-only SA per environment
- Audit RBAC Review
ClusterRoleBindingquarterly
Example: deploy-only role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: payments-prod
name: cicd-deploy
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "update", "patch"]Anti-patterns
| Pattern | Risk |
|---|---|
cluster-admin for CI token | Full cluster compromise if leaked |
| Wildcard verbs on secrets | Credential theft |
| Shared namespace for prod/stage | Blast radius |
Tooling
kubectl auth can-i --list --as=system:serviceaccount:ns:sa- RBAC visualization tools (e.g. rbac-lookup, Polaris)