Agent skill

implementing-rbac-for-kubernetes-cluster

Configure Kubernetes Role-Based Access Control (RBAC) to enforce least-privilege access to cluster resources. This skill covers Role/ClusterRole design, RoleBinding configuration, service account secu

View SKILL.md on GitHub Repository
Stars 0
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/autohandai/community-skills/tree/main/implementing-rbac-for-kubernetes-cluster

SKILL.md

Implementing RBAC for Kubernetes Cluster

Overview

Configure Kubernetes Role-Based Access Control (RBAC) to enforce least-privilege access to cluster resources. This skill covers Role/ClusterRole design, RoleBinding configuration, service account security, namespace isolation, and audit logging for multi-tenant Kubernetes environments.

Objectives

  • Design RBAC role hierarchy for multi-tenant clusters
  • Create granular Roles and ClusterRoles for different personas
  • Configure RoleBindings and ClusterRoleBindings with least privilege
  • Secure service accounts and limit their default permissions
  • Integrate RBAC with external identity providers (OIDC)
  • Audit and monitor RBAC usage with Kubernetes audit logs

Key Concepts

RBAC API Objects

  1. Role: Namespace-scoped permissions (pods, services, deployments within a namespace)
  2. ClusterRole: Cluster-wide permissions (nodes, namespaces, PVs, CRDs)
  3. RoleBinding: Grants Role to users/groups/serviceAccounts in a namespace
  4. ClusterRoleBinding: Grants ClusterRole cluster-wide

Kubernetes RBAC Verbs

  • get, list, watch: Read-only operations
  • create, update, patch: Write operations
  • delete, deletecollection: Destructive operations
  • impersonate: Assume identity of another user
  • escalate: Modify RBAC roles (highly privileged)
  • bind: Create RoleBindings (highly privileged)

Persona-Based Access Model

  • Cluster Admin: Full cluster management (limit to 2-3 people)
  • Namespace Admin: Full control within assigned namespace
  • Developer: Deploy and manage workloads in assigned namespace
  • Viewer: Read-only access to namespace resources
  • CI/CD Service Account: Deploy workloads, manage configmaps/secrets

Implementation Steps

Step 1: Disable Default Permissive Settings

  1. Ensure --authorization-mode=RBAC is enabled on API server
  2. Remove default cluster-admin bindings from non-admin users
  3. Disable auto-mounting of service account tokens in pods
  4. Restrict access to default service account in each namespace

Step 2: Create Custom Roles

yaml
# Developer Role - namespace scoped
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: app-team
  name: developer
rules:
- apiGroups: ["", "apps", "batch"]
  resources: ["pods", "deployments", "services", "configmaps", "jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]  # read secrets but limit create/update
- apiGroups: [""]
  resources: ["pods/log", "pods/exec"]
  verbs: ["get", "create"]

Step 3: Bind Roles to Users/Groups

yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: app-team
subjects:
- kind: Group
  name: "dev-team"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io

Step 4: Secure Service Accounts

  • Create dedicated service accounts per application
  • Disable automountServiceAccountToken for pods that don't need API access
  • Use projected service account tokens with audience and expiry
  • Bind minimum required permissions to each service account

Step 5: OIDC Integration

  1. Configure API server with OIDC flags (issuer-url, client-id, username-claim, groups-claim)
  2. Map OIDC groups to Kubernetes groups in RoleBindings
  3. Use short-lived tokens from OIDC provider
  4. Configure kubectl with OIDC authentication plugin

Step 6: Audit and Monitoring

  • Enable Kubernetes audit logging (audit-policy.yaml)
  • Log all RBAC-related events (role creation, binding changes)
  • Alert on ClusterRoleBinding creation/modification
  • Monitor for privilege escalation attempts
  • Regular review of who has cluster-admin access

Security Controls

Control NIST 800-53 Description
Access Control AC-3 RBAC enforcement
Least Privilege AC-6 Minimum necessary Kubernetes permissions
Account Management AC-2 Service account lifecycle
Audit AU-3 Kubernetes audit logging
Separation of Duties AC-5 Namespace isolation

Common Pitfalls

  • Granting cluster-admin to CI/CD pipelines
  • Using wildcard (*) verbs or resources in ClusterRoles
  • Not restricting pods/exec which allows container shell access
  • Leaving default service account with broad permissions
  • Not auditing who can create RoleBindings (privilege escalation vector)

Verification

  • All users authenticate via OIDC (no static tokens/certs)
  • No unnecessary ClusterRoleBindings to cluster-admin
  • Developers limited to their assigned namespaces
  • Service accounts use least-privilege roles
  • automountServiceAccountToken disabled by default
  • Audit logging captures RBAC changes
  • kubectl auth can-i validates expected permissions per persona

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

autohandai/community-skills

mapping-mitre-attack-techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

0 0
Explore
autohandai/community-skills

hunting-for-spearphishing-indicators

Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.

0 0
Explore
autohandai/community-skills

analyzing-malicious-url-with-urlscan

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat

0 0
Explore
autohandai/community-skills

implementing-zero-standing-privilege-with-cyberark

Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.

0 0
Explore
autohandai/community-skills

implementing-pam-for-database-access

Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia

0 0
Explore
autohandai/community-skills

detecting-t1003-credential-dumping-with-edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

0 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results