Asi implementing-rbac-hardening-for-kubernetes
Harden Kubernetes Role-Based Access Control by implementing least-privilege policies, auditing role bindings, eliminating cluster-admin sprawl, and integrating external identity providers.
install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/implementing-rbac-hardening-for-kubernetes" ~/.claude/skills/plurigrid-asi-implementing-rbac-hardening-for-kubernetes && rm -rf "$T"
manifest:
plugins/asi/skills/implementing-rbac-hardening-for-kubernetes/SKILL.mdsource content
Implementing RBAC Hardening for Kubernetes
Overview
Kubernetes RBAC regulates access to cluster resources based on roles assigned to users, groups, and service accounts. Default configurations often grant excessive permissions, and without active hardening, RBAC becomes a primary attack vector for privilege escalation, lateral movement, and data exfiltration. Hardening requires implementing least-privilege principles, eliminating unnecessary ClusterRole bindings, separating service accounts, integrating external identity providers, and continuous auditing.
When to Use
- When deploying or configuring implementing rbac hardening for kubernetes capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Kubernetes cluster v1.24+ with RBAC enabled (default since v1.6)
- kubectl access with cluster-admin for initial audit
- External identity provider (OIDC) for user authentication
- Audit logging enabled on the API server
Core Hardening Principles
1. Eliminate cluster-admin Sprawl
Audit and remove unnecessary cluster-admin bindings:
# List all cluster-admin bindings kubectl get clusterrolebindings -o json | jq -r ' .items[] | select(.roleRef.name == "cluster-admin") | "\(.metadata.name) -> \(.subjects[]? | "\(.kind)/\(.name) (\(.namespace // "cluster"))")" '
2. Namespace-Scoped Roles Over ClusterRoles
Use Role and RoleBinding instead of ClusterRole and ClusterRoleBinding:
# Good: Namespace-scoped role apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: application name: app-developer rules: - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "list", "watch", "create", "update", "patch"] - apiGroups: [""] resources: ["pods", "pods/log"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: application name: app-developer-binding subjects: - kind: Group name: dev-team apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: app-developer apiGroup: rbac.authorization.k8s.io
3. Dedicated Service Accounts Per Workload
apiVersion: v1 kind: ServiceAccount metadata: name: payment-processor namespace: payments automountServiceAccountToken: false # Disable auto-mount --- apiVersion: apps/v1 kind: Deployment metadata: name: payment-processor namespace: payments spec: template: spec: serviceAccountName: payment-processor automountServiceAccountToken: true # Only mount when explicitly needed containers: - name: processor image: payments/processor:v2.1@sha256:abc...
4. Restrict Dangerous Permissions
Block permissions that enable privilege escalation:
# Dangerous verbs/resources to restrict: # - secrets: get, list, watch (exposes all secrets in namespace) # - pods/exec: create (enables command execution in pods) # - pods: create with privileged securityContext # - serviceaccounts/token: create (generates new tokens) # - clusterroles/clusterrolebindings: create, update (self-escalation) # - nodes/proxy: create (bypasses API server authorization) # Safe read-only role example apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: security-viewer rules: - apiGroups: [""] resources: ["pods", "services", "namespaces", "nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["apps"] resources: ["deployments", "daemonsets", "statefulsets"] verbs: ["get", "list", "watch"] - apiGroups: ["networking.k8s.io"] resources: ["networkpolicies"] verbs: ["get", "list", "watch"]
5. OIDC Integration for User Authentication
# API server flags for OIDC integration apiVersion: v1 kind: Pod metadata: name: kube-apiserver spec: containers: - name: kube-apiserver command: - kube-apiserver - --oidc-issuer-url=https://idp.company.com - --oidc-client-id=kubernetes - --oidc-username-claim=email - --oidc-groups-claim=groups - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.crt
RBAC Audit Process
Step 1: Enumerate All Bindings
# All ClusterRoleBindings with subjects kubectl get clusterrolebindings -o json | jq -r ' .items[] | select(.subjects != null) | .subjects[] as $s | "\(.metadata.name) | \(.roleRef.name) | \($s.kind)/\($s.name)" ' | sort | column -t -s '|' # All RoleBindings across namespaces kubectl get rolebindings --all-namespaces -o json | jq -r ' .items[] | select(.subjects != null) | .subjects[] as $s | "\(.metadata.namespace) | \(.metadata.name) | \(.roleRef.name) | \($s.kind)/\($s.name)" ' | sort | column -t -s '|'
Step 2: Identify Overprivileged Service Accounts
# Find service accounts with cluster-admin or admin roles kubectl get clusterrolebindings -o json | jq -r ' .items[] | select(.roleRef.name == "cluster-admin" or .roleRef.name == "admin") | select(.subjects[]?.kind == "ServiceAccount") | "\(.subjects[] | select(.kind == "ServiceAccount") | "\(.namespace)/\(.name)")" '
Step 3: Check Default Service Account Usage
# Find pods using the default service account kubectl get pods --all-namespaces -o json | jq -r ' .items[] | select(.spec.serviceAccountName == "default" or .spec.serviceAccountName == null) | "\(.metadata.namespace)/\(.metadata.name)" '
Step 4: Verify Token Auto-Mount
# Find pods with auto-mounted service account tokens kubectl get pods --all-namespaces -o json | jq -r ' .items[] | select(.spec.automountServiceAccountToken != false) | "\(.metadata.namespace)/\(.metadata.name) sa=\(.spec.serviceAccountName // "default")" '
Tooling
rbac-lookup
# Install rbac-lookup kubectl krew install rbac-lookup # View RBAC for a specific user kubectl rbac-lookup developer@company.com # View all RBAC bindings wide format kubectl rbac-lookup --kind user -o wide
rakkess (Review Access)
# Install rakkess kubectl krew install access-matrix # Show access matrix for current user kubectl access-matrix # Show access for a specific service account kubectl access-matrix --sa payments:payment-processor