Kubernetes security is often discussed in terms of “hardening the cluster,” but day-to-day risk usually comes from something simpler: overly broad permissions. If a developer’s kubeconfig can delete production workloads, or a CI job can create cluster-wide resources, a single mistake—or a compromised credential—can become a cluster-wide incident.
Kubernetes Role-Based Access Control (RBAC) is the built-in authorization system that answers a specific question after a request is authenticated: is this identity allowed to perform this action on this resource? When RBAC is designed and operated well, it becomes the guardrail that turns Kubernetes into a platform multiple teams can use safely. When it’s not, it becomes either ineffective (everyone is cluster-admin) or disruptive (permissions are guessed, and work stops).
This article focuses on implementing least privilege RBAC: granting only the permissions required for an identity (human or workload) to do its job, and nothing more. You’ll build up from the core API concepts—verbs, resources, namespaces—into real operational patterns: team namespaces, CI/CD service accounts, and read-only access for observability. Along the way, you’ll validate permissions using Kubernetes-native tooling so you can iterate safely.
How Kubernetes RBAC fits into the request flow
Before you write a single Role, it helps to understand where RBAC sits in the control plane request path. Every request to the Kubernetes API server is processed in stages. Authentication establishes who the caller is (for example, a user from an OIDC provider, a client certificate subject, or a service account token). Authorization decides whether that authenticated identity can perform the requested action. RBAC is one of the authorization modes the API server can run.
RBAC evaluates requests against policy objects stored in the cluster. These objects don’t grant access by themselves; access is granted by bindings that map identities (users, groups, service accounts) to roles (a set of allowed actions). This separation is intentional: you can define a role once and bind it to multiple identities, or bind different roles depending on environment.
It’s also worth separating RBAC from two other adjacent controls. Admission controllers can validate or mutate objects after authorization (for example, denying privileged pods or enforcing required labels). Pod Security and NetworkPolicy govern runtime behavior and traffic. RBAC primarily controls who can change what in the API, which is the foundation for controlling everything else.
RBAC building blocks: verbs, resources, scopes, and subjects
RBAC rules are expressed in terms Kubernetes understands: the HTTP request’s verb maps to a Kubernetes verb (get, list, watch, create, update, patch, delete, deletecollection). The target is a Kubernetes resource (like pods, deployments, configmaps) potentially within an API group (for example, apps for Deployments). The request might be namespaced (most workload resources) or cluster-scoped (nodes, namespaces, persistent volumes, CRDs).
The main objects you’ll work with are:
A Role: a namespaced set of rules. A Role can grant access only within a single namespace.
A ClusterRole: a cluster-scoped set of rules. Despite the name, a ClusterRole can be used for cluster-scoped resources and for namespaced resources (when bound with a RoleBinding inside a namespace).
A RoleBinding: a namespaced binding that attaches a Role or ClusterRole to subjects within one namespace.
A ClusterRoleBinding: a cluster-scoped binding that attaches a ClusterRole to subjects across the entire cluster.
Subjects are the identities RBAC can bind to: users, groups, and service accounts. Users and groups are not Kubernetes objects by default; Kubernetes trusts the authenticator to assert them. Service accounts are Kubernetes objects and are the standard identity for in-cluster workloads and automation.
This combination—rules + bindings + subjects—drives most RBAC outcomes. When troubleshooting or reviewing access, always ask: “What identity is making the call?” and “What bindings give that identity which rules, in which scope?”
Establish a least-privilege RBAC strategy before writing YAML
It’s tempting to start by copying roles from blog posts, but RBAC becomes manageable when you standardize patterns. A practical RBAC strategy answers a few operational questions.
First, decide how you will separate concerns. Most organizations use namespaces as the first layer of separation: teams or applications get their own namespaces, and cluster-level operations are limited to platform administrators.
Second, decide how identities map to work. Humans typically authenticate via an external identity provider (OIDC is common), and get group claims like team-payments or sre. Automation uses service accounts with tightly scoped permissions.
Third, define “default deny” as a cultural and operational baseline. In Kubernetes, there isn’t a single switch called “deny all,” but you can get close by ensuring you don’t bind broad roles and by auditing and removing legacy ClusterRoleBindings. Most real-world RBAC incidents happen because a broad binding existed “temporarily” and stayed.
Finally, decide how you will review and evolve RBAC. Permission needs change as apps grow. You should be able to answer “who can do X” and “what can this identity do” without guessing. You’ll use built-in commands and, ideally, policy-as-code in Git.
Inventory your current access model (and find broad bindings)
If you’re securing an existing cluster, start with what’s already bound. The most dangerous configuration is not “no RBAC,” it’s “RBAC exists but effectively everyone is admin.” In many clusters, you’ll find ClusterRoleBindings granting cluster-admin to broad groups, or to default service accounts.
List ClusterRoleBindings and look for high-privilege roles:
kubectl get clusterrolebindings -o wide
Then inspect any binding that references cluster-admin, admin, or custom roles you don’t recognize:
bash
kubectl describe clusterrolebinding <name>
Also review RoleBindings in sensitive namespaces (for example, kube-system, ingress-nginx, monitoring, or production namespaces):
bash
kubectl get rolebindings -A
kubectl describe rolebinding -n <ns> <name>
As you inventory, keep a running list of subjects (users/groups/service accounts) that have cluster-wide privileges. You will use this list later to scope down access, but don’t remove bindings blindly; first validate what those identities are used for.
A realistic scenario here is a cluster that started as a single-team environment. The initial installer bound a whole corporate group (or a wide Okta group) to cluster-admin to move fast. Months later, multiple teams deploy workloads, and production changes are made from laptops. This is exactly where RBAC provides value: keep platform operations centralized while enabling safe self-service for teams.
Map identities: users, groups, and service accounts
RBAC depends on consistent identity strings. Kubernetes does not manage “users” directly; it relies on authentication to provide a username and group list. If you’re using OIDC, those values typically come from token claims. If you’re using client certificates, the username comes from the certificate subject.
For planning RBAC, you need to know what usernames and groups Kubernetes sees. You can often infer this by looking at audit logs (if enabled) or by using kubectl auth can-i as the user. In many environments, a practical approach is to standardize on group-based access for humans and service-account-based access for automation.
For example:
group:platform-admins→ cluster-scoped operationsgroup:team-foo-devs→ read/write withinfoo-devnamespacegroup:team-foo-oncall→ read-only acrossfoo-prodplus access to logssystem:serviceaccount:foo-prod:foo-deployer→ CI deploy rights tofoo-prod
Service account identities have a deterministic format: system:serviceaccount:<namespace>:<name>. This is useful because you can reason about RBAC from manifests alone.
Understand default roles and why you should reuse them carefully
Kubernetes includes a set of default ClusterRoles such as cluster-admin, admin, edit, and view. These are convenient, but they are generic and sometimes broader than you want.
cluster-admin is effectively unrestricted.
admin is namespaced and intended for namespace administrators, but it can still include permissions you may not want every team admin to have.
edit is intended for developers to modify most namespaced resources, but it notably allows writing many objects (including ConfigMaps and Secrets in many clusters), which may be too broad for some environments.
view is read-only for most resources, often appropriate for auditors or support roles.
A safe approach is to treat these built-ins as starting points. You can reuse them in early phases, but move toward custom roles for sensitive namespaces and automation identities. The fewer identities bound to broad built-ins, the more predictable your access model becomes.
Design RBAC around namespaces as security boundaries (with clear exceptions)
Namespaces are not perfect security boundaries—kernel-level isolation is not provided—but they are strong administrative boundaries for the Kubernetes API. RBAC uses namespaces naturally: Roles and RoleBindings are namespaced.
If you’re operating a multi-team cluster, a common design is:
- Each workload gets one or more namespaces (for example,
team-a-dev,team-a-prod). - Developers get write access in dev namespaces and restricted access in prod.
- CI/CD identities get scoped write access to specific namespaces.
- Platform team gets limited cluster-scoped permissions, with a small set of trusted admins holding
cluster-admin.
The exceptions are cluster-scoped resources that teams should not manage directly: nodes, namespaces themselves, CRDs, admission webhooks, storage classes, and cluster-wide network policies. These typically remain under platform control.
This design influences how you write roles. You’ll generally prefer Roles for application teams and reserve ClusterRoles + ClusterRoleBindings for platform needs.
Create a minimal read-only Role for a namespace
A safe first custom role is a read-only role in a namespace. Even if you later add write permissions, starting with read-only helps you validate identity mapping and access without risking change.
Here’s a practical namespaced Role that permits reading common workload objects. Notice that it targets specific API groups and resources rather than using wildcards.
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ns-observer
namespace: app-prod
rules:
- apiGroups: [""]
resources: ["pods", "services", "endpoints", "configmaps", "events"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["get", "list", "watch"]
Bind it to a group that represents on-call engineers for that application:
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: app-prod-observers
namespace: app-prod
subjects:
- kind: Group
name: team-app-oncall
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: ns-observer
apiGroup: rbac.authorization.k8s.io
This pattern shows an important operational habit: grant on-call staff the ability to see what’s happening (pods, events, controller state) without granting write access in production.
In a real environment, this is often the first step to removing broad production access. Teams can still investigate incidents quickly, while actual changes are routed through controlled deployment mechanisms.
Validate access with kubectl auth can-i (and why impersonation matters)
RBAC should be validated as you build it. Kubernetes provides kubectl auth can-i, which asks the API server’s authorization layer whether an action is allowed.
For example, to test whether a group-bound identity can list pods:
bash
kubectl auth can-i list pods -n app-prod
In day-to-day administration, you’ll often want to test without logging in as the user. If your own credentials have permission to impersonate, you can use --as and --as-group to simulate.
bash
kubectl auth can-i get deployments -n app-prod \
--as=jane.doe@example.com \
--as-group=team-app-oncall
Impersonation is powerful because it lets platform admins prove that a RoleBinding has the intended effect before rolling it out. However, impersonation itself is a sensitive capability; it should be tightly restricted because it can be used to bypass normal access pathways.
As you add more roles and bindings, keep validating the critical verbs: can the CI service account patch a deployment? Can the on-call group read events? Can developers create pods in dev but not in prod? These small checks prevent large surprises.
Build a developer write Role without granting dangerous powers
Many teams want “developer access,” which usually means they can deploy, scale, and debug their workloads. The risk is that “developer access” is often implemented as “edit everything,” which can include the ability to read or write Secrets, or create arbitrary ServiceAccounts and RoleBindings.
A safer approach is to write a custom Role that allows manipulating the workload controllers and associated resources, while explicitly limiting RBAC-related objects and (in many orgs) limiting Secrets.
Below is an example that allows managing Deployments and Pods and viewing logs, but does not include permissions for Roles/RoleBindings or Secrets. Whether to allow Secret reads is a policy choice; if your applications fetch secrets at runtime via external secret stores, developers often don’t need to read Kubernetes Secrets at all.
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: app-deployer
namespace: app-dev
rules:
- apiGroups: ["apps"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods", "pods/exec", "pods/log"]
verbs: ["get", "list", "watch", "create"]
- apiGroups: [""]
resources: ["services", "configmaps"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Bind it to a development group:
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: team-app-devs
namespace: app-dev
subjects:
- kind: Group
name: team-app-devs
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: app-deployer
apiGroup: rbac.authorization.k8s.io
This introduces a practical distinction: developers can change their application resources without being able to grant themselves more permissions. Preventing privilege escalation is a central theme in RBAC design.
Real-world example: separating dev velocity from prod safety
A common operational model is that developers deploy freely to *-dev namespaces but production deployments are performed by CI/CD with approval gates. In this model, developers get app-deployer in app-dev, on-call gets ns-observer in app-prod, and the CI service account gets narrowly scoped write permissions in app-prod.
The benefit is not just security; it also clarifies responsibility. When production changes happen, they happen via a controlled identity (the pipeline), making audit trails and rollbacks more reliable.
Create a CI/CD service account with scoped permissions
Automation should not use human credentials. In Kubernetes, the standard pattern is a dedicated service account per pipeline or per application/environment.
Create a service account in the namespace it will operate in:
bash
kubectl create serviceaccount app-prod-deployer -n app-prod
Then bind it to a Role designed for deployment actions. Instead of giving it broad write access to everything, think in terms of what the pipeline actually does. Many deployment tools patch Deployments, update Services, and create Jobs for migrations.
Here is an example Role that permits managing a typical set of resources needed for deployments, including the ability to update (patch) Deployments and create Jobs. It still avoids RBAC objects.
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cicd-deployer
namespace: app-prod
rules:
- apiGroups: ["apps"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
resources: ["services", "configmaps"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
Bind it to the service account:
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: app-prod-cicd
namespace: app-prod
subjects:
- kind: ServiceAccount
name: app-prod-deployer
namespace: app-prod
roleRef:
kind: Role
name: cicd-deployer
apiGroup: rbac.authorization.k8s.io
If your pipeline uses Helm, Argo CD, or Flux, the exact permissions may differ, but the principle is consistent: grant only what the tool requires in the namespaces it manages.
Real-world example: pipeline compromised vs blast radius
Consider a build system compromise where an attacker gains access to the pipeline’s Kubernetes credentials. If that credential is bound to cluster-admin, the attacker can create ClusterRoleBindings, install admission webhooks, and persist indefinitely. If that credential is a service account limited to app-prod and only patching Deployments, the attacker’s blast radius is constrained to that namespace and set of actions. You might still have an incident, but it’s far more containable.
Avoid common privilege-escalation paths in RBAC
Least privilege isn’t only about “can delete pods.” It’s also about preventing identities from granting themselves more permissions indirectly.
Two RBAC-related resources are particularly sensitive: roles/rolebindings and clusterroles/clusterrolebindings. If an identity can create or modify RoleBindings, it can often bind itself (or another subject) to a powerful role and escalate.
Another sensitive capability is creating service accounts and then binding roles to them, especially when combined with the ability to create secrets or token-related resources. In modern Kubernetes, service account tokens are typically projected and not stored as long-lived secrets by default, but the broader point remains: RBAC objects plus binding authority equals privilege escalation.
A defensive rule of thumb is: application teams should generally not have write access to RBAC objects in production namespaces. If you must delegate RBAC management, do it through controlled templates, reviewed pull requests, and scoped roles that cannot bind powerful ClusterRoles.
Use ClusterRoles for consistent cross-namespace permissions
When you need the same set of permissions across many namespaces—such as a standard read-only “observer” role—it’s efficient to define a ClusterRole and bind it within each namespace via RoleBinding. This avoids duplicating role definitions.
Here’s a ClusterRole for read-only access to common workload resources:
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: workload-viewer
rules:
- apiGroups: [""]
resources: ["pods", "services", "endpoints", "events", "namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["get", "list", "watch"]
Even though the role is cluster-scoped, you can bind it per namespace:
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: workload-viewer-binding
namespace: app-prod
subjects:
- kind: Group
name: team-app-oncall
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: workload-viewer
apiGroup: rbac.authorization.k8s.io
This gives a consistent permission set while still keeping the scope namespaced. It’s a helpful pattern for large clusters where onboarding a new namespace should be repeatable.
Know when ClusterRoleBindings are justified (and keep them rare)
ClusterRoleBindings apply cluster-wide. They are appropriate when the subject needs access to cluster-scoped resources or needs the same permissions in all namespaces.
Legitimate use cases include:
- A small platform admin group that manages nodes, namespaces, CRDs, and cluster add-ons.
- A cluster-wide read-only auditor group.
- System components (like a CNI plugin) that require cluster-scoped permissions.
But ClusterRoleBindings are also the most common source of accidental overexposure. A single binding of system:authenticated (all authenticated users) to a powerful ClusterRole can effectively turn the cluster into a shared admin environment.
As you tighten security, make it a goal to minimize ClusterRoleBindings to a small, well-understood set, and prefer RoleBindings for application access.
Treat kube-system and add-on namespaces as high sensitivity
Many cluster add-ons run in kube-system or in dedicated namespaces like ingress-nginx, cert-manager, monitoring, or external-secrets. These components often have elevated permissions because they integrate with the cluster. RBAC here is not only about humans; it’s also about ensuring add-ons have exactly what they need.
Avoid granting broad human access to these namespaces. If a developer can patch a Deployment in kube-system, they may be able to change core DNS, networking components, or metrics collection, affecting the entire cluster.
A common pattern is to grant:
- Platform admins: controlled write access to add-on namespaces.
- On-call engineers: read-only access to view health and logs.
- Application teams: no access unless explicitly required.
This is also where a well-defined break-glass process (separate from everyday credentials) can be useful, but RBAC should ensure break-glass permissions are not the default.
Control access to Secrets explicitly
Kubernetes Secrets are base64-encoded, not encrypted by default (encryption at rest is configurable, but access control still matters). From an RBAC perspective, read access to secrets usually implies access to database passwords, API keys, and other high-value credentials.
Many clusters inadvertently grant get/list on Secrets to broad roles because they reuse the built-in edit role or create developer roles that include secrets for convenience. That convenience can undermine your entire security posture.
A practical approach is:
- Only CI/CD and runtime components that truly need secret access should have it.
- Developers should not read production secrets directly.
- If developers need secrets for local development, provide separate non-prod credentials and inject them via separate mechanisms.
If you must grant Secret access, do it narrowly and explicitly:
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: secret-reader
namespace: app-dev
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
Even in dev, prefer get over list when possible. list allows bulk extraction of secrets.
This section connects back to least privilege: a role should reflect an operational need, not a generic “developer convenience.”
Provide log and exec access deliberately
Operational debugging often requires kubectl logs and sometimes kubectl exec. These map to subresources: pods/log and pods/exec. Granting pods/exec is particularly sensitive because it enables command execution inside containers, which can be used to access in-pod credentials, pivot, or change runtime state.
A balanced model is:
- Allow
pods/logbroadly for those who support workloads. - Restrict
pods/execto trusted on-call responders, specific namespaces, and ideally non-production where possible.
Here’s an example Role that grants logs but not exec:
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: log-reader
namespace: app-prod
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list", "watch"]
If you decide to allow exec, do it with intent and scope:
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: incident-exec
namespace: app-prod
rules:
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
Notice that pods/exec typically uses the create verb because it initiates an exec session.
Real-world example: on-call access without permanent admin
In many organizations, on-call engineers used to request temporary cluster-admin when incidents occurred because it was the easiest way to unblock debugging. Over time, those temporary grants become permanent, and production becomes effectively writable by many.
A better pattern is to predefine on-call roles: read-only plus logs by default, and tightly scoped exec only where necessary. You can still enable escalation during an incident, but it should be explicit and time-bound, with clear review.
Restrict who can create namespaces and cluster-scoped resources
Namespace creation is often treated as harmless, but it can be an administrative control point. If users can create namespaces, they may also be able to create resources that interact with cluster-wide systems (like ingress classes or external DNS), depending on your configuration.
More importantly, many cluster-scoped resources are foundational to security: CRDs, validating/mutating webhooks, and storage classes can influence the behavior of the entire cluster.
As part of securing Kubernetes RBAC, ensure that only the platform team (or a small admin group) can:
- create/update/delete
namespaces - create/update/delete
customresourcedefinitions - manage
validatingwebhookconfigurationsandmutatingwebhookconfigurations - manage
clusterrolesandclusterrolebindings - manage
nodesandpersistentvolumes
These controls prevent a compromised namespace admin from turning into a cluster admin.
Use aggregation to manage “platform standard” roles at scale
Kubernetes supports ClusterRole aggregation via labels, where one ClusterRole can automatically include rules from other ClusterRoles that match a selector. This is useful when you want modular permissions (for example, “view + logs” or “view + port-forward”) without copying rules into many places.
Aggregation is most often used by Kubernetes’ built-in admin/edit/view roles, but you can apply the pattern to your own roles if you need composability. The key operational benefit is reducing drift: update a component role once and all aggregated roles reflect the change.
If you choose to use aggregation, treat it as a platform-level design choice and document it internally; it can be confusing during audits if engineers aren’t aware that rules are being pulled in indirectly.
Implement RBAC for multi-tenant clusters (without pretending namespaces are perfect)
A “multi-tenant cluster” typically means multiple teams share a control plane and nodes. RBAC is necessary but not sufficient: it controls the API, not runtime isolation. Still, RBAC is the first thing you must get right.
Start by making namespace access explicit: each team gets roles only in their namespaces. Avoid cross-namespace access unless there is a clear reason, such as a shared observability namespace.
Then, ensure teams cannot:
- create RoleBindings to powerful ClusterRoles
- access secrets in other namespaces
- read nodes or other cluster-scoped resources
Finally, pair RBAC with complementary controls (without turning this into a different topic): Pod Security (or equivalent admission controls) to prevent privileged workloads, and NetworkPolicy to prevent lateral traffic. RBAC prevents “API-side” escapes; admission and network controls help prevent “runtime-side” escapes.
Wire RBAC to OIDC groups for human access
Most production clusters integrate with an external identity provider (IdP) via OIDC. In that model, users authenticate with short-lived tokens and Kubernetes sees group claims in the token.
From an RBAC perspective, you want stable group names that reflect operational roles rather than individuals. Bind Roles/ClusterRoles to those groups.
A common workflow is:
- Create IdP groups such as
k8s-platform-admins,k8s-team-a-devs,k8s-team-a-oncall. - Configure the Kubernetes API server (or managed cluster integration) to pass those groups through.
- Create RoleBindings in each namespace referencing those group names.
Exact OIDC configuration varies by distribution (self-managed kube-apiserver flags vs managed offerings), so the most RBAC-relevant point is consistency: pick group names and stick to them. When names change, RBAC breaks in ways that look like outages to engineers.
Manage kubeconfig distribution and avoid shared credentials
RBAC assumes identities are meaningful. If teams share kubeconfigs or use a shared “admin” user, RBAC loses most of its value because audit trails and accountability disappear.
For humans, prefer:
- individual authentication via OIDC
- short-lived credentials
- group-based authorization via RBAC
For automation, prefer:
- dedicated service accounts
- minimal namespace scope
- rotation or short-lived tokens where possible
Also be cautious with long-lived client certificates for users. They can be hard to rotate and often end up stored in multiple places.
This operational hygiene connects directly to RBAC effectiveness: even perfectly designed Roles are undermined if credentials are shared.
Use kubectl to inspect effective permissions
After you create roles and bindings, you should be able to answer “what can this identity do?” Kubernetes provides some tooling, though it’s more ergonomic for spot checks than full audits.
You’ve already seen kubectl auth can-i. For a broader picture, you can query bindings and roles directly:
bash
kubectl get rolebindings -n app-prod -o yaml
kubectl get roles -n app-prod -o yaml
kubectl get clusterrolebindings -o yaml
kubectl get clusterroles -o yaml
In practice, engineers often combine these with searches for subject names:
bash
kubectl get rolebindings -A -o json | jq -r '.items[] | select(.subjects!=null) | select(.subjects[].name=="team-app-devs") | [.metadata.namespace,.metadata.name,.roleRef.kind,.roleRef.name] | @tsv'
This kind of query helps you detect accidental bindings (for example, the dev group being bound in prod). It also supports periodic access reviews.
Apply RBAC via GitOps or infrastructure-as-code
RBAC changes are security changes. Treat them like code: version them, review them, and roll them out consistently.
Whether you use a GitOps tool (like Argo CD or Flux) or a CI pipeline applying manifests, the key is that RBAC YAML should live in a repository with change history. This also allows you to implement structured reviews for sensitive changes, such as modifications to ClusterRoleBindings or any role that touches Secrets.
A practical pattern is to separate repositories or directories:
platform/rbac/for cluster-scoped roles and bindingsapps/<app>/namespaces/<env>/rbac/for namespaced roles and bindings
This structure reinforces the scope separation you designed earlier. It also reduces the risk of someone casually changing production access while working on an application manifest.
Secure service accounts beyond RBAC: token use and namespace defaults
Service accounts are central to Kubernetes automation. RBAC defines what they can do, but you also need to pay attention to where tokens are used.
First, avoid running application pods with overly privileged service accounts. Many workloads don’t need API access at all. If a pod doesn’t need to call the Kubernetes API, consider setting automountServiceAccountToken: false in the Pod spec (or at the service account level) to reduce the value of a pod compromise.
Second, avoid using the default service account for anything meaningful. It’s easy for RoleBindings to accidentally reference it, and it’s hard to reason about which pods are using it.
A simple operational standard is: every workload that needs API access gets a dedicated service account, and that service account has a dedicated RoleBinding.
Even though these points go slightly beyond RBAC YAML, they directly affect whether RBAC boundaries hold when something goes wrong.
Handle CRDs and custom controllers carefully
CustomResourceDefinitions (CRDs) extend the Kubernetes API. Once you add CRDs, you also introduce new RBAC surfaces: custom resources need access control too.
If you install an operator, it typically comes with ClusterRoles and bindings. You should review those manifests before applying them, because operators often require broad permissions (watching many resources, sometimes cluster-wide).
For platform teams, a practical approach is:
- Review vendor/operator RBAC for scope and necessity.
- Prefer installing operators in dedicated namespaces.
- Ensure only platform admins can install or modify CRDs and webhooks.
For application teams, ensure they are granted access only to the custom resources they need in their namespaces, not to the operator’s own management plane.
Create a controlled “namespace admin” role (instead of giving admin broadly)
Teams often want someone to manage namespace-level concerns: resource quotas, limit ranges, and some policy objects. The built-in admin role may be acceptable in some environments, but it can still be broader than you want.
A controlled namespace-admin role might allow managing:
- Deployments, Services, ConfigMaps
- ResourceQuota and LimitRange
- HorizontalPodAutoscaler
…but still avoid RBAC objects and secrets unless explicitly required.
Here’s an example Role for “namespace operations”:
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: namespace-operator
namespace: app-dev
rules:
- apiGroups: [""]
resources: ["resourcequotas", "limitranges"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["autoscaling"]
resources: ["horizontalpodautoscalers"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["services", "configmaps"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Binding this role to a small set of namespace maintainers gives teams autonomy without giving them the keys to cluster-wide escalation.
Use real access reviews: who has cluster-admin and why
Securing Kubernetes RBAC isn’t a one-time configuration task; it’s an operational discipline. A practical periodic review asks:
- Which subjects are bound to
cluster-admin? Are they still required? - Which ClusterRoleBindings exist that grant broad access? Are they justified?
- Which namespaces have RoleBindings that reference unexpected groups?
- Which service accounts have write access in production namespaces?
Rather than trying to audit everything at once, focus on high-risk permissions first: cluster-admin, write access to RBAC objects, and read access to Secrets.
You should also connect these reviews to change management. If a team needs new permissions, the request should result in a specific Role change and a reviewed binding, not an ad-hoc addition to a catch-all group.
Align RBAC with managed Kubernetes (EKS/AKS/GKE) realities
Most organizations run Kubernetes through managed services. RBAC is still Kubernetes RBAC, but there are integration specifics worth accounting for.
In AWS EKS, for example, IAM authentication is mapped into Kubernetes users/groups, and access is often bootstrapped through the EKS access entries mechanism or the aws-auth ConfigMap in older setups. In Azure AKS, Azure AD integration drives user and group identities presented to Kubernetes. In GKE, Google identities map similarly.
The RBAC design principles remain the same: use groups for humans, service accounts for automation, and keep ClusterRoleBindings rare. What changes is how you provision and rotate identities.
Operationally, ensure your platform team treats IdP group management and Kubernetes RBAC as two halves of the same control. A perfectly crafted RoleBinding is useless if the wrong users are placed into the bound group.
Put it together: an end-to-end RBAC model you can adapt
At this point, you’ve seen the primitives and several patterns. A cohesive model for a typical production cluster might look like this:
Platform layer:
group:platform-adminsbound to a controlled ClusterRole for day-to-day platform work, with a very small set of break-glass users bound tocluster-admin.- No broad bindings to
system:authenticated. - Add-on namespaces writable only by platform admins.
Application layer:
- For each app namespace:
- Developers group gets a write Role in
*-devnamespaces. - On-call group gets read-only + logs in
*-prod. - CI service account gets a deploy Role in
*-prod. - No team roles include write access to
roles,rolebindings,clusterroles, orclusterrolebindingsin production. - Secret access is explicitly granted only where required.
This structure scales because it’s consistent. When a new app onboards, you apply the same pattern and adjust only the few permissions that are truly application-specific.
As you implement this, keep validating with kubectl auth can-i, keep bindings narrow, and treat RBAC YAML as security-critical code. That combination is what turns Kubernetes RBAC from a checkbox into an effective control.