Kubernetes RBAC roles with least privilege service accounts

12590 views

                  apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-reader
  namespace: production
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: metrics-reader
  namespace: production
rules:
  - apiGroups: ['']
    resources: ['pods', 'services']
    verbs: ['get', 'list', 'watch']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: metrics-reader
  namespace: production
subjects:
  - kind: ServiceAccount
    name: metrics-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: metrics-reader

I avoid handing broad cluster access to workloads just because it is convenient during setup. Service accounts should have the minimum verbs and resources needed for the job, nothing more. Over-permissioned cluster identities make post-exploitation much easier than it needs to be.

Kai Nakamura

More from Kai Nakamura

Kubernetes RBAC roles with least privilege service accounts

0 Comments

More from Kai Nakamura