yaml
28 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
apiVersion: v1
kind: ServiceAccount
metadata:
name: metrics-reader
namespace: production
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: metrics-reader
namespace: production
rules:
- apiGroups: ['']
resources: ['pods', 'services']
verbs: ['get', 'list', 'watch']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: metrics-reader
namespace: production
subjects:
- kind: ServiceAccount
name: metrics-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: metrics-reader
1 file · yaml
Explain with highlit
I avoid handing broad cluster access to workloads just because it is convenient during setup. Service accounts should have the minimum verbs and resources needed for the job, nothing more. Over-permissioned cluster identities make post-exploitation much easier than it needs to be.
Share this code
Here's the card — post it anywhere.