yaml 28 lines · 1 tab

Kubernetes RBAC roles with least privilege service accounts

Kai Nakamura Apr 2026
1 tab
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-reader
  namespace: production
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: metrics-reader
  namespace: production
rules:
  - apiGroups: ['']
    resources: ['pods', 'services']
    verbs: ['get', 'list', 'watch']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: metrics-reader
  namespace: production
subjects:
  - kind: ServiceAccount
    name: metrics-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: metrics-reader
1 file · yaml Explain with highlit

I avoid handing broad cluster access to workloads just because it is convenient during setup. Service accounts should have the minimum verbs and resources needed for the job, nothing more. Over-permissioned cluster identities make post-exploitation much easier than it needs to be.

Share this code

Here's the card — post it anywhere.

Kubernetes RBAC roles with least privilege service accounts — share card
Link copied