RBAC Least-Privilege Patterns

ServiceAccount (namespace: ship)

apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: ship

Role: read pods and pods/log only (namespace-scoped, no write verbs)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-read-logs
  namespace: ship
rules:
- apiGroups: [""]
  resources: ["pods","pods/log"]
  verbs: ["get","list","watch"]

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-read-logs-binding
  namespace: ship
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: ship
roleRef:
  kind: Role
  name: app-read-logs
  apiGroup: rbac.authorization.k8s.io

can-i evidence (expected: yes for the three ship-namespace checks, no for kube-system; store output in artifacts/rbac-verify.txt)

kubectl -n ship auth can-i get pods     --as=system:serviceaccount:ship:app-sa
kubectl -n ship auth can-i get pods/log --as=system:serviceaccount:ship:app-sa
kubectl -n ship auth can-i list pods    --as=system:serviceaccount:ship:app-sa
kubectl -n kube-system auth can-i list pods --as=system:serviceaccount:ship:app-sa

Extend with additional Roles (e.g., read ConfigMaps) rather than cluster-wide permissions.
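The can-i commands prove what a live cluster answers; the following added example (not part of the original page) audits the manifests themselves offline, so over-broad grants are caught before apply. It transcribes the page's Role and RoleBinding as Python dicts and adds a constructed ClusterRoleBinding to cluster-admin to show what the checks flag; the check names and finding texts are this example's own.

```python
# Added example (not from the page): audit RBAC manifests for least-privilege
# violations. PAGE_ROLE/PAGE_BINDING transcribe the page's YAML as dicts;
# OVERBROAD is a constructed counter-example that binds cluster-admin.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
ADMIN_ROLES = {"cluster-admin", "admin", "edit"}
PAGE_ROLE = {"kind": "Role", "metadata": {"name": "app-read-logs", "namespace": "ship"},
             "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                        "verbs": ["get", "list", "watch"]}]}
PAGE_BINDING = {"kind": "RoleBinding",
                "metadata": {"name": "app-read-logs-binding", "namespace": "ship"},
                "subjects": [{"kind": "ServiceAccount", "name": "app-sa", "namespace": "ship"}],
                "roleRef": {"kind": "Role", "name": "app-read-logs"}}
OVERBROAD = {"kind": "ClusterRoleBinding", "metadata": {"name": "app-sa-admin"},
             "subjects": [{"kind": "ServiceAccount", "name": "app-sa", "namespace": "ship"}],
             "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}

def audit_role(role):
    """Findings for a Role/ClusterRole: cluster scope, wildcards, write verbs, secrets."""
    name, findings = role["metadata"]["name"], []
    if role["kind"] == "ClusterRole":
        findings.append(f"{name}: ClusterRole is cluster-wide; prefer a namespaced Role")
    for rule in role.get("rules", []):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs | resources | set(rule.get("apiGroups", [])):
            findings.append(f"{name}: wildcard grant in rule {rule}")
        if verbs & WRITE_VERBS:
            findings.append(f"{name}: write verbs {sorted(verbs & WRITE_VERBS)} on {sorted(resources)}")
        if "secrets" in resources:
            findings.append(f"{name}: grants access to secrets")
    return findings

def audit_binding(binding):
    """Findings for a (Cluster)RoleBinding: cluster scope and built-in admin roles."""
    name, ref, findings = binding["metadata"]["name"], binding["roleRef"], []
    if binding["kind"] == "ClusterRoleBinding":
        findings.append(f"{name}: ClusterRoleBinding applies in every namespace")
    if ref["kind"] == "ClusterRole" and ref["name"] in ADMIN_ROLES:
        findings.append(f"{name}: binds built-in ClusterRole {ref['name']}")
    return findings

def audit(manifests):
    """Run the matching audit over every manifest; an empty list means clean."""
    out = []
    for m in manifests:
        if m["kind"] in ("Role", "ClusterRole"):
            out.extend(audit_role(m))
        elif m["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            out.extend(audit_binding(m))
    return out
```

Run `audit([PAGE_ROLE, PAGE_BINDING])` to confirm the page's pattern yields no findings, and `audit([OVERBROAD])` to see the two findings a cluster-admin binding produces.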