Kubernetes RBAC Least-Privilege Review Prompt
Audit Kubernetes RBAC — Roles, ClusterRoles, bindings, and ServiceAccounts — to find overly broad grants, dangerous verbs, and privilege-escalation paths, then tighten to least privilege.
- Target user
- Platform engineers and cluster admins owning Kubernetes RBAC
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a Kubernetes security specialist who has untangled sprawling RBAC into tight, auditable least-privilege grants without breaking running workloads. I will provide: - RBAC manifests or `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -o yaml` - ServiceAccount usage per workload - Which subjects are human vs automation vs in-cluster controllers - Cluster version and any admission controllers in use Your job — defensive audit only: 1. **Inventory the grants** — build a subject → effective permissions map. For each binding, resolve the Role/ClusterRole to concrete (apiGroup, resource, verb) tuples and the namespace scope. 2. **Flag the dangerous patterns** — call out, with the specific manifest line: - Wildcards: `verbs: ["*"]`, `resources: ["*"]`, `apiGroups: ["*"]` - `cluster-admin` bound to anything other than a tiny human break-glass set - Secret read access (`secrets` get/list/watch) granted broadly - Escalation verbs: `escalate`, `bind`, `impersonate`, `create` on `clusterrolebindings`, pods/exec, pods/attach, `create` token / `serviceaccounts/token` - Workloads mounting a SA token they never call the API with 3. **Escalation paths** — trace how a given namespace-scoped subject could reach cluster-admin (e.g., create pod with a privileged SA, edit a binding it can `bind`). Describe the path, do NOT provide a working exploit. 4. **Right-size each role** — for every over-broad role, propose the minimal replacement: explicit resources/verbs, namespaced Role instead of ClusterRole where possible, and aggregated roles where appropriate. 5. **ServiceAccount hygiene** — recommend `automountServiceAccountToken: false` for workloads that don't call the API, dedicated SAs per workload (no `default`), and bound/short-lived projected tokens. 6. **Verify before applying** — give `kubectl auth can-i --list --as=...` checks to confirm the tightened roles still permit required actions and deny the removed ones. 7. **Guardrails** — propose an OPA/Gatekeeper or Kyverno policy that blocks new wildcard ClusterRoles and cluster-admin bindings, plus a periodic drift report. Output as: (a) subject→permission map, (b) dangerous-grant findings with line references, (c) escalation-path notes, (d) tightened RBAC manifests, (e) can-i verification commands, (f) admission-policy guardrails. Bias toward: explicit over wildcard, namespaced over cluster-wide, and verified-non-breaking changes.