Source from repo

Kubernetes Security Policies

Kubernetes security policy expertise from a comprehensive 146-skill, 112-agent multi-agent orchestration system.

wshobsonGitHub wshobsonSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

14.2 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/rbac-patterns.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown200 linesFree

references/rbac-patterns.md

1# RBAC Patterns and Best Practices
2 
3## Common RBAC Patterns
4 
5### Pattern 1: Read-Only Access
6 
7```yaml
8apiVersion: rbac.authorization.k8s.io/v1
9kind: ClusterRole
10metadata:
11  name: read-only
12rules:
13  - apiGroups: ["", "apps", "batch"]
14    resources: ["*"]
15    verbs: ["get", "list", "watch"]
16```
17 
18### Pattern 2: Namespace Admin
19 
20```yaml
21apiVersion: rbac.authorization.k8s.io/v1
22kind: Role
23metadata:
24  name: namespace-admin
25  namespace: production
26rules:
27  - apiGroups: ["", "apps", "batch", "extensions"]
28    resources: ["*"]
29    verbs: ["*"]
30```
31 
32### Pattern 3: Deployment Manager
33 
34```yaml
35apiVersion: rbac.authorization.k8s.io/v1
36kind: Role
37metadata:
38  name: deployment-manager
39  namespace: production
40rules:
41  - apiGroups: ["apps"]
42    resources: ["deployments"]
43    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
44  - apiGroups: [""]
45    resources: ["pods"]
46    verbs: ["get", "list", "watch"]
47```
48 
49### Pattern 4: Secret Reader (ServiceAccount)
50 
51```yaml
52apiVersion: rbac.authorization.k8s.io/v1
53kind: Role
54metadata:
55  name: secret-reader
56  namespace: production
57rules:
58  - apiGroups: [""]
59    resources: ["secrets"]
60    verbs: ["get"]
61    resourceNames: ["app-secrets"] # Specific secret only
62---
63apiVersion: rbac.authorization.k8s.io/v1
64kind: RoleBinding
65metadata:
66  name: app-secret-reader
67  namespace: production
68subjects:
69  - kind: ServiceAccount
70    name: my-app
71    namespace: production
72roleRef:
73  kind: Role
74  name: secret-reader
75  apiGroup: rbac.authorization.k8s.io
76```
77 
78### Pattern 5: CI/CD Pipeline Access
79 
80```yaml
81apiVersion: rbac.authorization.k8s.io/v1
82kind: ClusterRole
83metadata:
84  name: cicd-deployer
85rules:
86  - apiGroups: ["apps"]
87    resources: ["deployments", "replicasets"]
88    verbs: ["get", "list", "create", "update", "patch"]
89  - apiGroups: [""]
90    resources: ["services", "configmaps"]
91    verbs: ["get", "list", "create", "update", "patch"]
92  - apiGroups: [""]
93    resources: ["pods"]
94    verbs: ["get", "list"]
95```
96 
97## ServiceAccount Best Practices
98 
99### Create Dedicated ServiceAccounts
100 
101```yaml
102apiVersion: v1
103kind: ServiceAccount
104metadata:
105  name: my-app
106  namespace: production
107---
108apiVersion: apps/v1
109kind: Deployment
110metadata:
111  name: my-app
112spec:
113  template:
114    spec:
115      serviceAccountName: my-app
116      automountServiceAccountToken: false # Disable if not needed
117```
118 
119### Least-Privilege ServiceAccount
120 
121```yaml
122apiVersion: rbac.authorization.k8s.io/v1
123kind: Role
124metadata:
125  name: my-app-role
126  namespace: production
127rules:
128  - apiGroups: [""]
129    resources: ["configmaps"]
130    verbs: ["get"]
131    resourceNames: ["my-app-config"]
132```
133 
134## Security Best Practices
135 
1361. **Use Roles over ClusterRoles** when possible
1372. **Specify resourceNames** for fine-grained access
1383. **Avoid wildcard permissions** (`*`) in production
1394. **Create dedicated ServiceAccounts** for each app
1405. **Disable token auto-mounting** if not needed
1416. **Regular RBAC audits** to remove unused permissions
1427. **Use groups** for user management
1438. **Implement namespace isolation**
1449. **Monitor RBAC usage** with audit logs
14510. **Document role purposes** in metadata
146 
147## Troubleshooting RBAC
148 
149### Check User Permissions
150 
151```bash
152kubectl auth can-i list pods --as [email protected]
153kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-app
154```
155 
156### View Effective Permissions
157 
158```bash
159kubectl describe clusterrole cluster-admin
160kubectl describe rolebinding -n production
161```
162 
163### Debug Access Issues
164 
165```bash
166kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide | grep my-user
167```
168 
169## Common RBAC Verbs
170 
171- `get` - Read a specific resource
172- `list` - List all resources of a type
173- `watch` - Watch for resource changes
174- `create` - Create new resources
175- `update` - Update existing resources
176- `patch` - Partially update resources
177- `delete` - Delete resources
178- `deletecollection` - Delete multiple resources
179- `*` - All verbs (avoid in production)
180 
181## Resource Scope
182 
183### Cluster-Scoped Resources
184 
185- Nodes
186- PersistentVolumes
187- ClusterRoles
188- ClusterRoleBindings
189- Namespaces
190 
191### Namespace-Scoped Resources
192 
193- Pods
194- Services
195- Deployments
196- ConfigMaps
197- Secrets
198- Roles
199- RoleBindings
200

Preparing the source view

Kubernetes Security Policies

references/rbac-patterns.md