BlogKubernetes

Kubernetes RBAC least privilege: from admin to scoped roles

Replace blanket cluster-admin with namespaced Roles, audit who can do what, and test access with kubectl auth can-i.

Apr 14, 2026·10 min readIntermediate

Most clusters accumulate cluster-admin bindings the way garages accumulate boxes. RBAC least privilege means every human and service account gets exactly the verbs and resources it needs, in exactly the namespaces it operates in — and you can prove it with kubectl auth can-i.

bash — audit what a SA can dolive
kubectl auth can-i --list --as=system:serviceaccount:shop:web
Resources Verbs
pods [get list watch]
configmaps [get]
if this prints * [*] you have work to do

Namespaced Role, not ClusterRole

Prefer a Role (one namespace) over a ClusterRole (whole cluster). Grant specific verbs on specific resources — no wildcards.

role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: { namespace: shop, name: web-reader }
rules:
- apiGroups: [""]
resources: [pods, configmaps]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: { namespace: shop, name: web-reader }
subjects:
- kind: ServiceAccount
name: web
roleRef:
kind: Role
name: web-reader
apiGroup: rbac.authorization.k8s.io

Find who has cluster-admin

bash — the dangerous bindingslive
kubectl get clusterrolebindings -o wide | grep cluster-admin
NAME ROLE SUBJECTS
cluster-admin ClusterRole/cluster-admin Group system:masters
jenkins-deployer ClusterRole/cluster-admin SA ci:jenkins
default-dashboard ClusterRole/cluster-admin SA kube-system:dashboard
every name here is a full-cluster takeover if compromised
Wildcards are the enemy
verbs ["*"] on resources ["*"] is cluster-admin by another name. Enumerate the verbs you actually use: get/list/watch for readers, add create/update/patch/delete only where needed.

Test before and after

bash
kubectl auth can-i delete pods \
--as=system:serviceaccount:shop:web -n shop
# no <- exactly what you want
Go deeper in a courseKubernetes security & hardeningRBAC, Pod Security, admission control and runtime, hands-on.View course

Related posts