CoursesKubernetes attack & defenseControl plane & operators

Operator & controller security

Privileged automation as a supply-chain dependency.

Expert35 min · lesson 12 of 15

Operators and controllers automate the cluster by watching resources and reconciling state — which means they run privileged code that acts across the cluster. A malicious or vulnerable operator is one of the most direct paths to cluster compromise, and installing one is a supply-chain decision.

Why operators are high-value targets

An operator typically holds a broad ClusterRole so it can create, update, and delete the resources it manages, and it runs a reconcile loop driven by custom resources. That combination is powerful: compromise the operator’s pod, or feed its controller a malicious custom resource, and you can drive cluster-wide actions with its permissions. Because operators are often installed from third-party Helm charts or manifests that request extensive RBAC, adding one is exactly like adding a privileged dependency to your supply chain — its container image, its ClusterRole, and its CRDs all deserve scrutiny before it ever runs.

scrutinize an operator before installing it
# Before applying a third-party operator, read what it actually asks for:
helm template ./operator | kubectl-neat | grep -A20 'kind: ClusterRole'
# → Does it request "*" verbs on "*" resources? secrets? create pods?
# → Is its image pinned by digest and from a source you trust?
# → What CRDs does it add, and what can crafting those resources make it do?
# Constrain it: scope the ClusterRole to only what it reconciles, and run it
# under PSA restricted with a dedicated, minimal service account.

Least privilege for automation

Treat operators with the same least-privilege discipline as any workload — more so, given their reach. Scope the operator’s RBAC to the specific resources and verbs it genuinely reconciles rather than granting cluster-admin for convenience; run it as non-root under a restricted pod security profile; pin its image by digest from a trusted source; and keep its actions in the audit log. Review the CRDs it introduces, since custom resources become an attacker-influenceable input to a privileged controller. Operators are enormously useful, but each one expands the cluster’s trusted computing base, and that expansion must be deliberate and constrained.

Operator security
the risk
broad ClusterRole
acts cluster-wide
CRD-driven loop
malicious CR → privileged action
third-party image
supply-chain dependency
the controls
scope the RBAC
only what it reconciles
pin image, PSA restricted
trusted, hardened runtime
review CRDs + audit actions
watch the privileged inputs
An operator is privileged automation and a supply-chain dependency. Scope its RBAC, harden and pin it, and scrutinize what its CRDs let it do.
A cluster-admin operator is a single point of total compromise
Operators that request "*" on "*" (or cluster-admin) mean one vulnerability in that controller — or a malicious update to its image — hands over the entire cluster. Refuse blanket-permission operators: scope the ClusterRole to what it actually manages, and review third-party operator RBAC as carefully as you would any privileged dependency.