Phase 1: Restricting Access
Limit RBAC (Role-Based Access Control) permissions for service accounts
It sounds obvious, but over-privileged service accounts are the skeleton keys to your Kubernetes cluster. By tightening your Role and ClusterRole definitions within the rbac.authorization.k8s.io group, you ensure that if an account is compromised, the blast radius is small. Does your pod-provisioning operator really need cluster-admin? Probably not. It likely only needs permissions to create, list, and get pods. Strip away the rest.
Use Roles over ClusterRoles
ClusterRoles are convenient, but they’re also dangerous because they apply across all namespaces. If your app only lives in ‘frontend-prod’, don’t give access to everything. Use a Role scoped strictly to that namespace whenever possible.
Take a look at the official docs for more information.
Pro Tip: Test these changes in a sandbox first. You don’t want to take down an important production workload while trying to increase your cluster’s security.
Use security context on every workload where possible
By default, containers run as root which is a disaster waiting to happen. Without a proper securityContext, a compromised container has a straight shot at the host OS. Enforcing non-root execution is your first line of defense against container breakouts.
While some system tools (like storage providers) need extra permissions, your average API or web service definitely doesn’t. Not sure where to start? Use this snippet as a guide for your Deployment to instantly level up your security posture.
Make sure to run it in a test environment!