How do these templates prevent wildcard usage?

The policies block roles that use '*' in resource or verb lists, requiring explicit definitions to reduce the potential security blast radius.

Do I need OPA installed to use these templates?

Yes, these templates are designed to be implemented within an Open Policy Agent (OPA) or Gatekeeper environment within your Kubernetes cluster.

What does this skill help with?

It provides pre-defined OPA templates to secure Kubernetes RBAC by preventing privilege escalation and broad permissions.

Which RBAC verbs are considered dangerous?

Verbs like 'escalate', 'bind', and 'impersonate' are flagged because they allow users to grant themselves or others higher permissions without proper authorization.

Can this skill handle temporary access?

Yes, it includes patterns for validating expiration annotations on RoleBindings to enforce time-bounded access for temporary debugging or maintenance.

Kubernetes RBAC Security Templates

Name: Kubernetes RBAC Security Templates
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

セキュリティとテスト

Secures Kubernetes clusters by enforcing OPA-based RBAC policies that prevent privilege escalation and wildcard permissions.

概要

This skill provides a suite of Open Policy Agent (OPA) templates designed to harden Kubernetes Role-Based Access Control (RBAC) configurations. It helps developers and platform engineers implement the principle of least privilege by identifying and blocking unauthorized cluster-admin assignments, dangerous verbs like 'escalate' or 'impersonate', and overly broad wildcard permissions. By automating these security checks, the skill ensures consistent enforcement of governance standards and reduces the blast radius of potentially compromised service accounts across cloud-native environments.

主な機能

Prevents unauthorized cluster-admin privilege escalation
Blocks dangerous RBAC verbs like escalate, bind, and impersonate
Enforces the principle of least privilege across namespaces
Supports time-bounded access through expiration annotation validation
0 GitHub stars
Eliminated wildcard permissions for resources and verbs

ユースケース

Hardening Kubernetes clusters against internal threats and compromised accounts
Automating security compliance audits for RBAC policies in CI/CD
Implementing temporary, time-limited permissions for developer debugging sessions

概要

主な機能

Prevents unauthorized cluster-admin privilege escalation
Blocks dangerous RBAC verbs like escalate, bind, and impersonate
Enforces the principle of least privilege across namespaces
Supports time-bounded access through expiration annotation validation
0 GitHub stars
Eliminated wildcard permissions for resources and verbs

ユースケース

Hardening Kubernetes clusters against internal threats and compromised accounts
Automating security compliance audits for RBAC policies in CI/CD
Implementing temporary, time-limited permissions for developer debugging sessions