How do these templates prevent wildcard usage?

The policies block roles that use '*' in resource or verb lists, requiring explicit definitions to reduce the potential security blast radius.

Do I need OPA installed to use these templates?

Yes, these templates are designed to be implemented within an Open Policy Agent (OPA) or Gatekeeper environment within your Kubernetes cluster.

What does this skill help with?

It provides pre-defined OPA templates to secure Kubernetes RBAC by preventing privilege escalation and broad permissions.

Which RBAC verbs are considered dangerous?

Verbs like 'escalate', 'bind', and 'impersonate' are flagged because they allow users to grant themselves or others higher permissions without proper authorization.

Can this skill handle temporary access?

Yes, it includes patterns for validating expiration annotations on RoleBindings to enforce time-bounded access for temporary debugging or maintenance.

Kubernetes RBAC Security Templates

Name: Kubernetes RBAC Security Templates
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

0•

Security & Testing

Secures Kubernetes clusters by enforcing OPA-based RBAC policies that prevent privilege escalation and wildcard permissions.

This skill provides a suite of Open Policy Agent (OPA) templates designed to harden Kubernetes Role-Based Access Control (RBAC) configurations. It helps developers and platform engineers implement the principle of least privilege by identifying and blocking unauthorized cluster-admin assignments, dangerous verbs like 'escalate' or 'impersonate', and overly broad wildcard permissions. By automating these security checks, the skill ensures consistent enforcement of governance standards and reduces the blast radius of potentially compromised service accounts across cloud-native environments.

Key Features

01Prevents unauthorized cluster-admin privilege escalation

02Blocks dangerous RBAC verbs like escalate, bind, and impersonate

03Enforces the principle of least privilege across namespaces

04Supports time-bounded access through expiration annotation validation

050 GitHub stars

06Eliminated wildcard permissions for resources and verbs

Use Cases

01Hardening Kubernetes clusters against internal threats and compromised accounts

02Automating security compliance audits for RBAC policies in CI/CD

03Implementing temporary, time-limited permissions for developer debugging sessions

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills opa-rbac-templates

For use in Claude.ai and ChatGPT

Download Skill