Stats
Actions
Tags
From kubernetes
Provision and sync Kubernetes RBAC resources — RoleBindings, ClusterRoleBindings, and ServiceAccounts — from a core-iam.yaml and tenant.yaml definition. Maps platform roles (`Role("reader")`, `Role("contributor")`, `Role("admin")`, Operator) to Kubernetes built-in ClusterRoles within tenant namespaces. Uses the Kubernetes MCP server. Use when applying or updating RBAC after running define-core-iam or define-tenant-iam, or when onboarding a new tenant namespace.
How this skill is triggered — by the user, by Claude, or both
Slash command
/kubernetes:manage-k8s-iamThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Implementation
Implementation
rbac.authorization.k8s.io, v1).rbac.authorization.k8s.io/rolebindings: create, update, delete, listrbac.authorization.k8s.io/clusterrolebindings: create, update, delete, listv1/serviceaccounts: create, update, delete, listv1/namespaces: get, list (namespace creation is out of scope for this skill)Apply the RBAC bindings from core-iam.yaml and/or one or more tenants/{name}.yaml files to one or more Kubernetes clusters. Ensure that:
Role("operator") ServiceAccounts exist per namespace for non-human pipeline access.ClusterRoleBinding with cluster-admin exists for tenant groups.This skill is idempotent: running it multiple times produces the same result.
When writing configurations or documentation, you MUST strictly adhere to the structural notation and types defined in the book. Before proceeding, read the following reference files:
references/notation.mdreferences/types.mdBefore proceeding, ask the user (or infer from context):
core-iam.yaml and/or tenants/{name}.yaml. Read these files first.(Sector, Tier, Region) coordinate. Confirm the kubeconfig context or cluster API endpoint.{tenant}, {tenant}-{tier}, or simply the tenant name if the cluster is already tier-scoped.)--aad-admin-group-object-ids and RoleBindings), GKE (Google Groups RBAC), or standalone OIDC.Read the IAM definition files before proceeding.
Read the specified files and extract:
Role("operator") Workload Identity definitions (for ServiceAccount annotation)Validate:
Role("operator") groupsReport validation errors and stop before applying changes.
Apply the standard role mapping from the chapter:
| Platform Role | Kubernetes ClusterRole | Scope |
|---|---|---|
Role("reader") | view | Namespace (per tenant) |
Role("contributor") | edit | Namespace (per tenant) |
Role("admin") | admin | Namespace (per tenant) |
Role("operator") | admin | Namespace (per tenant) — via ServiceAccount, not human group |
Rules:
cluster-admin. This is equivalent to giving root access to the entire cluster.RoleBinding (namespace-scoped), never ClusterRoleBinding.ClusterRoleBinding for cluster-level administration roles, but only for the platform-{tier}-admins group and only with the cluster-admin ClusterRole — document these explicitly and keep them minimal.view ClusterRole excludes Secrets by default. If developers need to read Secrets for debugging, create a supplemental Role that grants get on secrets within the namespace and bind it separately — do not elevate the entire binding to edit for this purpose alone.The subject in a Kubernetes RoleBinding varies by cloud IAM integration:
EKS (AWS IAM):
rolearn entry mapping the IAM role to a Kubernetes group. Then bind that group in a RoleBinding.AKS (Entra ID):
Group and name is the Entra ID group Object ID.subjects: [{kind: Group, name: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", apiGroup: rbac.authorization.k8s.io}]GKE (Google Groups RBAC):
Group and name is the Cloud Identity group email.subjects: [{kind: Group, name: "[email protected]", apiGroup: rbac.authorization.k8s.io}]Standalone OIDC:
groups claim if the OIDC provider emits group membership. Subject kind is Group.Resolve the correct subject format for the cluster's integration type before creating bindings.
For each tenant and each target cluster:
ecommerce-live cluster), the namespace is typically just {tenant}. If the cluster spans tiers, namespace may be {tenant}-{tier}.Role("reader"), Role("contributor"), Admin), check whether a RoleBinding already exists.RoleBinding naming convention: {group-name} or {role}-{group-name} — be consistent.
Example RoleBinding (AKS): ``yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: payments-live-contributors namespace: payments subjects:
Role("operator") ServiceAccountsFor each Role("operator") group's non-human identity:
eks.amazonaws.com/role-arn: arn:aws:iam::{account}:role/{tenant}-{tier}-operatorazure.workload.identity/client-id: {managed-identity-client-id}iam.gke.io/gcp-service-account: {tenant}-{tier}-operator@{project}.iam.gserviceaccount.comadmin within the namespace.Role("operator") access must be namespace-scoped.For the platform team's cluster-level access needs:
ClusterRoleBinding resources exist for platform groups.platform-{tier}-admins → cluster-admin ClusterRole (JIT-only in Tier("live") — this binding alone is not sufficient; PIM or equivalent must gate activation)platform-{tier}-readers → view ClusterRole at cluster scopeKeep the list of ClusterRoleBindings short. Every new cluster-wide binding increases blast radius. Prefer namespace-scoped RoleBindings wherever possible.
After creating all bindings:
kind: User). These bypass group-based access management and should be removed — confirm with the user first.cluster-admin outside of the platform admin group. Report as a critical finding.Produce a summary after applying:
In dry-run mode, produce the report without making changes.
Produce a Markdown report named k8s-iam-report.md:
``markdown
Date: [timestamp] Cluster(s): [cluster names / contexts] Scope: [core / tenant names applied] Mode: [applied / dry-run]
| Namespace | Binding Name | ClusterRole | Subject (Group) | Status |
|---|---|---|---|---|
| payments | payments-live-contributors | edit | xxxxxxxx-... (Entra ID) | created |
| payments | payments-live-admins | admin | xxxxxxxx-... (Entra ID) | created |
| payments | payments-readers | view | xxxxxxxx-... (Entra ID) | exists |
| Binding Name | ClusterRole | Subject (Group) | Scope | Status |
|---|---|---|---|---|
| platform-live-admins | cluster-admin | platform-live-admins | cluster | exists |
| Namespace | Name | Cloud Annotation | Status |
|---|---|---|---|
| payments | payments-live-operator | iam.gke.io/gcp-service-account=... | created |
| Namespace | Binding Name | Note |
|---|---|---|
| payments | old-payments-deployer | User subject — recommend removal |
[cluster-admin bindings outside platform group, User subjects, namespaces missing, etc.]
[Namespace creation needed, EKS Access Entry configuration required, etc.] ``
RoleBinding — never ClusterRoleBinding. Tenants do not get cluster-wide access.cluster-admin binding is for the platform admin group, accessed via JIT. Any other binding referencing cluster-admin is a critical finding.kubectl service account secrets.This skill is grounded in Chapter 5: Identity and Access Management of Crafting Platforms.
npx claudepluginhub craftingplatforms/ai --plugin kubernetesConfigures Kubernetes RBAC to enforce least privilege access on cluster resources. Covers Role/ClusterRole design, RoleBinding setup, service account security, namespace isolation, and audit logging for multi-tenant clusters.
Hardens Kubernetes RBAC by eliminating cluster-admin sprawl, enforcing namespace-scoped roles, and integrating OIDC identity providers.
Hardens Kubernetes RBAC by eliminating cluster-admin sprawl, enforcing namespace-scoped roles, and integrating OIDC identity providers.