kubernetes-rbac-review

Kubernetes RBAC Review

Purpose

Review Kubernetes RBAC objects — Roles, ClusterRoles, RoleBindings, ClusterRoleBindings, and ServiceAccounts — against least privilege, namespace scope minimization, and operational safety.

Lean operating rules

• Prefer live cluster evidence (kubectl auth can-i, kubectl get rolebinding, audit logs) when the active client exposes it; otherwise fall back to official Kubernetes documentation and sanitized user evidence.
• Separate confirmed facts from inference. If state was not queried or shown, say so.
• Challenge cluster-scoped access granted to workloads that only need namespace-scoped access.
• Challenge wildcard verbs (*), wildcard resources (*), and wildcard API groups (*) unless explicitly justified.
• Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.

References

Load these only when needed:

• Evidence path and tooling — use when choosing live cluster evidence, confirming MCP capability, or switching to documentation mode.
• Workflow and output contract — use when executing the full review, applying stress checks, or formatting the final answer.
• Official sources — use when you need the detailed Kubernetes documentation list or source notes.

Response minimum

Return, at minimum:

• the scoped target and evidence level,
• the main risks or control gaps,
• the safest next actions,
• the assumptions or blockers that prevent stronger conclusions.