From prodsec-skills
Configures Kubernetes RBAC, service accounts, namespaces, resource quotas, and service types for least-privilege pod access. Useful when writing or auditing Deployments, ServiceAccounts, Roles, and RoleBindings.
Slash command: `/prodsec-skills:pod-access-control`

Configure least-privilege access control for Kubernetes workloads by scoping RBAC bindings, isolating namespaces, enforcing resource quotas, and restricting service exposure.
Every workload pod must use a dedicated, named service account — not the default service account. Default service accounts often carry excessive privileges and make it impossible to apply fine-grained RBAC per workload.
Required for: all profiles (mandatory)
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: app-ns
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: app-ns
spec:
  template:
    spec:
      # Bind the pod to the dedicated account instead of the namespace default
      serviceAccountName: app-sa
```
Workload pods must not use ClusterRoleBindings. Cluster-wide role bindings grant excessive privileges that enable lateral movement across the entire cluster. Use namespace-scoped RoleBindings instead.
Required for: Telco (mandatory), Far-Edge (mandatory), Extended (mandatory), Non-Telco (optional)
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-role-binding
  namespace: app-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app-role
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: app-ns
```
Workload RoleBindings must only exist in the workload's own namespace. Cross-namespace role bindings violate tenant isolation and create unintended privilege escalation paths.
Required for: all profiles (mandatory)
If a workload creates Custom Resource Definitions, it must supply a Role that only grants access to those CRDs — not to other API resources. This enforces least-privilege for custom resource access.
Required for: Extended (mandatory), all others (optional)
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-crd-role
  namespace: app-ns
rules:
  # Only the workload's own API group and resource, no core or other groups
  - apiGroups: ["app.example.com"]
    resources: ["myresources"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
```
Workload resources must be deployed to declared namespaces. Do not use:

- `default`
- `openshift-*`
- `istio-*`
- `aspenmesh-*`

These namespaces are reserved for platform components and service mesh infrastructure.
Required for: all profiles (optional, recommended best practice)
Workload namespaces must have a ResourceQuota applied to prevent unbounded resource consumption. Without quotas, a single workload can starve other applications of CPU and memory.
Required for: Extended (mandatory), all others (optional)
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: app-quota
  namespace: app-ns
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
```
All containers must specify CPU and memory resource requests. Requests enable the Kubernetes scheduler to make informed placement decisions and prevent resource contention.
Required for: Telco (mandatory), Far-Edge (mandatory), Extended (mandatory), Non-Telco (optional)
```yaml
containers:
  - name: app
    image: registry.example.com/app:v1.2.3
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 200m
        memory: 256Mi
```
Services must not use NodePort. NodePort services expose applications directly on host ports, creating security risks and potential port conflicts with host services. Use ClusterIP (default) or LoadBalancer instead.
Required for: all profiles (mandatory)
```yaml
apiVersion: v1
kind: Service
metadata:
  name: app-svc
  namespace: app-ns
spec:
  type: ClusterIP
  selector:
    app: app
  ports:
    - port: 8080
      targetPort: 8080
```
| Guidance | Certsuite Test ID | Profiles |
|---|---|---|
| Dedicated service account | access-control-pod-service-account | All profiles: mandatory |
| No ClusterRoleBindings | access-control-cluster-role-bindings | Telco/Far-Edge/Extended: mandatory, Non-Telco: optional |
| No cross-namespace RoleBindings | access-control-pod-role-bindings | All profiles: mandatory |
| CRD-scoped roles | access-control-crd-roles | Extended: mandatory, all others: optional |
| Declared namespaces | access-control-namespace | All profiles: optional (recommended) |
| Namespace resource quota | access-control-namespace-resource-quota | Extended: mandatory, all others: optional |
| Resource requests | access-control-requests | Telco/Far-Edge/Extended: mandatory, Non-Telco: optional |
| No NodePort services | access-control-service-type | All profiles: mandatory |
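A static checker that applies the eight guidance items from the table above to a manifest bundle and reports findings keyed by the certsuite test IDs. This is an added example, not code from the prodsec-skills plugin or from certsuite. It assumes manifests are plain dicts of the shape `yaml.safe_load_all()` produces, covers workload controllers that carry a pod template (Deployment, StatefulSet, DaemonSet, Job), treats a Role as CRD-scoped only when every rule stays within the API groups of CRDs shipped in the same bundle, and uses a constructed `SAMPLE_BUNDLE` (one compliant workload plus one violation per rule) for illustration.

```python
"""Static audit of a manifest bundle against the eight guidance items above.
Added example, not code from the prodsec-skills plugin or from certsuite; manifests are
plain dicts as yaml.safe_load_all() produces them, and the sample bundle is constructed."""
RESERVED_PREFIXES = ("openshift-", "istio-", "aspenmesh-")

def _pods(ms):
    """Yield (namespace, name, pod_spec) for workload controllers that carry a pod template."""
    for m in ms:
        if m.get("kind") in {"Deployment", "StatefulSet", "DaemonSet", "Job"}:
            yield m["metadata"].get("namespace"), m["metadata"]["name"], m["spec"]["template"].get("spec", {})

def _sa_of(pod_spec):  # an unset serviceAccountName means the namespace's default SA
    return pod_spec.get("serviceAccountName", "default")

def check_service_account(ms):
    return [f"{ns}/{n} uses the default service account" for ns, n, spec in _pods(ms) if _sa_of(spec) == "default"]

def check_cluster_role_bindings(ms):
    sas = {(ns, _sa_of(spec)) for ns, _, spec in _pods(ms)}
    return [f"ClusterRoleBinding {m['metadata']['name']} binds workload SA {s['namespace']}/{s['name']}"
            for m in ms if m.get("kind") == "ClusterRoleBinding" for s in m.get("subjects", [])
            if s.get("kind") == "ServiceAccount" and (s.get("namespace"), s.get("name")) in sas]

def check_role_bindings(ms):
    sas, out = {(ns, _sa_of(spec)) for ns, _, spec in _pods(ms)}, []
    for m in (m for m in ms if m.get("kind") == "RoleBinding"):
        rb_ns = m["metadata"].get("namespace")
        for s in m.get("subjects", []):
            sa_ns = s.get("namespace", rb_ns)
            if s.get("kind") == "ServiceAccount" and (sa_ns, s.get("name")) in sas and sa_ns != rb_ns:
                out.append(f"RoleBinding {rb_ns}/{m['metadata']['name']} binds {sa_ns}/{s['name']} across namespaces")
    return out

def check_crd_roles(ms):  # only applies when the bundle ships CRDs; Roles must then stay within those groups
    groups = {m["spec"]["group"] for m in ms if m.get("kind") == "CustomResourceDefinition"}
    return [f"Role {m['metadata']['name']} grants apiGroups {rule.get('apiGroups')} outside the workload's CRDs"
            for m in ms if groups and m.get("kind") == "Role"
            for rule in m.get("rules", []) if not set(rule.get("apiGroups", [])) <= groups]

def check_namespace(ms):
    out = []
    for m in (m for m in ms if m.get("kind") not in {"ClusterRole", "ClusterRoleBinding", "CustomResourceDefinition", "Namespace"}):
        ns, name = m["metadata"].get("namespace"), m["metadata"]["name"]
        if ns is None:
            out.append(f"{m['kind']} {name} declares no namespace")
        elif ns == "default" or ns.startswith(RESERVED_PREFIXES):
            out.append(f"{m['kind']} {name} targets reserved namespace {ns}")
    return out

def check_quota(ms):
    quotas = {m["metadata"].get("namespace") for m in ms if m.get("kind") == "ResourceQuota"}
    return [f"namespace {ns} has no ResourceQuota" for ns in sorted({ns for ns, _, _ in _pods(ms)} - quotas)]

def check_requests(ms):
    out = []
    for ns, n, spec in _pods(ms):
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            missing = [r for r in ("cpu", "memory") if r not in c.get("resources", {}).get("requests", {})]
            if missing:
                out.append(f"{ns}/{n} container {c['name']} lacks {'/'.join(missing)} requests")
    return out

def check_service_type(ms):
    return [f"Service {m['metadata'].get('namespace')}/{m['metadata']['name']} is NodePort"
            for m in ms if m.get("kind") == "Service" and m.get("spec", {}).get("type") == "NodePort"]

CHECKS = {  # keyed by the certsuite test IDs listed in the table
    "access-control-pod-service-account": check_service_account,
    "access-control-cluster-role-bindings": check_cluster_role_bindings,
    "access-control-pod-role-bindings": check_role_bindings,
    "access-control-crd-roles": check_crd_roles,
    "access-control-namespace": check_namespace,
    "access-control-namespace-resource-quota": check_quota,
    "access-control-requests": check_requests,
    "access-control-service-type": check_service_type,
}

def audit(ms):
    """Return {test_id: [findings]}; an empty list means that check passed."""
    return {test_id: fn(ms) for test_id, fn in CHECKS.items()}

def _obj(kind, name, ns=None, **body):  # sample-data helper producing yaml.safe_load()-shaped dicts
    return {"kind": kind, "metadata": {"name": name, **({"namespace": ns} if ns else {})}, **body}
def _deployment(name, ns, sa=None, requests=None):
    container = {"name": "app", "image": "registry.example.com/app:v1.2.3", **({"resources": {"requests": requests}} if requests else {})}
    return _obj("Deployment", name, ns, spec={"template": {"spec": {"containers": [container], **({"serviceAccountName": sa} if sa else {})}}})
APP_SA = {"kind": "ServiceAccount", "name": "app-sa", "namespace": "app-ns"}
SAMPLE_BUNDLE = [  # constructed: one compliant workload plus one violation of each rule
    _deployment("app", "app-ns", sa="app-sa", requests={"cpu": "100m", "memory": "128Mi"}),
    _deployment("legacy", "default"),  # default SA, reserved namespace, no requests, no quota
    _obj("ResourceQuota", "app-quota", "app-ns"),
    _obj("RoleBinding", "app-role-binding", "app-ns", subjects=[APP_SA]),
    _obj("RoleBinding", "cross-ns", "other-ns", subjects=[APP_SA]),
    _obj("ClusterRoleBinding", "app-crb", subjects=[APP_SA]),
    _obj("CustomResourceDefinition", "myresources.app.example.com", spec={"group": "app.example.com"}),
    _obj("Role", "app-crd-role", "app-ns", rules=[{"apiGroups": ["app.example.com"], "resources": ["myresources"]}]),
    _obj("Role", "too-wide", "app-ns", rules=[{"apiGroups": [""], "resources": ["secrets"]}]),
    _obj("Service", "debug-svc", "app-ns", spec={"type": "NodePort"}),
]
```

Running `audit(SAMPLE_BUNDLE)` yields exactly one finding per test ID, all traceable to the `legacy` Deployment, the `cross-ns` and `app-crb` bindings, the `too-wide` Role and the `debug-svc` Service; auditing only the compliant `app` Deployment together with its ResourceQuota returns empty lists for every check. To run it against real files, load them with `list(yaml.safe_load_all(open(path)))` and pass the resulting list in place of `SAMPLE_BUNDLE`.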
Install with:

```shell
npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills
```