Cyber Security Academy · Lesson

RBAC and Service Accounts

Locking down cluster access.

RBAC Controls Everything

Role-Based Access Control (RBAC) decides which identities can perform which actions on which resources in a cluster. Every API call is authorized against RBAC. Misconfigured RBAC is the leading cause of in-cluster privilege escalation.

  • Subjects: users, groups, service accounts.
  • Roles bind verbs to resources.
  • Bindings connect subjects to roles.

Roles vs ClusterRoles

Two scopes exist.

  • Role + RoleBinding: namespace-scoped permissions.
  • ClusterRole + ClusterRoleBinding: cluster-wide permissions.

A ClusterRoleBinding to cluster-admin is total control. Granting it to a service account is a frequent, dangerous mistake.
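One way to check for exactly this mistake, as an added example that is not part of the lesson: a small Python audit that walks ClusterRoleBinding objects in the shape `kubectl get clusterrolebindings -o json` returns and flags any service account (or the built-in groups that include every service account) bound to cluster-admin. The binding objects below are constructed sample data and the function names are assumptions of this example, not a real tool.

```python
"""Flag service accounts bound to cluster-admin via a ClusterRoleBinding.

The input shape mirrors `kubectl get clusterrolebindings -o json` items;
the objects in SAMPLE_BINDINGS are constructed, not taken from a cluster.
"""

CLUSTER_ADMIN = "cluster-admin"
# Built-in groups that would hand the role to every pod identity at once.
BROAD_GROUPS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}

SAMPLE_BINDINGS = [
    {   # Expected bootstrap binding: the system:masters group, not a pod identity.
        "kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "Group", "name": "system:masters"}],
    },
    {   # The mistake the lesson warns about: a service account with total control.
        "kind": "ClusterRoleBinding", "metadata": {"name": "ci-runner-admin"},
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}],
    },
    {   # Read-only ClusterRole: broad but not cluster-admin, so not flagged here.
        "kind": "ClusterRoleBinding", "metadata": {"name": "metrics-view"},
        "roleRef": {"kind": "ClusterRole", "name": "view"},
        "subjects": [{"kind": "ServiceAccount", "name": "prom", "namespace": "monitoring"}],
    },
]


def risky_subject(subject):
    """True for a service account, or a group that contains all service accounts."""
    if subject.get("kind") == "ServiceAccount":
        return True
    return subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS


def find_cluster_admin_service_accounts(bindings):
    """Return (binding name, subject) pairs for every risky cluster-admin grant."""
    findings = []
    for binding in bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != CLUSTER_ADMIN:
            continue  # only cluster-admin grants are in scope for this check
        for subject in binding.get("subjects", []):
            if risky_subject(subject):
                ns = subject.get("namespace")
                ident = f"{subject['kind']}:{ns + '/' if ns else ''}{subject['name']}"
                findings.append((binding["metadata"]["name"], ident))
    return findings


if __name__ == "__main__":
    for name, who in find_cluster_admin_service_accounts(SAMPLE_BINDINGS):
        print(f"REVIEW {name}: {who} is bound to {CLUSTER_ADMIN}")
```

Feeding it real output (`kubectl get clusterrolebindings -o json`, taking the `items` list) turns it into a quick audit of the cluster; anything it prints should either be justified or replaced by a namespace-scoped Role and RoleBinding.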

All lessons in this course

  1. Kubernetes Threat Model
  2. RBAC and Service Accounts
  3. Pod Security and Network Policies
  4. Securing the Supply Chain and Secrets