rbac-design

Solid

Design minimal-privilege RBAC for workloads, operators, and human access in multi-tenant clusters.

AI & Automation 14 stars 3 forks Updated 3 days ago MIT


Quality Score: 86/100

Stars (20%): 39
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 80
License (10%): 100
Description (5%): 100

Skill Content

# Skill: RBAC Design

> **Expertise:** Kubernetes RBAC — service accounts, Roles, ClusterRoles, namespace isolation, human access patterns.

## When to load

When onboarding a new service, setting up CI/CD cluster access, auditing permissions, or debugging "forbidden" API errors.

## RBAC Object Hierarchy

```
ClusterRole        → cluster-scoped permissions (nodes, PVs, namespaces)
Role               → namespace-scoped permissions (pods, services, configmaps)
ClusterRoleBinding → binds ClusterRole to subject cluster-wide
RoleBinding        → binds Role OR ClusterRole to subject in one namespace
```

## Workload Service Account Pattern

```yaml
# 1. Dedicated ServiceAccount per workload
apiVersion: v1
kind: ServiceAccount
metadata:
  name: order-service
  namespace: production
  annotations:
    # For cloud IAM federation (AWS IRSA, GCP Workload Identity)
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789:role/order-service-prod
automountServiceAccountToken: false  # disable unless needed
---
# 2. Role — minimal permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: order-service
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
    resourceNames: ["order-service-config"]  # scope to specific resource
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
    resourceNames: ["order-service-tls"]
---
# 3. RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: R...
```

Details

Author: sawrus
Repository: sawrus/agent-guides
Created: 3 months ago
Last Updated: 3 days ago
Language: Shell
License: MIT

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

implementing-rbac-hardening-for-kubernetes

Harden Kubernetes Role-Based Access Control by implementing least-privilege policies, auditing role bindings, eliminating cluster-admin sprawl, and integrating external identity providers.

12,642 Updated today
mukul975
AI & Automation Featured

auditing-kubernetes-cluster-rbac

Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous ClusterRoleBindings, service account abuse, and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.

12,642 Updated today
mukul975
AI & Automation Solid

access-control-rbac

Role-based access control (RBAC) with permissions and policies. Use for admin dashboards, enterprise access, multi-tenant apps, fine-grained authorization, or encountering permission hierarchies, role inheritance, policy conflicts.

160 Updated 2 weeks ago
secondsky
AI & Automation Featured

coreweave-enterprise-rbac

Configure RBAC and namespace isolation for CoreWeave multi-team GPU access. Use when managing team permissions, isolating GPU quotas, or implementing namespace-level access control. Trigger with phrases like "coreweave rbac", "coreweave permissions", "coreweave namespace isolation", "coreweave team access".

2,266 Updated today
jeremylongshore
DevOps & Infrastructure Solid

azure-rbac

Helps users find the right Azure RBAC role for an identity with least privilege access, then generate CLI commands and Bicep code to assign it. Also provides guidance on permissions required to grant roles. WHEN: bicep for role assignment, what role should I assign, least privilege role, RBAC role for, role to read blobs, role for managed identity, custom role definition, assign role to identity, what role do I need to grant access, permissions to assign roles.

1,998 Updated 1 month ago
microsoft