원클릭으로
rbac-design
Design minimal-privilege RBAC for workloads, operators, and human access in multi-tenant clusters.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Design minimal-privilege RBAC for workloads, operators, and human access in multi-tenant clusters.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Production-grade GitHub Actions workflows — reusable workflows, OIDC cloud auth, caching, matrix builds, and environment protection rules. Use when the user creates, reviews, or debugs CI/CD pipelines in .github/workflows, or asks about GitHub Actions deployment, OIDC authentication, or workflow optimization.
Systematic diagnosis of Kubernetes pod failures — CrashLoopBackOff, OOMKilled, Pending, ImagePullBackOff, and service connectivity issues. Use when the user encounters pods not starting, container restart loops, scheduling failures, or service unreachability in a K8s cluster.
Implement distributed tracing with OpenTelemetry, Tempo/Jaeger — instrumentation, sampling, and trace-to-log correlation. Use when the user asks about distributed tracing, OpenTelemetry setup, span instrumentation, trace propagation, or connecting traces to logs and metrics.
Design reusable React components with compound patterns, controlled/uncontrolled hybrids, typed prop APIs, async state handling, and ARIA accessibility. Use when the user creates, refactors, or reviews React components, or mentions props, hooks, .tsx files, component APIs, or accessible UI patterns.
Apply STRIDE threat modeling to system designs, identify IDOR and authorization vulnerabilities, and build threat matrices for security reviews. Use when the user designs a new system, reviews an architecture, prepares for a security audit, or asks about common API vulnerabilities like IDOR or broken access control.
Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.
| name | rbac-design |
| type | skill |
| description | Design minimal-privilege RBAC for workloads, operators, and human access in multi-tenant clusters. |
| related-rules | ["workload-security.md"] |
| allowed-tools | Read, Write, Edit, Bash |
Expertise: Kubernetes RBAC — service accounts, Roles, ClusterRoles, namespace isolation, human access patterns.
When onboarding a new service, setting up CI/CD cluster access, auditing permissions, or debugging "forbidden" API errors.
ClusterRole → cluster-scoped permissions (nodes, PVs, namespaces)
Role → namespace-scoped permissions (pods, services, configmaps)
ClusterRoleBinding → binds ClusterRole to subject cluster-wide
RoleBinding → binds Role OR ClusterRole to subject in one namespace
# 1. Dedicated ServiceAccount per workload
apiVersion: v1
kind: ServiceAccount
metadata:
name: order-service
namespace: production
annotations:
# For cloud IAM federation (AWS IRSA, GCP Workload Identity)
eks.amazonaws.com/role-arn: arn:aws:iam::123456789:role/order-service-prod
automountServiceAccountToken: false # disable unless needed
---
# 2. Role — minimal permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: order-service
namespace: production
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
resourceNames: ["order-service-config"] # scope to specific resource
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames: ["order-service-tls"]
---
# 3. RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: order-service
namespace: production
subjects:
- kind: ServiceAccount
name: order-service
namespace: production
roleRef:
kind: Role
apiGroupv: rbac.authorization.k8s.io
name: order-service
# Dev read-only access to staging namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: devs-view-staging
namespace: staging
subjects:
- kind: Group
name: developers # from OIDC provider (Dex, Okta, etc.)
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: view # built-in read-only ClusterRole
apiGroup: rbac.authorization.k8s.io
| ClusterRole | Access level |
|---|---|
view | Read-only all namespaced resources |
edit | Read/write most namespaced resources; no RBAC |
admin | Full namespace access including RBAC |
cluster-admin | Full cluster access — never bind to apps |
# CI system gets minimal cluster access
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ci-deployer
rules:
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["get", "list", "patch", "update"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
# NOT: create/delete pods, access secrets, modify RBAC
# What can a ServiceAccount do?
kubectl auth can-i --list \
--as=system:serviceaccount:production:order-service \
-n production
# Who can do X in namespace Y?
kubectl who-can get secrets -n production # requires kubectl-who-can plugin
# Find all RoleBindings in a namespace
kubectl get rolebindings,clusterrolebindings -n production -o wide
# Check if a specific action is allowed
kubectl auth can-i delete pods -n production \
--as=system:serviceaccount:production:order-service
| Mistake | Risk | Fix |
|---|---|---|
Using default ServiceAccount | All pods in namespace share permissions | Dedicate one SA per workload |
verbs: ["*"] | Full resource control | Enumerate exact verbs needed |
resources: ["*"] | Access to all resources | List explicitly |
Binding cluster-admin to CI | Breach = full cluster takeover | Use scoped ci-deployer ClusterRole |
automountServiceAccountToken: true (default) | Token injected into all pods | Set to false unless needed |