RBAC: least-privilege per namespace
Demonstrate that access permissions within the container orchestration platform are scoped to specific namespaces with only the minimum privileges necessary for users and service accounts to perform their assigned functions.
Description
What this control does
Role-Based Access Control (RBAC) with least privilege per namespace enforces segregation of duties and access boundaries within containerized environments by granting users and service accounts only the minimum permissions required to perform their tasks within specific namespaces. This control prevents lateral movement across namespaces and limits the blast radius in the event of credential compromise or container breakout. Implementation typically involves Kubernetes RBAC policies (Roles, RoleBindings) scoped to individual namespaces rather than cluster-wide permissions (ClusterRoleBindings), with regular review cycles to prevent privilege creep.
Control objective
What auditing this proves
Demonstrate that access permissions within the container orchestration platform are scoped to specific namespaces with only the minimum privileges necessary for users and service accounts to perform their assigned functions.
Associated risks
Risks this control addresses
- Compromised service account with cluster-admin privileges enables an attacker to pivot across all namespaces and access sensitive workloads beyond the initial breach point
- Developer with overly broad permissions in production namespace accidentally deletes critical resources or accesses customer data without legitimate business need
- Malicious insider with cross-namespace read access exfiltrates proprietary application configurations and secrets from multiple business units
- Container escape exploit combined with excessive pod security permissions allows attacker to modify cluster-level resources and establish persistence
- Automated CI/CD pipeline service account with wildcard permissions across namespaces becomes single point of compromise for entire platform
- Lack of namespace isolation allows test environment service to query production databases through misconfigured network policies and excessive RBAC grants
- Accumulated permissions from role inheritance and multiple RoleBindings grant unintended escalation paths that bypass approval workflows
Testing procedure
How an auditor verifies this control
- Obtain a complete export of all Roles, RoleBindings, ClusterRoles, and ClusterRoleBindings from the Kubernetes or container orchestration platform using kubectl or API queries
- Generate an inventory of all service accounts and user accounts with their associated namespace-scoped and cluster-scoped permissions, documenting verbs (get, list, create, delete, etc.) and resources
- Identify all accounts with cluster-admin or cluster-wide permissions and validate each against documented business justification and approval records
- Select a representative sample of 10-15 application namespaces spanning production, staging, and development environments for detailed permission review
- For each sampled namespace, map each RoleBinding to the user or service account's documented job function or application requirement, flagging permissions that exceed stated purpose
- Test actual permission enforcement by attempting unauthorized cross-namespace access using credentials from the sampled service accounts in a non-production environment, or with read-only simulation tools
- Review access recertification records from past 12 months to verify periodic review of namespace permissions by resource owners and removal of unused grants
- Trace recent permission changes through change control tickets and audit logs to confirm approval workflow and segregation of duties between requestor and approver
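The following script is an added example, not part of this control catalogue, showing how the export, inventory and review steps above can be mechanised over the output of kubectl, and how a correctly namespace-scoped Role/RoleBinding pair (the pattern the description calls for) differs from a cluster-wide grant. The RBAC objects embedded in it are constructed for illustration (namespaces "payments", "ci", "staging" and "test", and a trimmed-down "edit" ClusterRole are made up) and mirror the item shape of `kubectl get roles,rolebindings,clusterroles,clusterrolebindings --all-namespaces -o json`. It builds the per-subject permission inventory and flags the three patterns an auditor would chase: cluster-wide bindings that need documented justification, wildcard verbs or resources, and RoleBindings whose service-account subject lives in a different namespace than the binding.

```python
"""Inventory and least-privilege audit of a Kubernetes RBAC export (added example)."""
import json
from collections import defaultdict

WILDCARD = "*"

# Constructed sample export: one namespace-scoped Role/RoleBinding done right
# (payments-api may only read pods/configmaps in "payments"), one CI service
# account bound to cluster-admin cluster-wide, and one RoleBinding in "staging"
# whose subject is a service account from the "test" namespace.
RBAC_EXPORT = json.dumps({"items": [
    {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"],
                "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-reader-binding", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "app-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "payments-api", "namespace": "payments"}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}]},
    {"kind": "ClusterRole", "metadata": {"name": "edit"},  # simplified, not the real aggregate
     "rules": [{"apiGroups": ["", "apps"], "resources": ["pods", "deployments", "secrets"],
                "verbs": ["get", "list", "create", "update", "delete"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "staging-edit", "namespace": "staging"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "test-runner", "namespace": "test"}]},
]})


def subject_id(subject):
    """Stable identifier: 'ServiceAccount:<ns>/<name>' or '<Kind>:<name>'."""
    if subject.get("kind") == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def index_roles(items):
    """Index rules by (kind, namespace, name); ClusterRoles use an empty namespace."""
    roles = {}
    for item in items:
        if item["kind"] in ("Role", "ClusterRole"):
            ns = item["metadata"].get("namespace", "")
            roles[(item["kind"], ns, item["metadata"]["name"])] = item.get("rules", [])
    return roles


def resolve_rules(binding, roles):
    """Follow a binding's roleRef to the rules it grants (empty if the role is missing)."""
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole":
        return roles.get(("ClusterRole", "", ref["name"]), [])
    return roles.get(("Role", binding["metadata"].get("namespace", ""), ref["name"]), [])


def bindings(items):
    return [i for i in items if i["kind"] in ("RoleBinding", "ClusterRoleBinding")]


def inventory(export_json):
    """Per subject, the set of (scope, resource, verb) it effectively holds."""
    items = json.loads(export_json)["items"]
    roles = index_roles(items)
    inv = defaultdict(set)
    for b in bindings(items):
        # A RoleBinding grants within its own namespace even when it references a
        # ClusterRole; only a ClusterRoleBinding grants cluster-wide.
        scope = b["metadata"]["namespace"] if b["kind"] == "RoleBinding" else "<cluster>"
        for rule in resolve_rules(b, roles):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    for s in b.get("subjects", []):
                        inv[subject_id(s)].add((scope, resource, verb))
    return inv


def audit(export_json):
    """Flag cluster-wide grants, wildcard rules and cross-namespace RoleBindings."""
    items = json.loads(export_json)["items"]
    roles = index_roles(items)
    findings = []
    for b in bindings(items):
        name = b["metadata"]["name"]
        ns = b["metadata"].get("namespace", "")
        rules = resolve_rules(b, roles)
        wildcard = any(WILDCARD in r.get("verbs", []) or WILDCARD in r.get("resources", [])
                       for r in rules)
        for s in b.get("subjects", []):
            sid = subject_id(s)
            if b["kind"] == "ClusterRoleBinding":
                findings.append({"subject": sid, "binding": name,
                                 "issue": "cluster-wide grant; requires documented justification"})
            if wildcard:
                findings.append({"subject": sid, "binding": name,
                                 "issue": "wildcard verbs or resources"})
            if (b["kind"] == "RoleBinding" and s.get("kind") == "ServiceAccount"
                    and s.get("namespace") != ns):
                findings.append({"subject": sid, "binding": name,
                                 "issue": f"cross-namespace: subject from {s.get('namespace')} bound in {ns}"})
    return findings


if __name__ == "__main__":
    for subject, perms in sorted(inventory(RBAC_EXPORT).items()):
        print(f"{subject}: {len(perms)} (scope, resource, verb) grants")
    for f in audit(RBAC_EXPORT):
        print(f"[{f['binding']}] {f['subject']}: {f['issue']}")
```

Against a live cluster, replace RBAC_EXPORT with the output of `kubectl get roles,rolebindings,clusterroles,clusterrolebindings --all-namespaces -o json`; the inventory output is the artifact the second procedure step asks for, and each finding maps to a business-justification check in the third and fifth steps. For the enforcement test in the sixth step, `kubectl auth can-i <verb> <resource> -n <namespace> --as=system:serviceaccount:<ns>:<name>` answers the same question without using the service account's credentials or touching any resource.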
Where this control is tested