Sign in Subscribe
Concepts

Kubectl row-level security in Kubernetes

Andrios Robert

1 min read

The cluster waits. You run kubectl and the data you see is everything. Too much. Every row from every namespace. No guardrails between you and the full payload.

Row-level security changes that. It enforces fine-grained access inside Kubernetes workloads. Instead of giving broad read permissions, you define exactly which rows of a dataset each request can see. This is not about API-level RBAC. This is about securing the data after it leaves the API server, before it hits the user.

When you query through kubectl, row-level security ensures you only get the subset allowed by policy. For example, in a Postgres-backed service running inside your cluster, you can use PostgreSQL Row Level Security (RLS) to restrict visible rows based on Kubernetes identity. Tie the database policy to Kubernetes ServiceAccounts or JWT claims from an OIDC provider. The query returns only permitted rows, even if your kubeconfig still lets you hit the endpoint.

The workflow can be layered:

  • RBAC in Kubernetes gates namespace and resource access.
  • Admission controllers enforce constraints before workloads execute.
  • Row-level security in the backing store enforces rules at the data layer.

With kubectl port-forward or custom CLI plugins, engineers can access services directly, bypassing application-level APIs. Row-level security closes that gap. It prevents accidental or malicious reads from internal endpoints exposed via kubectl.

Implementing this requires alignment between cluster policy and database policy. You must:

  1. Map Kubernetes identities to database roles.
  2. Define RLS policies for sensitive tables.
  3. Test end-to-end by issuing queries via kubectl into the target pod.

This pattern works beyond databases. Any service that lets you filter or authorize responses can implement row-level checks keyed to the Kubernetes user or group. For auditing, log every filtered request to confirm that kubectl accesses respect row-level boundaries.

Kubectl row-level security is a necessary control in modern clusters where multiple teams share resources. It ensures that operational convenience does not override least privilege. It gives you confidence that every row returned is one the requester is allowed to see.

See how this works in action. Try hoop.dev and enforce kubectl row-level security in your own environment in minutes.