Sign in Subscribe
Concepts

Kubectl separation of duties

Andrios Robert

1 min read

**Kubectl separation of duties** is the disciplined control of who can run which commands, on what resources, and in which namespaces. In Kubernetes, kubectl is the primary control interface. Without strict access boundaries, a single compromised account or careless command can cripple workloads.

The core principle is that no single user should have complete cluster control outside of their defined role. This means dividing privileges between operators, developers, SREs, and security teams. A developer may need kubectl get pods in a staging namespace, but not kubectl delete in production. An SRE may need kubectl logs and kubectl describe for all clusters, but not kubectl exec into sensitive workloads.

Kubernetes Role-Based Access Control (RBAC) is the primary mechanism to enforce this. With RBAC, you define Roles or ClusterRoles that list the exact verbs, API groups, and resources allowed. Then you bind those roles to specific users or service accounts. Critical patterns include:

  • Namespace isolation: Limit role bindings to the namespace required for the task.
  • Verb restriction: Use the narrowest set of verbs (get, list, watch) and avoid destructive ones (delete, patch, update) unless required.
  • Cluster admin minimization: Reserve cluster-admin for the smallest possible group, with heavy auditing.
  • Ephemeral elevation: Grant temporary access for high-risk actions, then revoke immediately.

Separation of duties must integrate with auditing and observability. Enable API server audit logs to track every kubectl call. Send logs to a central, immutable store. Require MFA for accounts with elevated access. Rotate kubeconfig credentials and revoke stale ones.

A misconfigured kubectl policy is a silent risk. A well-implemented separation of duties model reduces the blast radius of accidents and intrusions. It demands continuous review in step with changes to teams and workloads.

Secure your kubectl access controls now, before the next 2 a.m. outage drags on. See how hoop.dev can enforce separation of duties and get you running in minutes—try it live today.