All posts
June 18, 20264 min read

Non-human identity: what it means for your access reviews (on Kubernetes)

Static service accounts give attackers a free pass to your clusters, and they make access reviews meaningless. Most teams start with a handful of long‑lived Kubernetes service accounts. Those accounts are granted broad cluster admin or edit roles so engineers can get jobs done without asking for new permissions every time. The convenience hides a dangerous reality: the same token is used by CI pipelines, automation bots, and occasionally by developers who copy‑paste credentials for ad‑hoc debug

Free White Paper

Non-Human Identity Management + Access Reviews & Recertification: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Static service accounts give attackers a free pass to your clusters, and they make access reviews meaningless.

Most teams start with a handful of long‑lived Kubernetes service accounts. Those accounts are granted broad cluster admin or edit roles so engineers can get jobs done without asking for new permissions every time. The convenience hides a dangerous reality: the same token is used by CI pipelines, automation bots, and occasionally by developers who copy‑paste credentials for ad‑hoc debugging. Because the token never changes, a breach of any one system instantly compromises every workload that trusts that service account. Auditors quickly notice the mismatch between the number of automated jobs and the sparse list of human users in the access‑review reports.

When a breach occurs, the review process offers little insight. The token’s owner field often reads service‑account without a clear link to a business owner. Reviewers must guess which pipeline or bot used the credential, and they cannot tell whether a particular command was issued by a legitimate CI run or an attacker who stole the secret. The result is a noisy, ineffective access‑review cycle that fails to surface real risk.

Why access reviews break with non‑human identities

Moving to non‑human identities, OIDC tokens issued for CI jobs, GitHub Actions, or automated scripts, addresses the credential‑rotation problem. Each pipeline can request a short‑lived token that expires after a few minutes, and the token inherits the service‑account’s RBAC bindings. On paper this looks like a win: secrets are no longer static, and the identity provider can enforce who is allowed to request a token.

However, the token is still presented directly to the Kubernetes API server. The API server validates the token, checks the RBAC policy, and then executes the request. No component in the data path records the exact command, no inline guardrail can redact sensitive fields from a pod‑spec, and no workflow can pause a dangerous operation for a human to approve. In other words, the precondition of “non‑human identity” fixes credential freshness but leaves the request path completely open. Access‑review tools that only look at RBAC bindings still see a static mapping between a service account and a set of permissions, not the dynamic context of who actually invoked the request, when, and for what purpose.

How hoop.dev secures the data path

hoop.dev inserts a Layer 7 gateway between the identity provider and the Kubernetes API server. The gateway becomes the sole point where every request is inspected, recorded, and optionally gated. Because hoop.dev sits in the data path, it can enforce the outcomes that access‑review processes need:

  • Session recording: hoop.dev captures each API call, the full request payload, and the response, and makes the logs available for later review.
  • Inline masking: when a pod spec contains secrets or credentials, hoop.dev can redact those fields before they reach the API server, ensuring that logs never expose sensitive data.
  • Just‑in‑time approval: risky verbs such as delete or scale can be routed to an approval workflow. A human reviewer must approve the operation before hoop.dev forwards it.
  • Command‑level blocking: patterns that match known destructive actions are blocked outright, preventing accidental or malicious damage.
  • Identity‑aware policy: hoop.dev reads the OIDC token, maps it to a business owner, and annotates the audit entry, turning anonymous service‑account activity into accountable actions.

All of these enforcement outcomes exist only because hoop.dev occupies the data path. The setup phase, creating OIDC clients, defining service‑account roles, and provisioning the gateway, decides who may start a request, but it does not enforce any of the above controls. Without hoop.dev, the request would travel straight to the API server, and none of the audit, masking, or approval capabilities would be present.

Continue reading? Get the full guide.

Non-Human Identity Management + Access Reviews & Recertification: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Practical steps for teams

1. Identify every automation pipeline that talks to Kubernetes. Replace any hard‑coded kubeconfig files with short‑lived OIDC tokens issued by your identity provider.

2. Deploy hoop.dev in the same network segment as your API server. The gateway runs as a container or a pod and requires only a single OIDC client configuration to verify incoming tokens.

3. Define policies that map token attributes (group, audience, or custom claim) to the enforcement actions you need for access reviews. For example, require approval for any delete on a production namespace.

4. Point your CI jobs, kubectl users, and automation scripts to the hoop.dev endpoint instead of the raw API server. From the client’s perspective nothing changes, standard kubectl or client libraries still work, but every request now passes through the gateway.

5. Use the recorded sessions to enrich your quarterly access‑review reports. Instead of a static list of service accounts, reviewers see who actually performed each operation, when it happened, and whether it required approval.

Getting started

For a quick deployment, follow the getting started guide. The documentation walks you through configuring OIDC, registering a Kubernetes connection, and writing your first policy. The broader feature set, including masking, approval workflows, and session replay, is covered in the learn section.

FAQ

Q: Does hoop.dev replace Kubernetes RBAC?
A: No. hoop.dev works alongside RBAC. It validates the token, then applies additional guardrails before the request reaches the API server.

Q: Will existing CI pipelines need code changes?
A: Only the endpoint they target changes. Because hoop.dev speaks the same Kubernetes protocol, no code modifications are required.

Q: How long are the audit records kept?
A: Retention is configurable in the gateway’s storage backend. Teams can align it with their compliance windows.

Next steps

Explore the source, contribute improvements, or spin up your own instance on GitHub: hoop.dev repository. By placing enforcement where it belongs, in the data path, you turn opaque service‑account activity into transparent, accountable actions that make access reviews truly effective.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot