Spot, Audit, and Lock Down Your Kubectl Non-Human Identities
The cluster was quiet, but kubectl was not. A single command fired off by a non-human identity could spin up pods, change configs, or bring the system down. In Kubernetes, these machine-to-machine actors are as powerful and dangerous as human admins—and often less visible.
Kubectl non-human identities are service accounts, automation tokens, CI/CD pipelines, or bots that interact with the cluster without human intervention. They run deployments, apply manifests, and patch resources on schedule or in response to events. If they are over-permissioned or misconfigured, they become a silent attack vector.
Granting a non-human identity cluster-admin rights is common, fast, and almost always a mistake. The principle of least privilege applies here more than anywhere else. Service accounts should have tightly scoped RBAC roles, limited to specific namespaces and API groups. Rotate their tokens. Monitor their activity. Expire credentials aggressively.
Auditing them is not optional. Use kubectl get serviceaccounts --all-namespaces to list them. Tie each to a known system or pipeline. Remove any that no longer have a clear owner. Review kubectl auth can-i for each account to see exactly what operations it can perform. In production, every extra verb or resource granted is another surface for compromise.
Logging matters. Aggregate API server audit logs. Tag every request with the identity that made it. Build alerts for unusual patterns—like a CI service account suddenly creating new cluster roles. Non-human identities act fast, and if one is hijacked, the damage spreads just as fast.
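As an added example (not code from the original post or from hoop.dev), here is a small Python detector for exactly the pattern described above: a service-account identity writing RBAC objects. It runs over constructed audit-log lines in the audit.k8s.io/v1 event shape the API server emits; the sample events and their service-account names are made up for the demonstration.

```python
import json

# Constructed sample events (not from any real cluster), shaped like audit.k8s.io/v1
# records; they are dumped to JSON lines below so the detector parses real log text.
_SAMPLE_EVENTS = [
    ("ResponseComplete", "create", "system:serviceaccount:ci:deployer", "apps", "deployments", "web", 201),
    ("ResponseComplete", "create", "system:serviceaccount:ci:deployer", "rbac.authorization.k8s.io", "clusterroles", "ci-escalated", 201),
    ("ResponseComplete", "create", "system:serviceaccount:ci:deployer", "rbac.authorization.k8s.io", "clusterrolebindings", "ci-admin", 403),
    ("ResponseStarted", "create", "system:serviceaccount:ci:deployer", "rbac.authorization.k8s.io", "clusterroles", "ci-escalated", 201),
    ("ResponseComplete", "get", "system:serviceaccount:monitoring:scraper", "rbac.authorization.k8s.io", "clusterroles", "view", 200),
    ("ResponseComplete", "create", "alice@example.com", "rbac.authorization.k8s.io", "clusterrolebindings", "ops", 201),
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps({
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage, "verb": verb,
    "user": {"username": user}, "objectRef": {"apiGroup": group, "resource": res, "name": name},
    "responseStatus": {"code": code},
}) for stage, verb, user, group, res, name, code in _SAMPLE_EVENTS)

SA_PREFIX = "system:serviceaccount:"
RBAC_GROUP = "rbac.authorization.k8s.io"
RBAC_RESOURCES = {"clusterroles", "clusterrolebindings", "roles", "rolebindings"}
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def detect_sa_rbac_mutations(audit_log_text):
    """One alert per service-account request that writes an RBAC object. Only ResponseComplete
    events count, so a request logged at several stages raises a single alert. Denied (403)
    attempts are kept and marked: an automation token probing for RBAC writes is itself a signal."""
    alerts = []
    for line in filter(None, audit_log_text.splitlines()):
        ev = json.loads(line)
        user = ev.get("user", {}).get("username", "")
        ref = ev.get("objectRef") or {}
        # Human users need their own review; this detector covers machine identities only.
        if ev.get("stage") != "ResponseComplete" or not user.startswith(SA_PREFIX):
            continue
        if ref.get("apiGroup") != RBAC_GROUP or ref.get("resource") not in RBAC_RESOURCES:
            continue
        if ev.get("verb") not in MUTATING_VERBS:
            continue
        code = ev.get("responseStatus", {}).get("code", 0)
        _, _, sa_namespace, sa_name = user.split(":", 3)  # system:serviceaccount:<ns>:<name>
        alerts.append({
            "identity": user, "sa_namespace": sa_namespace, "sa_name": sa_name,
            "verb": ev["verb"], "target": f"{ref['resource']}/{ref.get('name', '?')}",
            "outcome": "succeeded" if 200 <= code < 300 else "denied" if code == 403 else f"http-{code}",
        })
    return alerts
```

On the sample data this raises two alerts for the ci/deployer account (one successful cluster role creation, one denied cluster role binding) and nothing for the read-only scraper or the human user; a baseline of which service accounts are expected to touch RBAC at all is the natural next filter.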
Secure cluster configuration should treat kubectl non-human identities as first-class citizens in policy and compliance frameworks. They need lifecycle management, access reviews, and isolation, just like developer accounts.
Kubernetes will keep growing in complexity. The best defense is a clear, enforced map of who—or what—controls it. Every invisible account is a risk until proven safe.
See how you can spot, audit, and lock down your kubectl non-human identities in minutes with hoop.dev.