RBAC Audit Compliance for Kubernetes: Practical Enforcement and Verification


JR


Implement RBAC audits by enforcing policies with Kyverno, validating access controls, and maintaining audit trails to meet compliance requirements.

Auditors for ISO27001/SOC2 care about three things: least privilege, change tracking, and access reviewability. Here’s how to handle RBAC audits without burning your cluster:


Workflow for RBAC Audit Readiness

  1. Define policies: Restrict role bindings to groups, not users. Enforce verb/resource limits.
  2. Enforce automatically: Use Kyverno or OPA to block non-compliant changes.
  3. Audit access: Regularly review kubectl get rolebindings -o yaml and audit logs.
  4. Review exceptions: Maintain a documented allowlist for service accounts and admins.
  5. Document lineage: Tie RBAC rules to compliance controls (e.g., ISO27001 A.9.4.3).

Concrete Policy Example: Kyverno RoleBinding Restriction

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-rolebindings-to-groups
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-rolebinding-subjects
      match:
        any:
          - resources:
              kinds:
                - RoleBinding
                - ClusterRoleBinding
      # Documented exceptions carry an audit/exception annotation whose value
      # starts with "exception-"; bindings with it are skipped by this rule.
      # (Kyverno patterns use wildcards, not regular expressions.)
      exclude:
        any:
          - resources:
              annotations:
                audit/exception: "exception-?*"
      validate:
        message: "Subjects must be the approved Group, not individual Users."
        # A single-element list pattern is applied to every subject of the binding.
        pattern:
          subjects:
            - kind: Group
              apiGroup: rbac.authorization.k8s.io
              name: "compliance-approved-group"

Tradeoff: Strict group-only policies can break legacy apps relying on user-specific bindings. Use exceptions sparingly with time-bound annotations.
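Step 3 of the workflow (review the bindings) and the time-bound exceptions mentioned above can be scripted. The review script below is an added example, not code from the original post: it reads the JSON that kubectl get rolebindings,clusterrolebindings -A -o json emits, flags every binding with a non-Group subject, and then checks whether an audit/exception annotation covers it and is still valid. The annotation convention (exception-<ticket>, optionally followed by :YYYYMMDD as the expiry) is an assumption made here for the page's regex, the <cluster> namespace placeholder and the sample bindings are constructed, and the run_review function name is this example's own.

```python
"""Access review: flag RoleBindings/ClusterRoleBindings whose subjects are not
Groups, unless a still-valid audit/exception annotation covers them.

Input: the JSON emitted by
    kubectl get rolebindings,clusterrolebindings -A -o json
Annotation convention (assumed here, not defined by Kubernetes or Kyverno):
    audit/exception: "exception-<ticket>[:YYYYMMDD]"   (comma-separated entries)
"""
import json
import re
import sys
from datetime import date

EXCEPTION_RE = re.compile(r"^exception-(?P<ticket>[\w-]+)(?::(?P<exp>\d{8}))?$")


def parse_exceptions(value):
    """Return [(ticket, expiry date or None)]; raise ValueError on a malformed entry."""
    out = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = EXCEPTION_RE.match(entry)
        if not m:
            raise ValueError(f"malformed exception entry {entry!r}")
        exp = m.group("exp")
        expiry = date(int(exp[:4]), int(exp[4:6]), int(exp[6:])) if exp else None
        out.append((m.group("ticket"), expiry))
    return out


def review_bindings(items, today):
    """Return (binding, reason) findings for a list of binding objects."""
    findings = []
    for b in items:
        meta = b.get("metadata", {})
        # Cluster-scoped bindings have no namespace; "<cluster>" is a display placeholder.
        ref = f"{b['kind']}/{meta.get('namespace', '<cluster>')}/{meta['name']}"
        non_group = [s for s in b.get("subjects") or [] if s.get("kind") != "Group"]
        if not non_group:
            continue  # every subject is a Group: compliant
        value = (meta.get("annotations") or {}).get("audit/exception")
        if value is None:
            names = ", ".join(f"{s['kind']}:{s['name']}" for s in non_group)
            findings.append((ref, f"non-group subjects without exception: {names}"))
            continue
        try:
            exceptions = parse_exceptions(value)
        except ValueError as err:
            findings.append((ref, str(err)))
            continue
        for ticket, expiry in exceptions:
            if expiry is None:
                findings.append((ref, f"exception {ticket} is not time-bound"))
            elif expiry < today:
                findings.append((ref, f"exception {ticket} expired {expiry.isoformat()}"))
    return findings


def run_review(kubectl_json, today_iso):
    """Parse kubectl's JSON List and review it as of the given ISO date."""
    items = json.loads(kubectl_json)["items"]
    return review_bindings(items, date.fromisoformat(today_iso))


# Constructed sample standing in for real kubectl output.
SAMPLE_KUBECTL_JSON = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "RoleBinding", "metadata": {"name": "dev-readers", "namespace": "dev"},
     "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                   "name": "compliance-approved-group"}]},
    {"kind": "RoleBinding", "metadata": {"name": "alice-admin", "namespace": "dev"},
     "subjects": [{"kind": "User", "apiGroup": "rbac.authorization.k8s.io", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "legacy-ci",
     "annotations": {"audit/exception": "exception-sec-101:20251231"}},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "runner"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "old-batch",
     "annotations": {"audit/exception": "exception-sec-042:20230101"}},
     "subjects": [{"kind": "User", "apiGroup": "rbac.authorization.k8s.io", "name": "bob"}]},
    {"kind": "RoleBinding", "metadata": {"name": "bad-annotation", "namespace": "ops",
     "annotations": {"audit/exception": "ticket-7"}},
     "subjects": [{"kind": "User", "apiGroup": "rbac.authorization.k8s.io", "name": "carol"}]},
]})

if __name__ == "__main__":
    # Pipe real output in (kubectl get ... -o json | python3 review.py); otherwise use the sample.
    piped = sys.stdin.read() if not sys.stdin.isatty() else ""
    for ref, reason in run_review(piped.strip() or SAMPLE_KUBECTL_JSON, date.today().isoformat()):
        print(f"{ref}: {reason}")
```

Run it on a schedule and keep the output with the review date: a finding list that is empty, or that names only bindings with open, unexpired tickets, is exactly the reviewability evidence an auditor asks for.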


Tooling for Enforcement and Verification

  • Kyverno: Policy-as-code enforcement (see example above).
  • OPA/Gatekeeper: For complex regex-based access patterns.
  • kubeaudit: Scan clusters for common RBAC misconfigurations.
  • Falco: Detect anomalous access patterns in real-time.
  • Cluster Audit Logs: Enable via --audit-policy-file and forward to a SIEM.

Caveat: Tools add latency to admission workflows. Test in staging first.


Troubleshooting Common Failures

  • Symptom: “User lacks permissions” during audit review
    • Check: kubectl auth can-i --list --as=USER
    • Fix: Audit kubectl get rolebindings -n NAMESPACE for missing bindings.
  • Symptom: Kyverno blocks valid exception
    • Check: Annotation format in RoleBinding matches policy regex.
    • Fix: Use kubectl describe clusterpolicy to validate rule logic.
  • Symptom: Missing audit logs for role changes
    • Check: Audit policy file has a rule for group rbac.authorization.k8s.io covering roles and rolebindings (and the cluster-scoped kinds) with the verbs you need logged: a rule listing only verbs: ["get"] records reads, not changes, and since the first matching rule wins it must come before any catch-all.
    • Fix: Restart API server with updated --audit-policy-file.
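Because the apiserver applies the first matching rule and logs nothing for a request that matches no rule, "missing audit logs for role changes" is usually a policy-ordering or verb-coverage problem. The checker below is an added example, not code from the original post or from Kubernetes: it mirrors that first-match evaluation for resource requests (user, userGroups and namespaces selectors are deliberately ignored, a simplification) and reports which RBAC write verbs would be logged below a required level. The three policies are constructed for the example and written as JSON, which is also valid YAML for --audit-policy-file; WEAK reproduces the get-only rule from the troubleshooting item, SHADOWED puts a catch-all first, FIXED puts the specific rule first.

```python
"""Check whether a kube-apiserver audit policy would actually record RBAC changes.

kube-apiserver evaluates rules in order; the FIRST matching rule sets the level,
and a request that matches no rule is not logged at all. This mirrors that logic
for resource requests (user/userGroups/namespaces selectors are ignored here).
"""
import json

RBAC_GROUP = "rbac.authorization.k8s.io"
RBAC_RESOURCES = ("clusterrolebindings", "clusterroles", "rolebindings", "roles")
WRITE_VERBS = ("create", "delete", "patch", "update")
LEVELS = ("None", "Metadata", "Request", "RequestResponse")


def load_policy(text):
    """Parse a policy file given as JSON (JSON is also valid YAML for the apiserver)."""
    return json.loads(text)


def rule_matches(rule, verb, resource):
    """Does one audit rule apply to `verb` on an RBAC `resource`?"""
    if rule.get("nonResourceURLs"):
        return False  # such rules only match non-resource paths like /healthz
    verbs = rule.get("verbs")
    if verbs and verb not in verbs:
        return False
    groups = rule.get("resources")
    if not groups:
        return True  # no resource restriction: the rule matches every resource
    for gr in groups:
        if gr.get("group", "") != RBAC_GROUP:
            continue
        if not gr.get("resources") or resource in gr["resources"]:
            return True
    return False


def level_for(policy, verb, resource):
    """Audit level the apiserver would assign to this request under the policy."""
    for rule in policy.get("rules", []):
        if rule_matches(rule, verb, resource):
            return rule.get("level", "None")
    return "None"  # no rule matched: the request is not logged


def missing_coverage(policy, minimum="Metadata"):
    """(verb, resource) pairs of RBAC writes logged below `minimum` (or not at all)."""
    gaps = []
    for resource in RBAC_RESOURCES:
        for verb in WRITE_VERBS:
            if LEVELS.index(level_for(policy, verb, resource)) < LEVELS.index(minimum):
                gaps.append((verb, resource))
    return gaps


# Constructed policies. WEAK mirrors the troubleshooting item: only reads of roles.
WEAK_POLICY = json.dumps({"apiVersion": "audit.k8s.io/v1", "kind": "Policy", "rules": [
    {"level": "Metadata", "verbs": ["get"],
     "resources": [{"group": RBAC_GROUP, "resources": ["roles"]}]},
]})

# A catch-all placed FIRST shadows the specific rule: writes are logged, but only at Metadata.
SHADOWED_POLICY = json.dumps({"apiVersion": "audit.k8s.io/v1", "kind": "Policy", "rules": [
    {"level": "Metadata"},
    {"level": "RequestResponse", "verbs": list(WRITE_VERBS),
     "resources": [{"group": RBAC_GROUP, "resources": list(RBAC_RESOURCES)}]},
]})

# Specific rule first, then a catch-all so nothing falls through unlogged.
FIXED_POLICY = json.dumps({"apiVersion": "audit.k8s.io/v1", "kind": "Policy", "rules": [
    {"level": "RequestResponse", "verbs": list(WRITE_VERBS),
     "resources": [{"group": RBAC_GROUP, "resources": list(RBAC_RESOURCES)}]},
    {"level": "Metadata", "verbs": ["get", "list", "watch"],
     "resources": [{"group": RBAC_GROUP}]},
    {"level": "Metadata"},
]})

if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("shadowed", SHADOWED_POLICY), ("fixed", FIXED_POLICY)):
        gaps = missing_coverage(load_policy(text), minimum="RequestResponse")
        print(f"{name}: {len(gaps)} RBAC write combinations logged below RequestResponse")
```

RequestResponse is the level that keeps the submitted binding body, which is what lets a reviewer see which subject was added rather than only that something changed; Metadata alone satisfies "a log line exists" but not change tracking.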

Final Notes

RBAC compliance isn’t about perfect policies—it’s about demonstrable control. Document exceptions, automate enforcement, and assume auditors will test every edge case. If you’re using OpenShift, leverage its built-in compliance profiles and audit logging integrations. Burn the cluster only if all else fails.

Source thread: How do you handle K8s RBAC audits for compliance? (ISO27001/SOC2)
