Problem: Three-step escalation: 1) A compromised pod used its mounted ServiceAccount token, whose ClusterRole allowed 'get secrets' in every namespace. 2) With that it read a second ServiceAccount token, stored as a Secret, that was bound to cluster-admin. 3) Pod Security Admission was in warn mode only, so a privileged pod that mounted the node filesystem was logged but still admitted, and from there the cloud provider metadata credentials were read.
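The three preconditions above, written out as the manifests that produce them. This is an added illustration, not the organisation's actual configuration; the names app-reader, ci-worker, ops-admin and the namespace payments are assumed.

```yaml
# Added illustration of the pre-incident state (assumed names, not the real cluster).
# 1) A ClusterRole granting Secret reads cluster-wide, bound to a workload ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-reader              # assumed name
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]      # every Secret in every namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: app-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: app-reader
subjects:
  - kind: ServiceAccount
    name: ci-worker             # assumed; the compromised pod ran as this account
    namespace: payments
---
# 2) A second ServiceAccount bound to cluster-admin. Its token, stored as a
#    kubernetes.io/service-account-token Secret, is readable by the account above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ops-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: ops-admin             # assumed name
    namespace: kube-system
---
# 3) Pod Security Admission in warn mode only: a privileged pod with a hostPath
#    mount of the node filesystem produces a warning in the API response, but is admitted.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/warn: restricted
    # no pod-security.kubernetes.io/enforce label, so nothing is rejected
```

Quick check for the first precondition on a live cluster: `kubectl auth can-i get secrets --all-namespaces --as=system:serviceaccount:payments:ci-worker` should answer `no` for a workload account; `yes` means the cluster-wide read path exists.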
Solution: Pod Security Admission switched to enforce=restricted in every non-system namespace. The over-permissive ClusterRole and ServiceAccount replaced with a namespaced, minimum-permission account. OPA Gatekeeper constraint added that rejects any RoleBinding or ClusterRoleBinding to cluster-admin unless it carries a specific annotation, and that annotation is what triggers the mandatory review. kube-bench added as a weekly CI pipeline job.
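The remediated state as manifests, covering the three controls in the solution: the least-privilege Role, the namespace enforcing the restricted profile, and the Gatekeeper policy on cluster-admin bindings. This is an added example, not the organisation's own manifests; the names ci-worker, payments, ci-worker-db-creds and the annotation key rbac.example.com/review-ticket are assumed.

```yaml
# Added illustration of the remediated state (assumed names, not the organisation's manifests).
# Least-privilege replacement: a namespaced Role limited to the one Secret the workload needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci-worker
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ci-worker-db-creds"]   # assumed Secret name; get by name only, no list
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-worker
  namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ci-worker
subjects:
  - kind: ServiceAccount
    name: ci-worker
    namespace: payments
---
# Pod Security Admission: enforce restricted, so a privileged hostPath pod is rejected rather than warned about.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Gatekeeper: deny any binding to cluster-admin that lacks the review annotation.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sclusteradminbindingreview
spec:
  crd:
    spec:
      names:
        kind: K8sClusterAdminBindingReview
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sclusteradminbindingreview

        # A RoleBinding may also reference the cluster-admin ClusterRole, so both kinds are matched below.
        violation[{"msg": msg}] {
          obj := input.review.object
          obj.roleRef.kind == "ClusterRole"
          obj.roleRef.name == "cluster-admin"
          # assumed annotation key; missing or empty value means no review happened
          not obj.metadata.annotations["rbac.example.com/review-ticket"]
          msg := sprintf("%s/%s binds cluster-admin without rbac.example.com/review-ticket", [obj.kind, obj.metadata.name])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sClusterAdminBindingReview
metadata:
  name: cluster-admin-requires-review
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRoleBinding", "RoleBinding"]
```

Two caveats worth keeping in mind. The Role above uses resourceNames, which only constrains get by name; granting list would let the account enumerate every Secret in the namespace again. And the Gatekeeper constraint only sees bindings created after it is installed, so existing cluster-admin bindings should be audited separately (for example with kubectl get clusterrolebindings -o json filtered on roleRef.name) before treating the control as complete.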
Technology: Kubernetes · OPA Gatekeeper · kube-bench · Falco · Burp Suite
Optimisation pattern: organic-rbac-to-least-privilege-with-admission-policy-enforcement
Outcomes:
Escalation path verified closed by re-test. SOC 2 Type II audit passed — no K8s findings. kube-bench score: 47% → 89%. RBAC review process formalised — minimum-permission justification required per PR.