Audit Kubernetes RBAC Roles with Claude
Extract Kubernetes cluster roles and use Claude to identify overly permissive grants or wildcard security risks.
Setup
- → kubectl configured with cluster-admin access
- → claude CLI installed and authenticated
Cost per run
Claude API token costs (varies by cluster size)
The one-liner
$ kubectl get clusterroles,roles -A -o yaml | claude -p "Audit this Kubernetes RBAC configuration. Flag any overly permissive roles, wildcard permissions ('*'), or privilege escalation risks. Output a concise markdown security report."What each stage does
- [01] kubectl
kubectl get clusterroles,roles -A -o yamlFetches all ClusterRoles and namespace-scoped Roles across the entire cluster in YAML format. - [02] claude
| claude -pPipes the raw YAML output into the Claude CLI tool, using the prompt flag to define the analysis task. - [03] claude
"Audit this Kubernetes RBAC configuration... output a concise markdown security …Instructs the LLM to specifically look for wildcard permissions, privilege escalation risks, and format the findings as markdown.
Expected output (sample)
# Kubernetes RBAC Security Audit ⚠️ **CRITICAL RISKS DETECTED** - Wildcard permissions: Role `dev-full-access` in `default` has `resources: ["*"]`. - Privilege escalation: `edit-secrets` role allows reading all cluster secrets. **Recommendations:** 1. Scope down `dev-full-access` to specific resources. 2. Restrict secret access to specific service accounts.
Caveats & tips
- Footgun: Sending full RBAC configurations to an external LLM API exposes infrastructure details; ensure compliance with your organization's data policies.
- Cost: Large clusters will generate massive YAML payloads, consuming significant input tokens and potentially costing several dollars per run.