[Infrastructure] Tighten RBAC cluster roles & DaemonSet security context #412
Status: Open
Labels: P0-critical (Security & data loss risk), audit-2026-03 (From March 2026 codebase audit), security (Security vulnerability or hardening), service:infrastructure (5stackgg/5stack-panel infrastructure)
Description
Summary
Kubernetes RBAC permissions and DaemonSet security contexts need to follow the least-privilege principle.
Tasks
- Scope cluster role permissions to minimum required resources and verbs
- Review and restrict DaemonSet security context settings
- Remove unnecessary host-level access
- Document why each permission is needed
Impact
Overly broad permissions increase blast radius if any pod is compromised.
Details
Full details in internal audit document. Finding IDs: CRIT-INFRA-01, CRIT-INFRA-02
Related Issues (Security Hardening Pattern)
- #412 — [Infrastructure] Tighten RBAC & DaemonSet security
- #413 — [Infrastructure] Network policies & Vault scoping
- #409 — [Connector] Improve offline match authentication
- #372 — [API] Strengthen request authentication
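As an added example (not 5stack-panel code, and not the project's actual manifests): a small Python audit that checks a ClusterRole and a DaemonSet pod spec against the four tasks above. It embeds a constructed "before" pair (wildcard ClusterRole, privileged DaemonSet with hostPID/hostNetwork and a `/` hostPath) beside an enumerated, host-free "after" pair. The manifest name `example-node-agent`, the image, and the specific resources the scoped role grants are assumptions chosen for illustration.

```python
"""Least-privilege audit for a ClusterRole and a DaemonSet pod spec.

Added example, not 5stack-panel code. The manifests are constructed
illustrations; the name "example-node-agent" and the image are assumptions.
"""
from typing import Any

# Constructed "before": wildcard ClusterRole plus a privileged, host-attached DaemonSet.
BROAD_CLUSTER_ROLE: dict[str, Any] = {
    "kind": "ClusterRole", "metadata": {"name": "example-node-agent"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
PRIVILEGED_DAEMONSET: dict[str, Any] = {
    "kind": "DaemonSet", "metadata": {"name": "example-node-agent"},
    "spec": {"template": {"spec": {
        "hostPID": True, "hostNetwork": True,
        "containers": [{"name": "agent", "image": "example/agent:1.0",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    }}},
}

# Constructed "after": every verb and resource enumerated, no host namespaces, no hostPath.
SCOPED_CLUSTER_ROLE: dict[str, Any] = {
    "kind": "ClusterRole", "metadata": {"name": "example-node-agent"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]},
    ],
}
HARDENED_DAEMONSET: dict[str, Any] = {
    "kind": "DaemonSet", "metadata": {"name": "example-node-agent"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "agent", "image": "example/agent:1.0",
                        "securityContext": {
                            "privileged": False, "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}}}],
        "volumes": [{"name": "scratch", "emptyDir": {}}],
    }}},
}

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Resources where even read access, or any write access, amounts to cluster takeover.
SENSITIVE = {"secrets", "clusterroles", "clusterrolebindings", "roles", "rolebindings",
             "pods/exec", "pods/attach", "nodes/proxy", "serviceaccounts/token"}


def audit_cluster_role(role: dict[str, Any]) -> list[str]:
    """Return one finding per rule that exceeds an enumerated, read-mostly grant."""
    findings: list[str] = []
    for i, rule in enumerate(role.get("rules", [])):
        groups, resources = set(rule.get("apiGroups", [])), set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups | resources | verbs:
            findings.append(f"rule {i}: wildcard in apiGroups/resources/verbs")
            continue
        if resources & SENSITIVE:
            findings.append(f"rule {i}: grants {sorted(resources & SENSITIVE)}")
        if verbs & WRITE_VERBS:
            findings.append(f"rule {i}: write verbs {sorted(verbs & WRITE_VERBS)} on {sorted(resources)}")
        if verbs & {"bind", "escalate", "impersonate"}:
            findings.append(f"rule {i}: privilege-escalation verbs")
    return findings


def audit_daemonset(ds: dict[str, Any]) -> list[str]:
    """Return one finding per host-level access or missing container hardening setting."""
    pod = ds["spec"]["template"]["spec"]
    findings = [f"pod: {flag}=true" for flag in ("hostPID", "hostNetwork", "hostIPC") if pod.get(flag)]
    findings += [f"volume {v['name']}: hostPath {v['hostPath']['path']}"
                 for v in pod.get("volumes", []) if "hostPath" in v]
    pod_sc = pod.get("securityContext", {})
    for c in pod.get("containers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged"):
            findings.append(f"container {name}: privileged")
        if sc.get("allowPrivilegeEscalation", True):  # the API default is true
            findings.append(f"container {name}: allowPrivilegeEscalation not disabled")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"container {name}: may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"container {name}: writable root filesystem")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"container {name}: capabilities not dropped")
    return findings


if __name__ == "__main__":
    for label, role, ds in (("before", BROAD_CLUSTER_ROLE, PRIVILEGED_DAEMONSET),
                            ("after", SCOPED_CLUSTER_ROLE, HARDENED_DAEMONSET)):
        print(label, audit_cluster_role(role) + audit_daemonset(ds))
```

The scoped role is also the place to satisfy the "document why each permission is needed" task: each enumerated rule should carry a comment naming the code path that calls it, so a future reviewer can drop the rule when the call goes away. In CI the same functions can be run over rendered manifests (for example the JSON from `kubectl get clusterrole,daemonset -o json`) so that a wildcard or a reintroduced hostPath fails the build rather than surfacing in the next audit.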
Project status: In progress