
How I Built a Production-Grade Kubernetes RBAC Setup — And Broke It On Purpose
Most RBAC tutorials show you how to apply a Role and run kubectl auth can-i. Then they call it done. That never sat right with me. In production, your workload doesn't authenticate using your kubeconfig. It authenticates using a ServiceAccount token mounted inside the pod. So if you've never tested RBAC from inside a running container, you haven't actually tested RBAC.

This project fixes that. I built a minimal but realistic RBAC setup for an observability tool, validated it from inside a live deployment, and then intentionally broke it to understand what failure actually looks like at the API server level.

The full source is here: github.com/adil-khan-723/K8s-RBAC

The Setup

Everything lives inside a dedicated observability namespace. The workload — a test deployment — runs under a purpose-built ServiceAccount called log-reader-sa. A namespace-scoped Role defines exactly what that identity is allowed to do. A RoleBinding connects the two.

observability (namespace)
│
├── log-reader-sa
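This is the kind of in-pod check the post is arguing for, written as an added example rather than code from the K8s-RBAC repository: it uses only the token, CA bundle and namespace file that Kubernetes mounts into the pod, and the paths it probes assume a Role that grants read access to pods (plus pods/log) in the observability namespace and nothing else.

```shell
#!/bin/sh
# Added example (not the project's own code). Run it from INSIDE the pod,
# e.g. `kubectl exec -it <pod> -- sh`, so the request is authenticated with
# the mounted ServiceAccount token rather than your kubeconfig. The mount
# paths are the standard projected-token locations; the resource list is an
# assumption about what the log-reader Role does and does not grant.
set -eu

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
TOKEN_FILE="$SA_DIR/token"
CA_FILE="$SA_DIR/ca.crt"
NS_FILE="$SA_DIR/namespace"

# Map an API-server HTTP status to what it means for the identity under test:
#   200 -> a Role/RoleBinding grants this verb on this resource
#   403 -> authenticated as the ServiceAccount, but nothing authorizes the call
#   401 -> the token itself was rejected (expired, wrong audience, SA deleted)
interpret_code() {
  case "$1" in
    200) echo allowed ;;
    403) echo forbidden ;;
    401) echo unauthenticated ;;
    *)   echo "unexpected:$1" ;;
  esac
}

# One authenticated GET against the in-cluster API server; prints
# "<path> <verdict>" using only the mounted credentials.
probe() {
  path="$1"
  code=$(curl -s -o /dev/null -w '%{http_code}' \
    --cacert "$CA_FILE" \
    -H "Authorization: Bearer $(cat "$TOKEN_FILE")" \
    "https://kubernetes.default.svc$path")
  echo "$path $(interpret_code "$code")"
}

check_in_pod() {
  ns=$(cat "$NS_FILE")
  # Expected "allowed": listing pods in the pod's own namespace.
  probe "/api/v1/namespaces/$ns/pods"
  # Expected "forbidden": resources and namespaces the Role never mentions.
  probe "/api/v1/namespaces/$ns/secrets"
  probe "/api/v1/namespaces/kube-system/pods"
}

# Only run the live probes when the ServiceAccount mount is present.
if [ -r "$TOKEN_FILE" ]; then
  check_in_pod
fi
```

Deleting the RoleBinding and re-running the script is the "break it on purpose" step: the first probe flips from allowed to forbidden while the token itself is still accepted, which is the difference between an authorization failure (403) and an authentication failure (401).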
Continue reading on Dev.to DevOps


