Overview:
Led a production-grade security governance project by integrating Kyverno to enforce policies and harden namespace-level access for application teams on Kubernetes. Audited and remediated existing RBAC roles, ensuring least-privilege access principles were followed.

Architecture Highlights

  • Multi-tenant Kubernetes cluster with dedicated namespaces per application team (e.g., dev-team, qa-team, prod).

  • Centralized Jenkins pipeline used for CI/CD across all environments, with context-based cluster access and namespace-scoped deployment.

  • Namespace-bound permissions enforced to prevent horizontal access across teams.

RBAC Audit & Remediation

  • Performed a complete audit of existing ClusterRoles and RoleBindings using:

    • kubectl get clusterrolebinding

    • kubectl get rolebinding --all-namespaces

    • Custom scripts with kubectl auth can-i to test effective permissions.

  • Identified over-privileged users and service accounts, including:

    • Cluster-wide edit roles granted to namespace-specific users.

    • Insecure * permissions on verbs/resources not required by pipelines or workloads.

  • Remediation Actions:

    • Replaced ClusterRoleBindings with scoped RoleBindings per namespace.

    • Created custom Roles with only get, list, watch, and patch as needed.

    • Segregated service accounts for Jenkins jobs and restricted them to deployment-only roles.
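As an added example (not code from the project described above), this Python script applies the audit and remediation checks listed above to the JSON that `kubectl get clusterroles,clusterrolebindings -o json` produces: it flags ClusterRoleBindings that grant the broad built-in roles or any ClusterRole with `*` rules, and builds the namespaced RoleBinding that replaces such a grant. The embedded export, the role names (pipeline-role, deploy-only) and the subject names are constructed for the example.

```python
BROAD_ROLES = {"cluster-admin", "admin", "edit"}  # broad built-ins; acceptable only via namespaced RoleBindings

# Constructed sample in the shape of `kubectl get clusterroles,clusterrolebindings -o json`.
SAMPLE = {"items": [
    {"kind": "ClusterRole", "metadata": {"name": "pipeline-role"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "deploy-only"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "patch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-team-edit"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"}, "subjects": [{"kind": "User", "name": "dev-alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "jenkins-wild"},
     "roleRef": {"kind": "ClusterRole", "name": "pipeline-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "jenkins", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "jenkins-deploy"},
     "roleRef": {"kind": "ClusterRole", "name": "deploy-only"},
     "subjects": [{"kind": "ServiceAccount", "name": "jenkins", "namespace": "ci"}]},
]}

def wildcard_roles(items):
    """Names of ClusterRoles with '*' in apiGroups, resources or verbs of any rule."""
    return {it["metadata"]["name"] for it in items if it["kind"] == "ClusterRole"
            and any("*" in rule.get(k, []) for rule in it.get("rules", [])
                    for k in ("apiGroups", "resources", "verbs"))}

def audit(doc):
    """(binding, subject, reason) for each cluster-wide grant of a broad or wildcard role.
    system:* bindings belong to control-plane components and are reviewed separately."""
    items, findings = doc["items"], []
    wild = wildcard_roles(items)
    for it in items:
        if it["kind"] != "ClusterRoleBinding" or it["metadata"]["name"].startswith("system:"):
            continue
        role = it["roleRef"]["name"]
        reason = (f"cluster-wide {role}" if role in BROAD_ROLES
                  else f"wildcard rules in {role}" if role in wild else None)
        for s in (it.get("subjects", []) if reason else []):
            ns = s.get("namespace")  # set for ServiceAccount subjects only
            findings.append((it["metadata"]["name"], f"{s['kind']}:{ns + '/' if ns else ''}{s['name']}", reason))
    return findings

def scoped_binding(name, subject, cluster_role, namespace):
    """Remediation: a namespaced RoleBinding that reuses the ClusterRole but only inside `namespace`."""
    if subject["kind"] != "ServiceAccount":  # User/Group subjects carry the RBAC apiGroup
        subject = dict(subject, apiGroup="rbac.authorization.k8s.io")
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": name, "namespace": namespace}, "subjects": [subject],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": cluster_role}}
```

On a live cluster, feed `audit()` the parsed output of the kubectl export (for example `audit(json.load(open("rbac.json")))`) and confirm each remediated grant with `kubectl auth can-i --as=<subject> -n <namespace>`.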

Kyverno Policy Enforcement

  • Integrated Kyverno as a Kubernetes admission controller to enforce security and compliance rules at runtime.