30 Days of DevOps · Day 13 of 30

Day 13: Kubernetes

RBAC — ServiceAccounts, Roles, and the Principle of Least Privilege

Every Pod since Day 5 has been running as the default ServiceAccount with an automounted API token nobody asked for. That token is a credential — and if the webapp container ever gets compromised, the attacker now has it. Fix the leak with two ServiceAccounts: one for the workload (no token at all), one for the observer (a tightly scoped Role). Commit both into the chart, sync via Argo CD, and verify every permission with kubectl auth can-i.
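The two-ServiceAccount split described above, written out as an added example (not the course's own chart): the namespace `webapp`, the names `webapp` and `observer`, and the image are assumptions, and the manifests are meant to be applied with `kubectl apply -n webapp -f`.

```yaml
# Added example, not the course's own chart; apply with: kubectl apply -n webapp -f rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webapp
# The workload never calls the API server, so no token is mounted into its Pods.
automountServiceAccountToken: false
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: observer
---
# Namespaced Role: read-only on Pods and their logs, nothing cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: observer
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: observer
subjects:
  - kind: ServiceAccount
    name: observer
    namespace: webapp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: observer
---
# Workload Pod (the same fields go in a Deployment's pod template). Repeating the
# flag here keeps the token out even if the ServiceAccount default is flipped later.
apiVersion: v1
kind: Pod
metadata:
  name: webapp
spec:
  serviceAccountName: webapp
  automountServiceAccountToken: false
  containers:
    - name: webapp
      image: example/webapp:1.0  # placeholder image
```

Check the result with `kubectl auth can-i list pods -n webapp --as=system:serviceaccount:webapp:observer` (expect yes), `kubectl auth can-i delete pods -n webapp --as=system:serviceaccount:webapp:observer` (expect no), and `kubectl auth can-i list pods -n webapp --as=system:serviceaccount:webapp:webapp` (expect no, since the workload account has no bindings at all).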

May 19, 2026 · 25 min read · 4.8k words

This lesson is for members

The first 7 days of 30 Days of DevOps are free. Unlock the full curriculum — every day of every series, current and future — with one membership.
