Unused Role

A Role only takes effect through a RoleBinding, which grants the Role's permissions to Users, Groups or ServiceAccounts. A Role that no RoleBinding references, or whose bindings only name ServiceAccounts that no workload runs under, grants nothing and is dead RBAC configuration. This validator detects such Roles: ones that are not associated with any application workload.

Affected Resources: Role, ClusterRole

Examples

The RoleBinding below references a Role named pod-reader, but the Role is actually named podreader, so the Role is never bound to anything:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: podreader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
```

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
subjects:
  - kind: ServiceAccount
    name: backend
roleRef:
  kind: Role
  name: pod-reader   # Does not match the Role named "podreader" above
  apiGroup: rbac.authorization.k8s.io
```

Resolution

  • Examine the RoleBindings in the namespace and check whether any of them references the Role by its exact name (roleRef.kind and roleRef.name must both match).
  • Correct any misspelled or outdated Role names in the RoleBinding roleRef.
  • Examine the workloads in the namespace and determine whether the ServiceAccount named in the RoleBinding is actually set as serviceAccountName on any of their Pods.
  • If the Role is genuinely unused, delete it: unused RBAC objects only widen the set of permissions an attacker can pick up later.
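The following is an added example, not Kubevious's own code, showing how the checks in the Resolution steps can be run mechanically over a set of manifests. It takes plain Kubernetes objects as Python dicts (the shape yaml.safe_load or `kubectl get -o json` produces) and reports two things: roles that no binding references or whose bindings only lead to ServiceAccounts no workload runs under, and bindings whose roleRef names a role that does not exist (the typo case from the Examples section). The sample manifests, the `demo` namespace and the ServiceAccount and role names in `SAMPLE_OBJECTS` are constructed for illustration.

```python
"""Flag Roles/ClusterRoles that no workload ends up using, plus dangling roleRefs.

Added example, not Kubevious code. Operates on Kubernetes manifests as dicts.
"""

WORKLOAD_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def _pod_spec(obj):
    """Return the Pod spec embedded in a workload object (empty dict if absent)."""
    spec = obj.get("spec", {})
    if obj["kind"] == "Pod":
        return spec
    if obj["kind"] == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def _role_key(kind, namespace, name):
    """ClusterRoles are cluster-scoped; Roles only exist inside one namespace."""
    return (kind, None if kind == "ClusterRole" else namespace, name)


def used_service_accounts(objects):
    """(namespace, serviceAccountName) pairs that at least one workload runs under."""
    used = set()
    for obj in objects:
        if obj.get("kind") in WORKLOAD_KINDS:
            ns = obj["metadata"].get("namespace", "default")
            # Pods without an explicit account run as the namespace's "default" SA.
            used.add((ns, _pod_spec(obj).get("serviceAccountName", "default")))
    return used


def audit_roles(objects):
    """Return roles not in use (with a reason) and bindings whose roleRef is dangling."""
    used_sas = used_service_accounts(objects)
    status = {}
    for obj in objects:
        if obj.get("kind") in ("Role", "ClusterRole"):
            md = obj["metadata"]
            status[_role_key(obj["kind"], md.get("namespace", "default"), md["name"])] = "unbound"

    dangling = []
    for obj in objects:
        if obj.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        b_ns = obj["metadata"].get("namespace", "default")
        ref = obj["roleRef"]
        key = _role_key(ref["kind"], b_ns, ref["name"])
        if key not in status:
            # The binding names a role that does not exist: the naming-mismatch case.
            dangling.append((b_ns, obj["metadata"]["name"], ref["kind"], ref["name"]))
            continue
        if status[key] == "in-use":
            continue
        status[key] = "bound-unused"
        for subj in obj.get("subjects", []):
            if subj.get("kind") == "ServiceAccount":
                # A ServiceAccount subject without a namespace means the binding's namespace.
                if (subj.get("namespace", b_ns), subj["name"]) in used_sas:
                    status[key] = "in-use"
            elif subj.get("kind") in ("User", "Group"):
                # Humans and groups cannot be matched to a workload; assume in use.
                status[key] = "in-use"

    unused = sorted((k, v) for k, v in status.items() if v != "in-use")
    return {"unused": unused, "dangling_bindings": sorted(dangling)}


RBAC = "rbac.authorization.k8s.io"

# Constructed sample manifests (not from a real cluster): the page's typo case, a role
# bound to a ServiceAccount no workload uses, and a ClusterRole that is genuinely in use.
SAMPLE_OBJECTS = [
    {"kind": "Role", "metadata": {"name": "podreader", "namespace": "demo"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "demo"},
     "subjects": [{"kind": "ServiceAccount", "name": "backend", "namespace": "demo"}],
     "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": RBAC}},
    {"kind": "Role", "metadata": {"name": "config-reader", "namespace": "demo"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-config", "namespace": "demo"},
     "subjects": [{"kind": "ServiceAccount", "name": "legacy-worker", "namespace": "demo"}],
     "roleRef": {"kind": "Role", "name": "config-reader", "apiGroup": RBAC}},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-secrets", "namespace": "demo"},
     "subjects": [{"kind": "ServiceAccount", "name": "backend", "namespace": "demo"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader", "apiGroup": RBAC}},
    {"kind": "Deployment", "metadata": {"name": "backend", "namespace": "demo"},
     "spec": {"template": {"spec": {"serviceAccountName": "backend",
                                    "containers": [{"name": "app", "image": "example/backend"}]}}}},
]

if __name__ == "__main__":
    report = audit_roles(SAMPLE_OBJECTS)
    for (kind, ns, name), reason in report["unused"]:
        print(f"{kind} {ns or '<cluster>'}/{name}: {reason}")
    for ns, binding, ref_kind, ref_name in report["dangling_bindings"]:
        print(f"RoleBinding {ns}/{binding} references missing {ref_kind} {ref_name}")
```

On the sample input, podreader is reported as unbound and read-pods as a dangling reference to pod-reader, which is exactly the naming fix the first two Resolution steps call for; config-reader is reported as bound-unused because legacy-worker is not the ServiceAccount of any workload, which is the third step. The real cluster equivalent is to feed the output of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings,deployments,statefulsets,daemonsets,jobs,cronjobs,pods -A -o json` (its `items` list) into `audit_roles`.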