Content Deep Dive

Snyk @ Snyk: Enabling Kubernetes RBAC for Snyk’s Developers

Blog post from Snyk

Post Details
Company
Date Published
Author
Omer Levi Hevroni
Word Count
771
Language
English
Hacker News Points
-
Summary

Kubernetes RBAC (role-based access control) is a powerful mechanism that lets users define Roles scoped to a single namespace and ClusterRoles that apply cluster-wide, but it also requires careful management to prevent misuse. To address this challenge, Snyk developed an internal security checklist for RBAC rules, with guidelines such as no wildcard resources or verbs, no usage of built-in rules, and no bindings to sensitive service accounts. This checklist is used to automate security checks with Snyk Infrastructure as Code (Snyk IaC), which scans Kubernetes manifests for compliance and reports any violations. By making IaC security ridiculously easy for developers, Snyk aims to empower its team while ensuring that security responsibilities are owned by the developers themselves.