diff --git a/content/en/docs/concepts/security/rbac-good-practices.md b/content/en/docs/concepts/security/rbac-good-practices.md index 58c3e061db..8b883bba9a 100644 --- a/content/en/docs/concepts/security/rbac-good-practices.md +++ b/content/en/docs/concepts/security/rbac-good-practices.md @@ -102,9 +102,10 @@ includes the contents of all Secrets. Permission to create workloads (either Pods, or [workload resources](/docs/concepts/workloads/controllers/) that manage Pods) in a namespace implicitly grants access to many other resources in that namespace, such as Secrets, ConfigMaps, and -PersistentVolumes, which can be mounted into a Pod. Additionally, since Pods can run as any -[ServiceAccount](/docs/reference/access-authn-authz/service-accounts-admin/), create workload -permissions effectively grants the API access levels of any ServiceAccount in the namespace. +PersistentVolumes that can be mounted in Pods. Additionally, since Pods can run as any +[ServiceAccount](/docs/reference/access-authn-authz/service-accounts-admin/), granting permission +to create workloads also implicitly grants the API access levels of any service account in that +namespace. Users who can run privileged Pods can use that access to gain node access and potentially to further elevate their privileges. Where you do not fully trust a user or other principal @@ -113,8 +114,10 @@ with the ability to create suitably secure and isolated Pods, you should enforce You can use [Pod Security admission](/docs/concepts/security/pod-security-admission/) or other (third party) mechanisms to implement that enforcement. -For these reasons, it is considered best practice to generally grant permissions at the namespace -level, and use caution when subdividing access within a namespace. +For these reasons, namespaces should be used to separate resources requiring different levels of +trust or tenancy. It is still considered best practice to follow [least privilege](#least-privilege) +principles and assign the minimum set of permissions, but boundaries within a namespace should be +considered weak. ### Persistent volume creation