[Infrastructure] Tighten RBAC cluster roles & DaemonSet security context

[Flegma]

Summary

Kubernetes RBAC permissions and DaemonSet security contexts need to follow least-privilege principle.

Tasks

• Scope cluster role permissions to minimum required resources and verbs
• Review and restrict DaemonSet security context settings
• Remove unnecessary host-level access
• Document why each permission is needed

Impact

Overly broad permissions increase blast radius if any pod is compromised.

Details

Full details in internal audit document. Finding IDs: CRIT-INFRA-01, CRIT-INFRA-02

---

Related Issues (Security Hardening Pattern)

• [Infrastructure] Tighten RBAC cluster roles & DaemonSet security context #412 — [Infrastructure] Tighten RBAC & DaemonSet security
• [Infrastructure] Add network policies & scope Vault permissions per service #413 — [Infrastructure] Network policies & Vault scoping
• [Connector] Improve offline match endpoint authentication #409 — [Connector] Improve offline match authentication
• [API] Strengthen request authentication and proxy trust validation #372 — [API] Strengthen request authentication