Quite often, when I dive into someone's Kubernetes cluster to debug a problem, I realize whatever pod I'm running has way too many permissions. Often, my pod has the cluster-admin role applied to it through its default ServiceAccount.
Sometimes this role was added because someone wanted to make their CI/CD tool (e.g. Jenkins) manage Kubernetes resources in the cluster, and it was easier to apply cluster-admin to a default service account than to set all the individual RBAC privileges correctly. Other times, it was because someone found a new shiny tool and blindly installed it.
One such example I remember seeing recently is the spekt8 project; in its installation instructions, it tells you to apply an RBAC manifest:
kubectl apply -f https://raw.githubusercontent.com/spekt8/spekt8/master/fabric8-rbac.yaml
What the installation guide doesn't tell you is that this manifest grants cluster-admin privileges to every single Pod in the default namespace!
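To make the problem concrete, here is an added example (not the spekt8 manifest and not the project's own code) of the pattern described above: a ClusterRoleBinding that hands cluster-admin to every service account in the default namespace, followed by the least-privilege alternative of a dedicated ServiceAccount with a namespaced Role and RoleBinding. The names ci-deployer and overly-broad-admin, and the verbs and resources in the Role, are hypothetical and stand in for whatever the tool actually needs.

```yaml
# Added example, not the spekt8 manifest: binding cluster-admin to the group of all
# service accounts in "default" gives every Pod in that namespace full cluster control.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: overly-broad-admin        # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts:default   # every SA, hence every Pod, in "default"
---
# Least-privilege alternative: a dedicated ServiceAccount, a Role with only the
# verbs/resources the tool needs (hypothetical set), and a namespaced RoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-deployer               # set spec.serviceAccountName: ci-deployer on the tool's Pod
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci-deployer
  namespace: default
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ci-deployer
subjects:
- kind: ServiceAccount
  name: ci-deployer
  namespace: default
# Audit what the default SA can actually do in a cluster:
#   kubectl auth can-i --list --as=system:serviceaccount:default:default
```

Running the kubectl auth can-i check before and after removing the broad binding shows the difference: with the first binding in place the default service account reports "*" on every resource; with only the scoped RoleBinding, the default service account (which the tool no longer uses) is back to the cluster's baseline permissions.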