Ensures that Kubernetes workloads and service accounts are not granted excessive permissions.
Kubernetes workloads often use service accounts to interact with the Kubernetes API and other GCP resources. Over-privileged service accounts can lead to privilege escalation or lateral movement within the cluster or the cloud environment. Following the principle of least privilege helps minimize potential attack surfaces.
Review and minimize IAM permissions granted to Kubernetes service accounts and workload identities. Use role-based access control (RBAC) and GCP IAM best practices to ensure only required access is permitted.
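As an added illustration of the review step above (not part of this rule's own text), a small Python check that scans ClusterRoles and ClusterRoleBindings and flags service accounts bound to roles that grant wildcard verbs on everything or on credential- and RBAC-bearing resources. The object shape follows the Kubernetes RBAC v1 API; the role and binding objects embedded below are constructed samples.

```python
# Added example (not part of the rule text): flag Kubernetes service accounts bound to
# over-privileged RBAC roles. Objects mirror the shape of RBAC v1 JSON as returned by
# `kubectl get clusterroles,clusterrolebindings -o json`; the samples are constructed.

SAMPLE_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "secret-writer"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
]

SAMPLE_BINDINGS = [
    {"metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "build"}]},
    {"metadata": {"name": "app-config"},
     "roleRef": {"kind": "ClusterRole", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "prod"}]},
    {"metadata": {"name": "ops-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-writer"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "ServiceAccount", "name": "backup", "namespace": "ops"}]},
]

# Resources where unrestricted verbs let a workload read credentials or grant itself more access.
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "clusterrolebindings", "rolebindings"}

def risky_rules(role):
    """Return the reasons a role is over-privileged, or an empty list if it is not."""
    reasons = []
    for rule in role.get("rules", []):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs and ("*" in resources or resources & SENSITIVE_RESOURCES):
            reasons.append(f"wildcard verbs on {sorted(resources)}")
    return reasons

def find_overprivileged_service_accounts(roles, bindings):
    """Map 'namespace/serviceaccount' -> list of (binding name, reason) findings."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    findings = {}
    for b in bindings:
        role = roles_by_name.get(b["roleRef"]["name"])
        reasons = risky_rules(role) if role else []   # unknown roleRef: nothing to flag
        for s in b.get("subjects", []):
            if reasons and s.get("kind") == "ServiceAccount":   # users/groups are out of scope here
                key = f"{s.get('namespace', 'default')}/{s['name']}"
                findings.setdefault(key, []).extend((b["metadata"]["name"], r) for r in reasons)
    return findings
```

Running the same logic over live cluster output (and over the namespaced Role/RoleBinding pairs) gives a starting list of bindings to tighten; GCP IAM grants on the workload identities behind these service accounts need a separate review.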