
Department of Computer Science: MSc Thesis Presentations

Jaakko Lindholm will present their MSc thesis on Friday 13 March at 13:15 in A106, CS building

Deriving and Enforcing Least-Privilege Role-Based Access Control Policies

Author: Jaakko Lindholm
Supervisor: Lachlan Gunn
Advisor: Katri Turunen

Abstract: As mission-critical systems are migrated to Kubernetes, protecting the Kubernetes API becomes essential in order to prevent breaches and ensure regulatory compliance. Access to this API is typically regulated through Role-Based Access Control (RBAC) policies, which have traditionally been configured by hand. However, this manual approach becomes infeasible in complex systems with insufficiently documented permission requirements. To address this challenge, this thesis proposes RBAC Operator, a novel Kubernetes Operator that continuously enforces least-privilege RBAC policies for workloads and users accessing the Kubernetes API. The Operator leverages a pretrained, general-purpose Large Language Model (LLM) to derive these policies from historical audit logs and future-looking supplemental contexts, which collectively provide comprehensive insight into the permissions required by individual subjects. Its ability to derive least-privilege policies and enforce them is evaluated against both synthesized audit logs and real logs exported from an O-RAN cluster. When used with the Gemini 2.5 Pro or Claude Opus 4.5 model, the Operator consistently derives least-privilege policies for up to a few hundred audit entries that capture all permission usage. The Operator delivers immediate value by generating the first restricted RBAC policy for an O-RAN subject that previously operated with unrestricted permissions and lacked prior documentation of its required permissions. In addition, the Operator successfully detects most out-of-band modifications to RBAC policies. The detected modifications are typically remedied within seconds, although this remediation time extends with the volume of audit logs.
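The two steps the abstract describes, deriving a least-privilege Role from a subject's audit-log history and then detecting out-of-band changes to the enforced policy, as an added example that is not the thesis's RBAC Operator: it replaces the LLM with deterministic aggregation of observed (apiGroup, resource, verb) usage, which is the baseline any such derivation must at least reproduce. The audit entries (shaped like `audit.k8s.io/v1` Events), the subject `system:serviceaccount:ran:xapp-monitor`, the role name and the "live" Role are all constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample of Kubernetes audit log entries (JSON lines), in the shape of
# audit.k8s.io/v1 Event objects. Made-up entries, not logs from the thesis or from O-RAN.
SAMPLE_AUDIT_LOG = """
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:ran:xapp-monitor"},"objectRef":{"resource":"pods","namespace":"ran","apiGroup":""},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:ran:xapp-monitor"},"objectRef":{"resource":"pods","namespace":"ran","apiGroup":""},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:ran:xapp-monitor"},"objectRef":{"resource":"configmaps","namespace":"ran","apiGroup":"","name":"xapp-config"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:ran:xapp-monitor"},"objectRef":{"resource":"deployments","namespace":"ran","apiGroup":"apps"},"responseStatus":{"code":403}}
{"stage":"ResponseStarted","verb":"watch","user":{"username":"system:serviceaccount:ran:xapp-monitor"},"objectRef":{"resource":"pods","namespace":"ran","apiGroup":""},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"watch","user":{"username":"system:serviceaccount:ran:xapp-monitor"},"objectRef":{"resource":"pods","namespace":"ran","apiGroup":""},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"ran","apiGroup":""},"responseStatus":{"code":200}}
"""


def parse_audit_events(text):
    """Parse JSON-lines audit output into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def observed_permissions(events, subject):
    """Return {(namespace, apiGroup, resource): set(verbs)} actually used by `subject`.

    Only completed, successful requests count: a long-running watch is also logged at
    ResponseStarted (counted once here), and a 403 is evidence of an attempt, not of a
    permission the workload needs, so denied requests never turn into grants.
    """
    perms = defaultdict(set)
    for ev in events:
        if ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("user", {}).get("username") != subject:
            continue
        code = ev.get("responseStatus", {}).get("code", 0)
        if not 200 <= code < 300:
            continue
        ref = ev.get("objectRef")
        if not ref or "resource" not in ref:
            continue  # non-resource URLs (e.g. /healthz) need nonResourceURLs rules; skipped here
        key = (ref.get("namespace", ""), ref.get("apiGroup", ""), ref["resource"])
        perms[key].add(ev["verb"])
    return dict(perms)


def build_roles(perms, role_name):
    """Render one namespaced Role manifest per namespace, one rule per (apiGroup, resource).

    Rules are emitted in sorted order so repeated runs over the same log produce identical
    manifests, which is what makes drift detection below meaningful.
    """
    by_ns = defaultdict(list)
    for (ns, group, resource), verbs in sorted(perms.items()):
        by_ns[ns].append({"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)})
    return {
        ns: {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role",
            "metadata": {"name": role_name, "namespace": ns},
            "rules": rules,
        }
        for ns, rules in by_ns.items()
    }


def grants(role):
    """Flatten a Role's rules into a set of (apiGroup, resource, verb) triples.

    Wildcards are kept literally: a live rule with "*" yields ("*", ...) triples, which a
    derived Role never contains, so any wildcard always shows up as excess.
    """
    out = set()
    for rule in role.get("rules", []):
        for g in rule.get("apiGroups", [""]):
            for r in rule.get("resources", []):
                for v in rule.get("verbs", []):
                    out.add((g, r, v))
    return out


def excess_grants(desired_role, live_role):
    """Permissions present in the live Role that the derived policy does not justify."""
    return grants(live_role) - grants(desired_role)


if __name__ == "__main__":
    subject = "system:serviceaccount:ran:xapp-monitor"
    derived = build_roles(observed_permissions(parse_audit_events(SAMPLE_AUDIT_LOG), subject),
                          "xapp-monitor-least-privilege")
    print(json.dumps(derived["ran"], indent=2))
    # Constructed "live" Role with an out-of-band addition an operator would have to remediate.
    live = dict(derived["ran"])
    live["rules"] = derived["ran"]["rules"] + [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["delete"]}
    ]
    print("excess grants:", sorted(excess_grants(derived["ran"], live)))
```

On real logs the same aggregation would be fed the audit backend's output rather than the inline sample; the `resourceNames` field in the `get configmaps` entry could tighten that rule further, at the cost of breaking `list`, which is exactly the kind of judgement the abstract leaves to the model and supplemental context.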
