Recurring operations work

Audit every binding that grants cluster-admin equivalent

Hyground enumerates RoleBindings and ClusterRoleBindings across every cluster, flags those granting wildcard verbs or cluster-admin, and identifies when each was last modified and who is responsible. Read-only kubectl. Inside your perimeter.

The artefact

A drift report, with the subject, the verb and the last change

RBAC drift is the security risk that nobody notices until the audit. Hyground encodes the enumeration pass as a deterministic workflow that runs weekly, compares the live state with your policy-as-code, and surfaces the anomalies with full attribution.

Dangerous bindings first

ClusterRoleBindings granting cluster-admin or wildcard verbs are surfaced first, with full subject attribution. A RoleBinding that hands the cluster-admin ClusterRole to a subject inside a single namespace is reported too, scoped to that namespace, since it is full control of everything in it.

Change history

The last commit or kubectl apply that touched each binding, with the author.

What the agent reads

The cluster's own state, plus your policy-as-code

No new policy engine to roll out. Hyground walks the live RBAC state and, if you have it, your policy-as-code repository to compute the drift.

Kubernetes RBAC

Every RoleBinding and ClusterRoleBinding across every cluster, with subjects, verbs and resource scope.

Policy-as-code repository

Your declared RBAC manifests in Git, used as the intended-state baseline for drift detection.

Identity provider

Group membership for human users from your identity provider, so a Group subject on a binding resolves to the people it actually grants access to, not just a name the cluster cannot expand. ServiceAccounts are cluster-native and are attributed from the cluster itself.
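The core of the drift comparison described above, as an added example that is not Hyground's own code. It assumes both sides are already Kubernetes binding objects as Python dicts: the Git side loaded from your manifests with any YAML parser, the live side taken from `kubectl get clusterrolebindings,rolebindings -A -o json`. A binding is keyed by kind, namespace and name; drift is anything live that is not declared, anything declared that is missing live, and any binding whose roleRef or subject set differs. The bindings below are constructed sample data.

```python
"""RBAC drift: live bindings versus the manifests declared in Git (added example)."""
import json


def _key(obj):
    """Identity of a binding: (kind, namespace, name); cluster-scoped objects have no namespace."""
    meta = obj["metadata"]
    return (obj["kind"], meta.get("namespace", ""), meta["name"])


def _shape(obj):
    """What a binding grants: the role it references and its subjects, order-insensitive."""
    ref = obj["roleRef"]
    subjects = sorted(
        (s["kind"], s.get("namespace", ""), s["name"]) for s in obj.get("subjects") or []
    )
    return (ref["kind"], ref["name"], tuple(subjects))


def drift(declared, live):
    """Compare declared (Git) bindings with live (cluster) bindings.

    Returns a dict with three lists:
      unmanaged - live bindings no manifest declares (the classic drift)
      missing   - declared bindings the cluster no longer has
      changed   - bindings present on both sides whose roleRef or subjects differ
    """
    want = {_key(o): _shape(o) for o in declared}
    have = {_key(o): _shape(o) for o in live}
    report = {
        "unmanaged": sorted(have.keys() - want.keys()),
        "missing": sorted(want.keys() - have.keys()),
        "changed": [],
    }
    for key in sorted(want.keys() & have.keys()):
        if want[key] != have[key]:
            report["changed"].append({"binding": key, "declared": want[key], "live": have[key]})
    return report


# Constructed sample: what the Git repository declares.
DECLARED = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
    {"kind": "RoleBinding", "metadata": {"name": "audit-reader", "namespace": "audit"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "auditor"}]},
]

# Constructed sample: what the cluster actually has. A hypothetical extra user was
# added to ci-deployer by hand, audit-reader was deleted, and everyone-admin was
# created outside Git.
LIVE = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"},
                  {"kind": "User", "name": "mallory"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]


if __name__ == "__main__":
    print(json.dumps(drift(DECLARED, LIVE), indent=2, default=list))
```

Subjects are compared as a sorted set, so reordering entries in a manifest is not drift, while adding a subject to a live binding is. Run it with the real inputs by replacing the two sample lists with the parsed manifests and the `items` of the kubectl JSON.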

What you get back

The report your CISO will actually read

Sorted by risk, attributed to a subject and a change, with a recommended remediation per finding.

01

Dangerous bindings list

Every ClusterRoleBinding granting cluster-admin or wildcard verbs, ranked by how broadly it applies.

02

Subject attribution

The user, group or ServiceAccount on each binding, with its last-active timestamp.

03

Change history

The commit, the author and the timestamp of the last change to each flagged binding.

04

Recommended remediation

The narrower role the binding should be reduced to, or the policy-as-code change that closes the drift.
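How items 01 and 02 can be computed from the cluster's own state, as an added example that is not Hyground's code. It reads the List that `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` prints, resolves each binding to the rules of the role it references, and separates two findings the page groups together: a cluster-admin equivalent (roleRef `cluster-admin`, or a rule whose apiGroups, resources and verbs are all `*`) and wildcard verbs on a narrower resource set. Findings are ranked by severity, then by cluster versus namespace scope, then by how broad the subject is. The sample List at the bottom is constructed.

```python
"""Rank dangerous Kubernetes RBAC bindings from kubectl JSON (added example)."""
import json
import sys

FULL_WILDCARD = {"*"}


def rule_severity(rule):
    """2 = cluster-admin equivalent, 1 = wildcard verbs on narrower scope, 0 = nothing to flag."""
    if "*" not in set(rule.get("verbs", [])):
        return 0
    all_groups = set(rule.get("apiGroups", [])) == FULL_WILDCARD
    all_resources = set(rule.get("resources", [])) == FULL_WILDCARD
    return 2 if all_groups and all_resources else 1


def subject_breadth(subject):
    """How many principals a subject stands for; higher is broader."""
    kind, name = subject.get("kind"), subject.get("name", "")
    if kind == "Group":
        if name in ("system:authenticated", "system:unauthenticated"):
            return 3  # every credential the API server accepts, or anonymous
        if name == "system:serviceaccounts" or name.startswith("system:serviceaccounts:"):
            return 2  # every ServiceAccount (in the cluster or in one namespace)
        return 1      # an IdP or other named group
    return 0          # a single User or ServiceAccount


def index_roles(items):
    """Map (kind, namespace, name) -> rules for every Role and ClusterRole in the List."""
    roles = {}
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            meta = obj["metadata"]
            roles[(obj["kind"], meta.get("namespace", ""), meta["name"])] = obj.get("rules") or []
    return roles


def binding_severity(binding, roles):
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
        return 2
    # A RoleBinding may reference a namespaced Role; a ClusterRole has no namespace.
    ns = binding["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
    rules = roles.get((ref["kind"], ns, ref["name"]), [])
    return max((rule_severity(r) for r in rules), default=0)


def audit(items):
    """Return flagged bindings, most dangerous first."""
    roles = index_roles(items)
    findings = []
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        sev = binding_severity(obj, roles)
        if sev == 0:
            continue
        subjects = obj.get("subjects") or []
        findings.append({
            "binding": obj["metadata"]["name"],
            "kind": obj["kind"],
            "namespace": obj["metadata"].get("namespace"),
            "role": obj["roleRef"]["name"],
            "severity": "cluster-admin-equivalent" if sev == 2 else "wildcard-verbs",
            "subjects": [f'{s["kind"]}:{s["name"]}' for s in subjects],
            "rank": (sev, int(obj["kind"] == "ClusterRoleBinding"),
                     max((subject_breadth(s) for s in subjects), default=0)),
        })
    findings.sort(key=lambda f: (-f["rank"][0], -f["rank"][1], -f["rank"][2], f["binding"]))
    return findings


# Constructed sample in the shape kubectl emits; names and subjects are hypothetical.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-anything"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "pod-wild"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-anything"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ns-admin", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]}


if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin, or run without input to audit the sample.
    items = SAMPLE["items"] if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for f in audit(items):
        print(f["severity"], f["kind"], f["namespace"] or "-", f["binding"], f["subjects"])
```

The breadth ordering is the point: `system:authenticated` bound to cluster-admin outranks a single CI ServiceAccount with the same role even though both are "cluster-admin", and a wildcard on `pods` alone is reported but ranked below either. Attribution beyond the subject name (who created the binding, when it was last active) needs the audit log or Git history, which this snippet does not read.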

Sovereign AI SRE Agent in your perimeter

Hyground is not SaaS. It ships as a bring-your-own-chart, bring-your-own-model deployment and sends no data back to us, which is how it meets the highest security and data-compliance standards in the AI SRE space. It speeds up both incident resolution, with automatic RCA, and your daily operations work. Trusted by industry giants.

Related use cases

Other recurring operations work

Sweep TLS certificates expiring this month

Every cert-manager Certificate object expiring within 30 days, grouped by owner, with the renewal state per cert.

Map a new CVE blast radius

When a CVE drops, get every affected workload, owner team and upgrade path before the security team asks.

Run recurring operations work as code

Codify the operations work senior engineers repeat every week and let Hyground execute it deterministically with a full audit trail.

Run an RBAC audit against one of your clusters

Connect a read-only kubeconfig and Hyground will produce the drift report against your environment, ready for your next security review.