Kubernetes’ rich API surface poses significant security risks, as its RBAC mechanism lacks fine-grained control over specification attributes—such as field-level or value-level constraints—leading to exploitable misconfigurations and vulnerabilities. To address this, we propose an attribute-level API access control framework grounded in Operator declarative configurations. Our approach combines static analysis of Operator metadata, dynamic semantic parsing of API requests, and runtime enforcement via Kubernetes Admission Control—without modifying core components. It enables policy definition based on resource fields, operation types, and parameter values. Evaluation demonstrates that our framework substantially reduces the API attack surface, effectively mitigating diverse API abuse patterns in production clusters. Moreover, it achieves high compatibility with existing tooling and imposes minimal performance overhead—average request latency increases by less than 3 ms.

Kubernetes (K8s) is widely used to orchestrate containerized applications, including critical services in domains such as finance, healthcare, and government. However, its extensive and feature-rich API interface exposes a broad attack surface, making K8s vulnerable to exploits of software vulnerabilities and misconfigurations. Even if K8s adopts role-based access control (RBAC) to manage access to K8s APIs, this approach lacks the granularity needed to protect specification attributes within API requests. This paper proposes a novel solution, KubeFence, which implements finer-grain API filtering tailored to specific client workloads. KubeFence analyzes Kubernetes Operators from trusted repositories and leverages their configuration files to restrict unnecessary features of the K8s API, to mitigate misconfigurations and vulnerabilities exploitable through the K8s API. The experimental results show that KubeFence can significantly reduce the attack surface and prevent attacks compared to RBAC.