Overly permissive Kubernetes configurations—such as excessively broad RBAC permissions and overly open network policies—facilitate privilege escalation and lateral movement, yet existing approaches rely predominantly on static analysis, failing to capture dynamic runtime requirements. This paper introduces KubeGuard, the first runtime log-driven, LLM-augmented framework for minimal-privilege configuration optimization. KubeGuard employs a modular prompt chain to jointly analyze YAML manifests and cluster runtime logs, translating observed operational behavior into actionable, security-compliant configuration recommendations. It automatically generates and refines RBAC roles, network policies, and deployment resource constraints. Experimental evaluation demonstrates that KubeGuard significantly outperforms baseline methods in precision, recall, and F1-score, while supporting both proprietary and open-source LLMs. By grounding configuration hardening in actual runtime behavior, KubeGuard effectively bridges the gap between declarative security policies and operational reality.

The widespread adoption of Kubernetes (K8s) for orchestrating cloud-native applications has introduced significant security challenges, such as misconfigured resources and overly permissive configurations. Failing to address these issues can result in unauthorized access, privilege escalation, and lateral movement within clusters. Most existing K8s security solutions focus on detecting misconfigurations, typically through static analysis or anomaly detection. In contrast, this paper presents KubeGuard, a novel runtime log-driven recommender framework aimed at mitigating risks by addressing overly permissive configurations. KubeGuard is designed to harden K8s environments through two complementary tasks: Resource Creation and Resource Refinement. It leverages large language models (LLMs) to analyze manifests and runtime logs reflecting actual system behavior, using modular prompt-chaining workflows. This approach enables KubeGuard to create least-privilege configurations for new resources and refine existing manifests to reduce the attack surface. KubeGuard's output manifests are presented as recommendations that users (e.g., developers and operators) can review and adopt to enhance cluster security. Our evaluation demonstrates that KubeGuard effectively generates and refines K8s manifests for Roles, NetworkPolicies, and Deployments, leveraging both proprietary and open-source LLMs. The high precision, recall, and F1-scores affirm KubeGuard's practicality as a framework that translates runtime observability into actionable, least-privilege configuration guidance.