C-0015 - List Kubernetes secrets


Frameworks

AllControls, ClusterScan, MITRE



Description of the issue

A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings, in the cluster. Secrets are consumed by reference from the pod configuration. An attacker who holds permission to retrieve secrets from the API server (for example, by using the token of a pod's service account) can read sensitive information that may include credentials for various services and use it to move further.

Related resources

ClusterRole, ClusterRoleBinding, Role, RoleBinding

What does this control test

Alerts on users, groups and service accounts whose RBAC rules (Roles and ClusterRoles, resolved through their bindings) grant the get, list or watch verbs on the secrets resource, either explicitly or through a "*" wildcard on the API group, resource or verb.

Remediation

Monitor and approve the list of users, groups and service accounts that can access secrets. Use the exception mechanism to accept the approved subjects so that the control does not keep raising the same notifications.

Example

The following Role is flagged by this control: the rule names the secrets resource with the get, list and watch verbs (a "*" in apiGroups, resources or verbs would match as well).

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-exec
rules:
- apiGroups: ["*"]
  resources: ["secrets"]          # we look for this resource or *
  verbs: ["get", "list", "watch"] # we look for these verbs or *
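The check this control performs and the exception mechanism the remediation describes, as an added example in Python (this is not Kubescape's own code, which is written as Rego rules). It walks Role and ClusterRole objects, flags rules that grant get/list/watch on secrets while honouring "*" wildcards, resolves RoleBindings and ClusterRoleBindings to the subjects that actually hold those grants, and drops subjects on an approved list. The objects are constructed inline so the script runs offline; in a real cluster they would come from `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`. The first Role is the page's own example; the other object names are made up for the demonstration.

```python
from __future__ import annotations

# Verbs that let a subject read secret contents. create/update/delete are not in scope for this control.
READ_VERBS = frozenset({"get", "list", "watch"})


def rule_exposes_secrets(rule: dict) -> frozenset[str]:
    """Return the get/list/watch verbs this RBAC rule grants on secrets.

    Secrets live in the core API group, written as "" in RBAC rules; "*" matches
    any group, resource or verb, so a wildcard must be treated as a match too.
    """
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:
        return frozenset()
    resources = rule.get("resources", [])
    if "secrets" not in resources and "*" not in resources:
        return frozenset()
    verbs = set(rule.get("verbs", []))
    return READ_VERBS if "*" in verbs else frozenset(verbs & READ_VERBS)


def roles_exposing_secrets(roles: list[dict]) -> dict[tuple[str, str, str], frozenset[str]]:
    """Map (kind, namespace, name) -> read verbs for every Role/ClusterRole that exposes secrets.

    ClusterRoles carry no namespace, so their key uses "" in that position.
    """
    found: dict[tuple[str, str, str], frozenset[str]] = {}
    for role in roles:
        verbs: set[str] = set()
        for rule in role.get("rules", []):
            verbs |= rule_exposes_secrets(rule)
        if verbs:
            meta = role["metadata"]
            found[(role["kind"], meta.get("namespace", ""), meta["name"])] = frozenset(verbs)
    return found


def subject_id(subject: dict) -> str:
    """Stable identifier for a binding subject, e.g. 'ServiceAccount:default/default' or 'Group:system:masters'."""
    if subject["kind"] == "ServiceAccount":
        return f'ServiceAccount:{subject.get("namespace", "")}/{subject["name"]}'
    return f'{subject["kind"]}:{subject["name"]}'


def subjects_with_secret_access(roles: list[dict], bindings: list[dict]) -> list[dict]:
    """Resolve bindings to the exposing roles and return one finding per subject.

    Scope is the binding's namespace for a RoleBinding (also when it references a
    ClusterRole, since the grant is then limited to that namespace) and "*" for a
    ClusterRoleBinding, which grants the verbs cluster-wide.
    """
    exposing = roles_exposing_secrets(roles)
    findings = []
    for binding in bindings:
        ref = binding["roleRef"]
        ns = binding["metadata"].get("namespace", "")
        role_key = (ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"])
        if role_key not in exposing:
            continue
        scope = "*" if binding["kind"] == "ClusterRoleBinding" else ns
        for subject in binding.get("subjects", []):
            findings.append({"subject": subject_id(subject), "role": f'{ref["kind"]}/{ref["name"]}',
                             "verbs": sorted(exposing[role_key]), "scope": scope})
    return findings


def alerts(findings: list[dict], approved: set[str]) -> list[dict]:
    """Apply the exception list: approved subjects are reviewed once and no longer reported."""
    return [f for f in findings if f["subject"] not in approved]


# Constructed sample objects (not taken from a real cluster). The first Role is the page's example.
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-exec"},
     "rules": [{"apiGroups": ["*"], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-writer"},  # writes only: not flagged
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "update"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "pod-exec"},
     "roleRef": {"kind": "Role", "name": "pod-exec"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "read-pods"},
     "roleRef": {"kind": "Role", "name": "pod-reader"}, "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "secret-writer"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-writer"},
     "subjects": [{"kind": "ServiceAccount", "name": "sealer", "namespace": "kube-system"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "dev", "name": "dev-admin"},  # ClusterRole, namespace-scoped
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": [{"kind": "User", "name": "bob"}]},
]

if __name__ == "__main__":
    found = subjects_with_secret_access(SAMPLE_ROLES, SAMPLE_BINDINGS)
    for finding in alerts(found, approved={"Group:system:masters"}):
        print(f'{finding["subject"]} can {"/".join(finding["verbs"])} secrets in {finding["scope"]} via {finding["role"]}')
```

Two design points are worth noting. A rule that names secrets under a non-core API group (for example apiGroups: ["apps"]) is deliberately not flagged, because secrets only exist in the core group and such a rule grants nothing; Kubescape's own matching may differ in that corner, so check its Rego rule before relying on this. The namespace-scoped RoleBinding to cluster-admin (user bob above) is reported with scope "dev" rather than "*", since a RoleBinding never grants beyond its own namespace even when it references a ClusterRole.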