C-0015 - List Kubernetes secrets

Framework

ClusterScan, MITRE, AllControls

Severity

High

Description of the the issue

A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.

Related resources

ClusterRole, ClusterRoleBinding, Role, RoleBinding

What does this control test

Alerting on users which have get/list/watch RBAC permissions on secrets.

Remediation

Monitor and approve list of users, groups and service accounts that can access secrets. Use exception mechanism to prevent repetitive the notifications.

Example

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-exec
rules:
- apiGroups: ["*"]
  resources: ["secrets"] # we look for this resource or *
  verbs: ["get","list","watch"]	   # we look for this verb or *