C-0186 - Minimize access to secrets
Framework
cis-v1.23-t1.0.1, cis-eks-t1.2.0, cis-aks-t1.2.0
Severity
Medium
Description of the issue
Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets.
Related resources
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Check which subjects have RBAC permissions to get, list or watch Kubernetes secrets.
How to check it manually
Review the users who have get, list or watch access to secrets objects in the Kubernetes API.
Remediation
Where possible, remove get, list and watch access to secret objects in the cluster.
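The manual check and the remediation above both come down to one question: which subjects are bound to a Role or ClusterRole whose rules grant get, list or watch on secrets. The script below is an added example (not Kubescape's or the control's own code) that answers it over the JSON shape kubectl emits for RBAC objects; the roles and bindings embedded in it are constructed sample data, not taken from a real cluster. It honours wildcard apiGroups, resources and verbs, follows a RoleBinding that points at a ClusterRole, and ignores roles that only have write verbs on secrets. It does not resolve aggregated ClusterRoles or secrets sub-resources, so treat its output as a starting point for the review, not a complete audit.

```python
"""List RBAC subjects able to read Kubernetes Secrets (get/list/watch).

Added example for control C-0186; not the project's own code. Input objects
follow the structure of `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -o json`
items. SAMPLE_ROLES and SAMPLE_BINDINGS are constructed for illustration.
"""

SECRET_READ_VERBS = {"get", "list", "watch"}


def rule_reads_secrets(rule):
    """True if one RBAC rule grants get/list/watch on core-group 'secrets'.

    Wildcards count: apiGroups ['*'], resources ['*'] or verbs ['*'] all match.
    An absent apiGroups list is treated as the core group (""). resourceNames
    narrow the grant to named secrets but still mean read access, so they are
    not used to exclude a rule here.
    """
    groups = rule.get("apiGroups") or [""]
    if not any(g in ("", "*") for g in groups):
        return False
    if not any(r in ("secrets", "*") for r in rule.get("resources", [])):
        return False
    verbs = set(rule.get("verbs", []))
    return "*" in verbs or bool(verbs & SECRET_READ_VERBS)


def roles_reading_secrets(roles):
    """Return the set of (kind, namespace, name) for roles with a matching rule."""
    found = set()
    for role in roles:
        if any(rule_reads_secrets(r) for r in role.get("rules", [])):
            meta = role["metadata"]
            found.add((role["kind"], meta.get("namespace", ""), meta["name"]))
    return found


def subjects_with_secret_access(roles, bindings):
    """Return sorted (binding, subject kind, subject name, subject namespace) tuples
    for every binding whose roleRef resolves to a secret-reading role."""
    readers = roles_reading_secrets(roles)
    findings = []
    for binding in bindings:
        ref = binding["roleRef"]
        if ref["kind"] == "ClusterRole":
            key = ("ClusterRole", "", ref["name"])
        else:
            # A Role is only ever referenced from a RoleBinding in its own namespace.
            key = ("Role", binding["metadata"].get("namespace", ""), ref["name"])
        if key not in readers:
            continue
        for subj in binding.get("subjects", []):
            findings.append((binding["metadata"]["name"], subj["kind"],
                             subj["name"], subj.get("namespace", "")))
    return sorted(findings)


# Constructed sample RBAC objects (not from a real cluster).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # Over-broad: the kind of grant this control asks you to remove.
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
    # Remediated: same principal's role after secrets access was dropped.
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list"]}]},
    # Write-only on secrets: not what this control measures.
    {"kind": "Role", "metadata": {"name": "secret-writer", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]}]},
]

SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    # RoleBinding that references a ClusterRole: scoped to 'dev', still a read grant.
    {"kind": "RoleBinding", "metadata": {"name": "ci-secrets", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "dev"}]},
    {"kind": "RoleBinding", "metadata": {"name": "alice-pods", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "metadata": {"name": "deployer", "namespace": "prod"},
     "roleRef": {"kind": "Role", "name": "secret-writer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "prod"}]},
]


if __name__ == "__main__":
    print(f"{'BINDING':<16}{'TYPE':<16}{'SUBJECT':<24}SA-NAMESPACE")
    for binding, kind, name, ns in subjects_with_secret_access(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{binding:<16}{kind:<16}{name:<24}{ns}")
```

Against the sample data only the cluster-admin group and the CI service account bound to secret-reader are reported; alice (pods and configmaps only) and the write-only deployer are not. To run it against a live cluster, replace the two sample lists with the `items` arrays from `kubectl get clusterroles,roles -o json` and `kubectl get clusterrolebindings,rolebindings -A -o json`, then compare the result with the default principals listed under Default Value before removing anything.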
Impact Statement
Care should be taken not to remove access to secrets from system components which require it for their operation.
Default Value
By default in a kubeadm cluster the following list of principals have get privileges on secret objects:

CLUSTERROLEBINDING                                     SUBJECT                                 TYPE            SA-NAMESPACE
cluster-admin                                          system:masters                          Group
system:controller:clusterrole-aggregation-controller   clusterrole-aggregation-controller      ServiceAccount  kube-system
system:controller:expand-controller                    expand-controller                       ServiceAccount  kube-system
system:controller:generic-garbage-collector            generic-garbage-collector               ServiceAccount  kube-system
system:controller:namespace-controller                 namespace-controller                    ServiceAccount  kube-system
system:controller:persistent-volume-binder             persistent-volume-binder                ServiceAccount  kube-system
system:kube-controller-manager                         system:kube-controller-manager          User
Example
No example