C-0186 - Minimize access to secrets
Framework
cis-v1.23-t1.0.1, cis-aks-t1.2.0, cis-eks-t1.2.0, SOC2
Severity
Medium
Description of the the issue
Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets.
Related resources
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Check which subjects have RBAC permissions to get, list or watch Kubernetes secrets.
How to check it manually
Review the users who have get
, list
or watch
access to secrets
objects in the Kubernetes API.
Remediation
Where possible, remove get
, list
and watch
access to secret
objects in the cluster.
Impact Statement
Care should be taken not to remove access to secrets to system components which require this for their operation
Default Value
By default in a kubeadm cluster the following list of principals have get
privileges on secret
objects CLUSTERROLEBINDING SUBJECT TYPE SA-NAMESPACEcluster-admin system:masters Group system:controller:clusterrole-aggregation-controller clusterrole-aggregation-controller ServiceAccount kube-systemsystem:controller:expand-controller expand-controller ServiceAccount kube-systemsystem:controller:generic-garbage-collector generic-garbage-collector ServiceAccount kube-systemsystem:controller:namespace-controller namespace-controller ServiceAccount kube-systemsystem:controller:persistent-volume-binder persistent-volume-binder ServiceAccount kube-systemsystem:kube-controller-manager system:kube-controller-manager User
Example
No example
Updated 9 days ago