C-0186 - Minimize access to secrets

Framework

cis-aks-t1.2.0, cis-eks-t1.2.0, cis-v1.23-t1.0.1

Severity

Medium

Description of the the issue

Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets.

Related resources

ClusterRole, ClusterRoleBinding, Role, RoleBinding

What does this control test

Check which subjects have RBAC permissions to get, list or watch Kubernetes secrets.

How to check it manually

Review the users who have get, list or watch access to secrets objects in the Kubernetes API.

Remediation

Where possible, remove get, list and watch access to secret objects in the cluster.

Impact Statement

Care should be taken not to remove access to secrets to system components which require this for their operation

Default Value

By default in a kubeadm cluster the following list of principals have get privileges on secret objects CLUSTERROLEBINDING SUBJECT TYPE SA-NAMESPACEcluster-admin system:masters Group system:controller:clusterrole-aggregation-controller clusterrole-aggregation-controller ServiceAccount kube-systemsystem:controller:expand-controller expand-controller ServiceAccount kube-systemsystem:controller:generic-garbage-collector generic-garbage-collector ServiceAccount kube-systemsystem:controller:namespace-controller namespace-controller ServiceAccount kube-systemsystem:controller:persistent-volume-binder persistent-volume-binder ServiceAccount kube-systemsystem:kube-controller-manager system:kube-controller-manager User

Example

No example