C-0186 - Minimize access to secrets


cis-v1.23-t1.0.1, cis-eks-t1.2.0, cis-aks-t1.2.0



Description of the the issue

Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets.

Related resources

ClusterRole, ClusterRoleBinding, Role, RoleBinding

What does this control test

Check which subjects have RBAC permissions to get, list or watch Kubernetes secrets.

How to check it manually

Review the users who have get, list or watch access to secrets objects in the Kubernetes API.


Where possible, remove get, list and watch access to secret objects in the cluster.

Impact Statement

Care should be taken not to remove access to secrets to system components which require this for their operation

Default Value

By default in a kubeadm cluster the following list of principals have get privileges on secret objects

CLUSTERROLEBINDING                                    SUBJECT                             TYPE            SA-NAMESPACE
cluster-admin                                         system:masters                      Group           
system:controller:clusterrole-aggregation-controller  clusterrole-aggregation-controller  ServiceAccount  kube-system
system:controller:expand-controller                   expand-controller                   ServiceAccount  kube-system
system:controller:generic-garbage-collector           generic-garbage-collector           ServiceAccount  kube-system
system:controller:namespace-controller                namespace-controller                ServiceAccount  kube-system
system:controller:persistent-volume-binder            persistent-volume-binder            ServiceAccount  kube-system
system:kube-controller-manager                        system:kube-controller-manager      User 


No example