KubernetesOverview
The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.
Rationale
Inappropriate access to secrets stored within the Kubernetes cluster can allow an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets.
Impact
Care should be taken not to remove access to secrets to system components that require this for their operation.
Audit
Review the users who have get, list or watch access to secrets objects in the Kubernetes API.
Remediation guidance
Where possible, remove get, list, and watch access to secret objects in the cluster.
References
-
https://workbench.cisecurity.org/sections/1126661/recommendations/1838590
-
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Kubernetes RoleBindings to Roles that have access to secrets
Connectors
Covered asset types
Expected check: eq []
{
roles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "get" }
{ verbs_INCLUDES: "list" }
{ verbs_INCLUDES: "watch" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "secrets" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{bindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
bindings {
...AssetFragment
}
}
}
Kubernetes RoleBindings to ClusterRoles that have access to secrets
Connectors
Covered asset types
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "get" }
{ verbs_INCLUDES: "list" }
{ verbs_INCLUDES: "watch" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "secrets" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{roleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
roleBindings {
...AssetFragment
}
}
}
Kubernetes ClusterRoleBindings to ClusterRoles that have access to secrets
Connectors
Covered asset types
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "get" }
{ verbs_INCLUDES: "list" }
{ verbs_INCLUDES: "watch" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "secrets" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{clusterRoleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
clusterRoleBindings {
...AssetFragment
}
}
}
