KubernetesOverview
Consider the use of an external secrets storage and management system, instead of using Kubernetes Secrets directly, if you have more complex secret management needs. Ensure the solution requires authentication to access secrets, has auditing of access to and use of secrets, and encrypts secrets. Some solutions also make it easier to rotate secrets.
Rationale
Kubernetes supports secrets as first-class objects, but care needs to be taken to ensure that access to secrets is carefully limited. Using an external secrets provider can ease the management of access to secrets, especially where secrets are used across both Kubernetes and non-Kubernetes environments.
Remediation guidance
Refer to the secrets management options offered by your cloud provider or a third-party secrets management solution.
Depending on the provider, check out the following resources:
AWS
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Kubernetes Deployments with templates that use Kubernetes Secrets
Connectors
Covered asset types
Expected check: eq []
{
deployments(
where: {
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes Jobs with templates that use Kubernetes Secrets
Connectors
Covered asset types
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes CronJobs with templates that use Kubernetes Secrets
Connectors
Covered asset types
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}Kubernetes DaemonSets with templates that use Kubernetes Secrets
Connectors
Covered asset types
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes StatefulSets with templates that use Kubernetes Secrets
Connectors
Covered asset types
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes ReplicaSets with templates that use Kubernetes Secrets
Connectors
Covered asset types
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
