Minimize access to secrets (RBAC)

The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation. Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets.

Risk Level: Low
Cloud Entity: Kubernetes Role
CloudGuard Rule ID: D9.K8S.IAM.33
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

KubernetesRole should not have rules with [ (resources with ['secret']) or (resources contain ['%*%'])]

REMEDIATION

Where possible, remove get, list and watch access to secret objects in the cluster.

Kubernetes Role

An RBAC Role or ClusterRole contains rules that represent a set of permissions. Permissions are purely additive (there are no "deny" rules).

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.4.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices
  • OpenShift Container Platform v3