Detections
Analytics
Minimize access to secrets
HIGH
Description
Description:
The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.
Rationale:
Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets.
Care should be taken not to remove access to secrets to system components which require this for their operation
Remediation
Where possible, remove 'get', 'list' and 'watch' access to 'secret' objects in the cluster.
Policy Details
Rule Reference ID: AC_K8S_0101
CSP: Kubernetes
Remediation Available: No
Domain: Identity and Access Management
Resource: kubernetes_role
Resource Category: Management
Resource Type: Role
Frameworks
GDPR
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0
CIS Kubernetes v1.6.1 Level 1 - Master Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Amazon Elastic Kubernetes Service (EKS) v1.3.0 Level 1
NSA CISA Kubernetes Hardening Guide 1.0
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.3.0 Level 1
CIS Google Kubernetes Engine (GKE) v1.4.0 Level 1
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0
CIS Kubernetes v1.6.1 Level 1 - Master Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Amazon Elastic Kubernetes Service (EKS) v1.3.0 Level 1
NSA CISA Kubernetes Hardening Guide 1.0
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.3.0 Level 1
CIS Google Kubernetes Engine (GKE) v1.4.0 Level 1