4.1.2 Minimize access to secrets

Information

The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.

Rationale:

Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Where possible, remove get, list and watch access to secret objects in the cluster.

Impact:

Care should be taken not to remove access to secrets to system components which require this for their operation

Default Value:

By default in a kubeadm cluster the following list of principals have get privileges on secret objects

CLUSTERROLEBINDING SUBJECT TYPE SA-NAMESPACE

cluster-admin system:masters Group

system:controller:clusterrole-aggregation-controller clusterrole-aggregation-controller ServiceAccount kube-system

system:controller:expand-controller expand-controller ServiceAccount kube-system

system:controller:generic-garbage-collector generic-garbage-collector ServiceAccount kube-system

system:controller:namespace-controller namespace-controller ServiceAccount kube-system

system:controller:persistent-volume-binder persistent-volume-binder ServiceAccount kube-system

system:kube-controller-manager system:kube-controller-manager User

See Also

https://workbench.cisecurity.org/files/2764