Skip to main content

☑️ Prevent access to secrets

The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.

Targeted objects by this rule (types of kind): Role / ClusterRole

Complexity: medium (What does this mean?)

Policy as code identifier: CIS_INVALID_VERB_SECRETS


This rule will fail​

If get, list, or watch permissions are given to the secrets resource:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
rules:
- resources: ["secrets"]
verbs: ["get"]

Rule output in the CLI​

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent access to secrets [1 occurrence]
💡 Incorrect value/s for key `verbs` - access to secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation

How to fix this failure​

Remove get, list, or watch permissions from the secrets resource.


Read more​