☑️ Prevent access to secrets

The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.

Objects targeted by this rule (by kind): Role / ClusterRole

Complexity: medium

Policy as code identifier: CIS_INVALID_VERB_SECRETS


This rule will fail

If the get, list, or watch verb is granted on the secrets resource (here a Role in the core API group; the metadata name and namespace are sample values):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader      # sample name
  namespace: default
rules:
- apiGroups: [""]          # core API group, where secrets live
  resources: ["secrets"]
  verbs: ["get"]

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent access to secrets [1 occurrence]
💡 Incorrect value/s for key `verbs` - access to secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation

How to fix this failure

Remove the get, list, and watch verbs from any rule that targets the secrets resource.
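The following is an added example, not Datree's own implementation of CIS_INVALID_VERB_SECRETS. It reproduces the check described above in Python (fail when get, list or watch is granted on secrets in a Role or ClusterRole) and runs it over three constructed manifests: the failing Role from the section above, a wildcard ClusterRole, and the same Role after the fix. As an assumption going beyond the page text, it also treats the wildcard "*" in verbs, resources or apiGroups as matching, and a missing apiGroups as the core group. The manifests are embedded as JSON (which kubectl also accepts) so that no YAML library is needed.

```python
"""Flag RBAC rules that grant read access to Kubernetes Secrets.

Added example reproducing the logic of the "Prevent access to secrets" rule;
not Datree's code. Wildcard and missing-apiGroups handling are assumptions.
"""
import json

SENSITIVE_VERBS = {"get", "list", "watch"}
# Secrets live in the core API group, written as "" in RBAC rules.
SECRET_API_GROUPS = {"", "*"}


def rule_grants_secret_read(rule: dict) -> bool:
    """Return True if a single RBAC rule allows get/list/watch on secrets."""
    # A missing apiGroups is taken as the core group (assumption; the API
    # server itself rejects a rule without apiGroups).
    api_groups = set(rule.get("apiGroups") or [""])
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    if not (api_groups & SECRET_API_GROUPS):
        return False
    if not (resources & {"secrets", "*"}):
        return False
    return bool(verbs & (SENSITIVE_VERBS | {"*"}))


def check_manifest(manifest: dict) -> list[str]:
    """Return one finding per offending rule; non-RBAC kinds are ignored."""
    if manifest.get("kind") not in {"Role", "ClusterRole"}:
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for index, rule in enumerate(manifest.get("rules", [])):
        if rule_grants_secret_read(rule):
            findings.append(
                f"{manifest['kind']}/{name} rules[{index}]: verbs "
                f"{sorted(rule.get('verbs', []))} on secrets; restrict access "
                f"to the smallest possible group of users"
            )
    return findings


# Constructed sample manifests (names and namespaces are made up).
FAILING_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "Role",
  "metadata": {"name": "secret-reader", "namespace": "default"},
  "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}
  ]
}
""")

# Wildcards grant secret access implicitly; flagged by this example's
# extension of the rule.
WILDCARD_CLUSTER_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "everything"},
  "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}
  ]
}
""")

# The Role after the fix: get/list/watch on secrets removed. The remaining
# "create" on secrets passes because the rule only targets read verbs.
FIXED_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "Role",
  "metadata": {"name": "configmap-reader", "namespace": "default"},
  "rules": [
    {"apiGroups": [""], "resources": ["configmaps"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]}
  ]
}
""")


if __name__ == "__main__":
    for manifest in (FAILING_ROLE, WILDCARD_CLUSTER_ROLE, FIXED_ROLE):
        for line in check_manifest(manifest) or ["OK: no read access to secrets"]:
            print(line)
```

Run it as a script to see one finding each for the failing Role and the wildcard ClusterRole and none for the fixed Role. The wildcard case is the one worth remembering when reviewing RBAC: a rule never mentions "secrets" yet still grants full read access to them.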
