Roles and cluster roles should not grant ‘get’, ‘list’, or ‘watch’ permissions for secrets

Description

RBAC resources in Kubernetes (Roles and ClusterRoles) can grant the `get`, `list`, and `watch` verbs on secrets through the Kubernetes API. Restrict these permissions to the smallest possible set of users and service accounts.

Remediation Steps

  • Ensure roles and cluster roles do not have get, list, or watch permissions for secrets.

Kubernetes Manifest (YAML)

Example Configuration

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-name
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["services", "endpoints", "pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: example-name
  name: example-name
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["services", "endpoints", "pods"]
    verbs: ["get", "list", "watch"]
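As an added example (not part of this page or of Kubernetes itself), the following Python check scans the JSON that `kubectl get roles,clusterroles -A -o json` returns and reports every rule that grants `get`, `list`, or `watch` on core-group secrets. It also treats wildcard apiGroups, resources, or verbs as a match, since `"*"` implicitly covers secrets and the read verbs. The sample input is constructed inline; the role names and namespace are assumptions.

```python
import json

# The three verbs this control forbids on secrets.
SECRET_READ_VERBS = {"get", "list", "watch"}

def rule_exposes_secrets(rule):
    """True if one RBAC rule grants get/list/watch on core-group secrets.
    Wildcards ("*") in apiGroups, resources or verbs count as a match,
    because they implicitly include secrets and the read verbs.
    Write-only verbs (create, update, ...) are outside this control's scope."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    core_group = "" in groups or "*" in groups          # secrets live in the core API group
    names_secrets = "secrets" in resources or "*" in resources
    reads = "*" in verbs or bool(SECRET_READ_VERBS & set(verbs))
    return core_group and names_secrets and reads

def find_secret_readers(items):
    """Scan the 'items' array of `kubectl get roles,clusterroles -A -o json`.
    Returns (kind, namespace, name, rule index) for each offending rule."""
    findings = []
    for obj in items:
        meta = obj.get("metadata", {})
        for idx, rule in enumerate(obj.get("rules") or []):
            if rule_exposes_secrets(rule):
                findings.append((obj.get("kind"), meta.get("namespace"), meta.get("name"), idx))
    return findings

# Constructed sample shaped like kubectl's JSON output (not taken from a real cluster).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRole", "metadata": {"name": "example-name"},
   "rules": [{"apiGroups": [""], "resources": ["services", "endpoints", "pods"],
              "verbs": ["get", "list", "watch"]}]},
  {"kind": "Role", "metadata": {"namespace": "dev", "name": "secret-reader"},
   "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
             {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "too-broad"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "Role", "metadata": {"namespace": "dev", "name": "secret-writer"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "update"]}]}
]}
""")

if __name__ == "__main__":
    for kind, ns, name, idx in find_secret_readers(SAMPLE["items"]):
        where = f"{ns}/{name}" if ns else name
        print(f"{kind} {where}: rule[{idx}] grants get/list/watch on secrets")
```

Against live output, replace `SAMPLE` with `json.load(sys.stdin)` and pipe the kubectl command into the script; bindings are not inspected, so a flagged role is only a risk once something is bound to it.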