Roles and cluster roles should not grant 'get', 'list', or 'watch' permissions for secrets
Description
Kubernetes RBAC objects (Roles and ClusterRoles) are used to grant the get, list, and watch verbs on secrets through the Kubernetes API. Any subject holding these verbs can read every secret in scope, so restrict them to the smallest possible set of users and service accounts.
Remediation Steps
Ensure roles and cluster roles do not have get, list, or watch permissions for secrets.
Kubernetes Manifest (YAML)
Example Configuration
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-name
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["services", "endpoints", "pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: example-name
  name: example-name
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["services", "endpoints", "pods"]
    verbs: ["get", "list", "watch"]
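The remediation step above is easy to state but tedious to verify by hand across a cluster, since RBAC also accepts `*` as a wildcard for apiGroups, resources and verbs, and a rule such as `resources: ["*"]` or `verbs: ["*"]` grants secret reads just as plainly as one that names `secrets`. The following audit script is an added example, not code from the original page or from any policy tool; it assumes the Role and ClusterRole objects have already been parsed into Python dicts (for instance from `kubectl get roles,clusterroles -A -o json`). The compliant inputs mirror the page's two example manifests; the non-compliant ones are constructed for the demo.

```python
"""Audit Role and ClusterRole objects for rules that grant get, list or
watch on secrets, the condition this policy prohibits.

Added example, not part of the original page. Assumes RBAC objects are
already parsed into Python dicts (e.g. from kubectl ... -o json).
"""

SENSITIVE_VERBS = {"get", "list", "watch"}


def rule_secret_read_verbs(rule):
    """Return the subset of get/list/watch this rule grants on secrets.

    RBAC treats "*" in apiGroups, resources or verbs as a wildcard, so
    resources: ["*"] or verbs: ["*"] also matches. Secrets belong to the
    core API group, which manifests spell as "".
    """
    api_groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    in_core_group = "*" in api_groups or "" in api_groups
    touches_secrets = "*" in resources or "secrets" in resources
    if not (in_core_group and touches_secrets):
        return set()
    if "*" in verbs:
        return set(SENSITIVE_VERBS)
    return SENSITIVE_VERBS & set(verbs)


def audit(objects):
    """Return one finding per offending rule across Role/ClusterRole objects."""
    findings = []
    for obj in objects:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue  # ignore anything that is not an RBAC role object
        meta = obj.get("metadata", {})
        for index, rule in enumerate(obj.get("rules", [])):
            granted = rule_secret_read_verbs(rule)
            if granted:
                findings.append({
                    "kind": obj["kind"],
                    "namespace": meta.get("namespace"),  # None for ClusterRole
                    "name": meta.get("name"),
                    "rule": index,
                    "verbs": sorted(granted),
                })
    return findings


# Sample input: the page's two compliant manifests as dicts.
PAGE_EXAMPLES = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "example-name"},
     "rules": [{"apiGroups": [""],
                "resources": ["services", "endpoints", "pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"namespace": "example-name", "name": "example-name"},
     "rules": [{"apiGroups": [""],
                "resources": ["services", "endpoints", "pods"],
                "verbs": ["get", "list", "watch"]}]},
]

# Constructed non-compliant objects for the demo (not from the page).
CONSTRUCTED_VIOLATIONS = [
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"namespace": "dev", "name": "wildcard-role"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # create/delete on secrets is outside this policy's scope, so not flagged
    {"kind": "ClusterRole", "metadata": {"name": "secret-writer"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["create", "delete"]}]},
]

if __name__ == "__main__":
    for finding in audit(PAGE_EXAMPLES + CONSTRUCTED_VIOLATIONS):
        print(finding)
```

Run as-is, the script reports nothing for the page's two manifests and two findings for the constructed objects: the explicit `secrets` rule and the wildcard rule, the latter expanded to all three verbs. Wildcard expansion is the part most home-grown checks miss, and the reason grepping manifests for the literal string `secrets` is not a sufficient audit.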