An error occurred:

Check: CNTR-K8-001163

Kubernetes STIG: CNTR-K8-001163 (in version v2 r4)

Title

Kubernetes must limit Secret access on a need-to-know basis. (Cat II impact)

Discussion

Kubernetes secrets may store sensitive information such as passwords, tokens, and keys. Access to these secrets should be limited to a need-to-know basis via Kubernetes RBAC.

Check Content

Review the Kubernetes accounts and their corresponding roles. If any accounts have read (list, watch, get) access to Secrets without a documented organizational requirement, this is a finding. Run the below command to list the workload resources for applications deployed to Kubernetes: kubectl get all -A -o yaml If Secrets are attached to applications without a documented requirement, this is a finding.

Fix Text

For Kubernetes accounts that have read access to Secrets without a documented requirement, modify the corresponding Role or ClusterRole to remove list, watch, and get privileges for Secrets.

Additional Identifiers

Rule ID: SV-274884r1107236_rule

Vulnerability ID: V-274884

Group Title: SRG-APP-000429-CTR-001060

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002476

Implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined system components.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-28(1)

Cryptographic Protection