Kubernetes must limit Secret access on a need-to-know basis.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-274884 | CNTR-K8-001163 | SV-274884r1107236_rule | CCI-002476 | medium |
| Description | ||||
| Kubernetes secrets may store sensitive information such as passwords, tokens, and keys. Access to these secrets should be limited to a need-to-know basis via Kubernetes RBAC. | ||||
| STIG | Date | |||
| Kubernetes Security Technical Implementation Guide | 2025-05-16 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
SC-28(1)
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-002476
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-274884r1107236_chk)
Review the Kubernetes accounts and their corresponding roles.
If any accounts have read (list, watch, get) access to Secrets without a documented organizational requirement, this is a finding.
Run the below command to list the workload resources for applications deployed to Kubernetes:
kubectl get all -A -o yaml
If Secrets are attached to applications without a documented requirement, this is a finding.
Fix Text (F-78890r1107235_fix)
For Kubernetes accounts that have read access to Secrets without a documented requirement, modify the corresponding Role or ClusterRole to remove list, watch, and get privileges for Secrets.