Roles and ClusterRoles that are bound to a ServiceAccount should not grant the get, list, watch, or * verbs on the secrets resource. The rule triggers when a Role or ClusterRole contains a rule for the secrets resource with one of those verbs and a RoleBinding or ClusterRoleBinding references that role with a ServiceAccount subject. A role with no binding, a binding whose subject is not a ServiceAccount, or a role that grants only other verbs on secrets (such as update) does not trigger it. Disallowing these read and wildcard verbs on bound roles prevents unintended or overly broad access to secrets through a ServiceAccount.
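As an added illustration of the rule's logic (example code, not Datadog's implementation), the following stand-alone Python checker applies the same conditions to manifests that have already been parsed into dicts, so it needs only the standard library. The sample manifests are constructed for the example; treating `apiGroups: ["*"]` and `resources: ["*"]` as covering secrets is this example's assumption.

```python
# Example checker for the rule above; not Datadog's code. Wildcard apiGroups/resources
# are treated as covering secrets here (an assumption of this example).
READ_VERBS = {"get", "list", "watch", "*"}

def reads_secrets(role):
    """True if any rule in a Role/ClusterRole grants get/list/watch/* on core-group secrets."""
    for rule in role.get("rules", []):
        if not set(rule.get("apiGroups", [])) & {"", "*"}:  # secrets are in the core ("") group
            continue
        if not set(rule.get("resources", [])) & {"secrets", "*"}:
            continue
        if set(rule.get("verbs", [])) & READ_VERBS:
            return True
    return False

def _key(kind, name, namespace):
    # Roles are namespaced, ClusterRoles are not; a RoleBinding may reference either kind.
    return (kind, name, namespace if kind == "Role" else None)

def find_violations(docs):
    """Return [(binding name, role name)] where a ServiceAccount is bound to a secrets-reading role."""
    roles = {_key(d["kind"], d["metadata"]["name"], d["metadata"].get("namespace")): d
             for d in docs if d.get("kind") in ("Role", "ClusterRole")}
    violations = []
    for d in docs:
        if d.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = d.get("roleRef", {})
        role = roles.get(_key(ref.get("kind"), ref.get("name"), d["metadata"].get("namespace")))
        if role and reads_secrets(role) and any(
                s.get("kind") == "ServiceAccount" for s in d.get("subjects", [])):
            violations.append((d["metadata"]["name"], ref["name"]))
    return violations

# Constructed sample manifests: one violating pair, one safe pair, one unbound wildcard ClusterRole.
SAMPLE_DOCS = [
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "reader-binding", "namespace": "prod"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "prod"}],
     "roleRef": {"kind": "Role", "name": "secret-reader", "apiGroup": "rbac.authorization.k8s.io"}},
    {"kind": "Role", "metadata": {"name": "secret-writer", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["update"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "writer-binding", "namespace": "prod"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "prod"}],
     "roleRef": {"kind": "Role", "name": "secret-writer", "apiGroup": "rbac.authorization.k8s.io"}},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard"},   # no binding, so no finding
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
```

Only `reader-binding` is reported: `writer-binding` grants just `update`, and the wildcard ClusterRole has no binding.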
Compliant Code Examples
```yaml
# Vulnerable Role Without Binding
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: assembly-prod
  name: testRoleWithoutBindingVulnerable
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
# Vulnerable Role With Binding Not Service Account
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: assembly-prod
  name: testRoleWithBindingVulnerableNotSA
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bindingNotSATestRoleWithBindingVulnerable
  namespace: bindingNotSATestRoleWithBindingVulnerableNamespace
subjects:
  - kind: NotServiceAccount
    name: testsa
    apiGroup: ""
roleRef:
  kind: Role
  name: testRoleWithBindingVulnerableNotSA
  apiGroup: rbac.authorization.k8s.io
---
# Safe Role With Binding
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: assembly-prod
  name: testRoleWithBindingSafe
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["update"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bindingtestRoleWithBindingSafe
  namespace: bindingtestRoleWithBindingSafeNamespace
subjects:
  - kind: ServiceAccount
    name: testsa
    apiGroup: ""
roleRef:
  kind: Role
  name: testRoleWithBindingSafe
  apiGroup: rbac.authorization.k8s.io
---
# Vulnerable Role with Pod
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: assembly-prod
  name: testRoleVulnerablePod
rules:
  - apiGroups: [""]
    resources: ["pod"]
    verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: testRoleBinding
  namespace: bindingTestWithBindingPod
subjects:
  - kind: ServiceAccount
    name: testsa
    apiGroup: ""
roleRef:
  kind: Role
  name: testRoleVulnerablePod
  apiGroup: rbac.authorization.k8s.io
---
# Vulnerable Cluster Role Without Binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: testClusterRoleWithoutBindingVulnerable
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
# Vulnerable Cluster Role With Binding Not Service Account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  namespace: default
  name: testClusterRoleWithBindingVulnerableNotSA
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bindingNotSATestClusterRoleWithBindingVulnerable
  namespace: bindingNotSATestClusterRoleWithBindingVulnerableNamespace
subjects:
  - kind: NotServiceAccount
    name: testsa
    apiGroup: ""
roleRef:
  kind: ClusterRole
  name: testClusterRoleWithBindingVulnerableNotSA
  apiGroup: rbac.authorization.k8s.io
---
# Safe ClusterRole With Binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  namespace: default
  name: testClusterRoleWithBindingSafe
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["secrets"]
    verbs: ["update"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bindingTestClusterRoleWithBindingSafe
  namespace: bindingTestClusterRoleWithBindingSafeNamespace
subjects:
  - kind: NotServiceAccount
    name: testsa
    apiGroup: ""
roleRef:
  kind: ClusterRole
  name: testClusterRoleWithBindingSafe
  apiGroup: rbac.authorization.k8s.io
---
# Vulnerable Cluster Role With Pod
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: testClusterRoleVulnerablePod
rules:
  - apiGroups: [""]
    resources: ["pod"]
    verbs: ["update", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bindingTestClusterRoleWithBinding
  namespace: bindingTestClusterRoleWithBindingNamespace
subjects:
  - kind: ServiceAccount
    name: testsa
    apiGroup: ""
roleRef:
  kind: ClusterRole
  name: testClusterRoleVulnerablePod
  apiGroup: rbac.authorization.k8s.io
```