A kubernetes_role or kubernetes_cluster_role that is bound to a ServiceAccount should not grant the verbs get, list, watch, or * on the secrets resource. Any pod running under that ServiceAccount can then read every Secret the role reaches (the whole namespace for a Role, the whole cluster for a ClusterRole), including credentials that belong to unrelated workloads. The rule inspects kubernetes_role_binding and kubernetes_cluster_role_binding resources that have a ServiceAccount among their subjects, follows role_ref to the bound role, and flags the role if any of its rules lists secrets in resources together with one of the restricted verbs. Both a single rule block and multiple rule blocks are evaluated. To stay compliant, drop secrets from rules that a ServiceAccount-bound role grants, or move secret access into a separate role that is bound only to the principals that need it.
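The check described above, as an added example that is not part of the Datadog rule implementation: a stdlib-only Python script that runs the same logic over the JSON produced by `terraform show -json tfplan`, so no HCL parser is needed. It goes slightly beyond the rule text in two ways, stated here as assumptions: it also treats a `resources = ["*"]` wildcard as granting secrets access, and it resolves `role_ref.name` against both the Terraform resource label and the role's `metadata.name`, since examples in the wild use either. The sample plan embedded in the script is constructed for illustration and is not a real plan.

```python
"""Flag Terraform Kubernetes roles that let a ServiceAccount read Secrets.

Input is the JSON from `terraform show -json tfplan` (stdlib only, no HCL parser).
Example added for illustration; not the Datadog rule's own implementation.
"""
import json
import sys

RESTRICTED_VERBS = {"get", "list", "watch", "*"}
# Terraform resource type -> the RBAC kind that a role_ref would use to point at it
ROLE_KINDS = {"kubernetes_role": "Role", "kubernetes_cluster_role": "ClusterRole"}
BINDING_TYPES = {"kubernetes_role_binding", "kubernetes_cluster_role_binding"}


def _as_list(value):
    """Terraform emits nested blocks as lists; tolerate a single object as well."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _flatten(module):
    """Yield every resource in a planned_values module tree, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _flatten(child)


def role_reads_secrets(role_values):
    """True if any rule grants a restricted verb on secrets (or on the '*' resource wildcard;
    the wildcard handling is an assumption that goes beyond the rule text)."""
    for rule in _as_list(role_values.get("rule")):
        resources = set(rule.get("resources") or [])
        verbs = set(rule.get("verbs") or [])
        if ({"secrets", "*"} & resources) and (RESTRICTED_VERBS & verbs):
            return True
    return False


def find_violations(plan):
    """Return (binding_address, role_address) pairs where a ServiceAccount is bound to a
    role that can read secrets."""
    resources = list(_flatten(plan.get("planned_values", {}).get("root_module", {})))
    # Index offending roles by (kind, name); register both the Terraform label and
    # metadata.name because role_ref.name may be written either way (assumption).
    offending = {}
    for res in resources:
        kind = ROLE_KINDS.get(res["type"])
        if kind and role_reads_secrets(res["values"]):
            offending[(kind, res["name"])] = res["address"]
            for meta in _as_list(res["values"].get("metadata")):
                if meta.get("name"):
                    offending[(kind, meta["name"])] = res["address"]
    violations = []
    for res in resources:
        if res["type"] not in BINDING_TYPES:
            continue
        values = res["values"]
        bound_to_sa = any(s.get("kind") == "ServiceAccount" for s in _as_list(values.get("subject")))
        if not bound_to_sa:
            continue
        for ref in _as_list(values.get("role_ref")):
            role = offending.get((ref.get("kind"), ref.get("name")))
            if role:
                violations.append((res["address"], role))
    return violations


# Constructed sample in the shape of `terraform show -json`; not taken from a real plan.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "kubernetes_role.role_name", "type": "kubernetes_role", "name": "role_name",
     "values": {"metadata": [{"name": "terraform-example"}],
                "rule": [{"api_groups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
                         {"api_groups": [""], "resources": ["secrets"], "verbs": ["*"]}]}},
    {"address": "kubernetes_role_binding.example", "type": "kubernetes_role_binding", "name": "example",
     "values": {"metadata": [{"name": "terraform-example", "namespace": "default"}],
                "role_ref": [{"api_group": "rbac.authorization.k8s.io", "kind": "Role", "name": "role_name"}],
                "subject": [{"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}]}},
    {"address": "kubernetes_cluster_role.reader", "type": "kubernetes_cluster_role", "name": "reader",
     "values": {"metadata": [{"name": "pod-reader"}],
                "rule": [{"api_groups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]}},
    {"address": "kubernetes_cluster_role_binding.reader", "type": "kubernetes_cluster_role_binding",
     "name": "reader",
     "values": {"metadata": [{"name": "pod-reader"}],
                "role_ref": [{"api_group": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "pod-reader"}],
                "subject": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}},
]}}}

if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python check_secret_roles.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for binding, role in find_violations(plan):
        print(f"{binding}: binds a ServiceAccount to {role}, which can read secrets")
```

Run against the embedded sample, only the Role with `verbs = ["*"]` on secrets is reported; the ClusterRole that can read pods but not secrets is not, even though it is also bound to a ServiceAccount.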
Compliant Code Examples
```hcl
# Cluster Role
resource "kubernetes_cluster_role" "cluster_role_name" {
  metadata {
    name = "terraform-example-1"
  }

  rule {
    api_groups = [""]
    resources  = ["namespaces", "pods"] # secrets is not granted, so binding this role to a ServiceAccount is compliant
    verbs      = ["get", "list", "watch"]
  }
}

resource "kubernetes_cluster_role_binding" "example" {
  metadata {
    name = "terraform-example-2"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    # role_ref.name must be the ClusterRole's metadata.name, not its Terraform label
    name      = kubernetes_cluster_role.cluster_role_name.metadata[0].name
  }

  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }

  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }

  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
```

```hcl
# Role
resource "kubernetes_role" "role_name" {
  metadata {
    name = "terraform-example"
    labels = {
      test = "MyRole"
    }
  }

  rule {
    api_groups     = [""]
    resources      = ["pods"]
    resource_names = ["foo"]
    verbs          = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["apps"]
    resources  = ["deployments"]
    verbs      = ["get", "list"]
  }
  # No rule grants any verb on secrets, so the ServiceAccount binding below is compliant.
}

resource "kubernetes_role_binding" "example" {
  metadata {
    name      = "terraform-example"
    namespace = "default"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    # role_ref.name must be the Role's metadata.name, not its Terraform label
    name      = kubernetes_role.role_name.metadata[0].name
  }

  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }

  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }

  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
```
Non-Compliant Code Examples
```hcl
# Cluster Role
resource "kubernetes_cluster_role" "cluster_role_name" {
  metadata {
    name = "terraform-example-1"
  }

  rule {
    api_groups = [""]
    # Non-compliant: "secrets" with get/list/watch lets every subject below read all Secrets cluster-wide,
    # including the kube-system/default ServiceAccount.
    resources  = ["namespaces", "pods", "secrets"]
    verbs      = ["get", "list", "watch"]
  }
}

resource "kubernetes_cluster_role_binding" "example" {
  metadata {
    name = "terraform-example-2"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    # role_ref.name must be the ClusterRole's metadata.name, not its Terraform label
    name      = kubernetes_cluster_role.cluster_role_name.metadata[0].name
  }

  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }

  subject {
    # This ServiceAccount subject is what makes the secrets rule above a finding.
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }

  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
```

```hcl
# Role
resource "kubernetes_role" "role_name" {
  metadata {
    name = "terraform-example"
    labels = {
      test = "MyRole"
    }
  }

  rule {
    api_groups     = [""]
    resources      = ["pods"]
    resource_names = ["foo"]
    verbs          = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["apps"]
    resources  = ["deployments"]
    verbs      = ["get", "list"]
  }

  rule {
    api_groups = [""]
    resources  = ["secrets"]
    # Non-compliant: the "*" wildcard includes get, list and watch on every Secret in the namespace.
    verbs      = ["*"]
  }
}

resource "kubernetes_role_binding" "example" {
  metadata {
    name      = "terraform-example"
    namespace = "default"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    # role_ref.name must be the Role's metadata.name, not its Terraform label
    name      = kubernetes_role.role_name.metadata[0].name
  }

  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }

  subject {
    # This ServiceAccount subject is what makes the secrets rule above a finding.
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }

  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
```
Rulesets: Terraform / Kubernetes (rules to enforce for Kubernetes).