|Steal Application Access Token, T1528
An identity with a role that allows listing secrets can potentially view all the secrets in a specific namespace or in the whole cluster (with ClusterRole).
Obtaining the list secrets permission will be a significant advantage to an attacker. It may lead to disclosure of application credentials, SSH keys, other more privileged user’s tokens and more. All of these can be used in different ways depending on their capabilities. For our graph model we focus on the latter case of extracting K8s tokens only.
Ability to interrogate the K8s API with a role allowing list access to secrets.
See the example pod spec.
Simply ask kubectl:
Simply dump all secrets using kubectl:
- Monitor anomalous access to the secrets API including listing all secrets, unusual User-Agent headers and other outliers.
Implement least privilege access
Listing secrets is a very powerful privilege and should not be required by the majority of users. Use an automated tool such as KubeHound to search for any risky permissions and users in the cluster and look to eliminate them.