# TOKEN_LIST

| Source | Destination | MITRE |
|---|---|---|
| PermissionSet | Identity | Steal Application Access Token, T1528 |
An identity with a role that allows listing secrets can potentially view all the secrets in a specific namespace or in the whole cluster (with ClusterRole).
## Details

Obtaining the list secrets permission is a significant advantage to an attacker. It may lead to the disclosure of application credentials, SSH keys, other, more privileged users' tokens and more. Each of these can be abused in different ways depending on what it grants access to. For our graph model we focus only on the last case: extracting K8s service account tokens.
## Prerequisites
Ability to interrogate the K8s API with a role allowing list access to secrets.
See the example pod spec.
## Checks
Simply ask kubectl:
## Exploitation
Simply dump all secrets using kubectl:
## Defences

### Monitoring
- Monitor anomalous access to the secrets API including listing all secrets, unusual User-Agent headers and other outliers.
### Implement least privilege access
Listing secrets is a very powerful privilege and should not be required by the majority of users. Use an automated tool such as KubeHound to search for any risky permissions and users in the cluster and look to eliminate them.
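As an added example (not KubeHound's own code, and not part of the original page), the audit below walks RBAC role objects in the JSON shape `kubectl get clusterroles,roles -A -o json` returns and flags every Role or ClusterRole whose rules grant `list` on core-group `secrets`. It also catches the wildcard forms (`apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]`) that a simple string search for "secrets" would miss; the sample role list is constructed for this example.

```python
import json

# Constructed sample in the shape of `kubectl get clusterroles,roles -A -o json`,
# trimmed to the fields RBAC evaluation needs.
SAMPLE_ROLES = json.loads("""
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "Role", "metadata": {"name": "pod-viewer", "namespace": "dev"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "watch"]}]},
 {"kind": "Role", "metadata": {"name": "cm-lister", "namespace": "dev"},
  "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["list"]}]}
]}
""")


def rule_grants_list_secrets(rule):
    """True if a single RBAC rule grants the `list` verb on core-group `secrets`.
    Wildcards ('*') in apiGroups, resources or verbs match everything, so they
    are treated as a grant too. Scope is deliberately the `list` verb this
    page describes; `get` on a known name is a narrower, separate permission."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    in_core_group = "" in groups or "*" in groups
    on_secrets = "secrets" in resources or "*" in resources
    can_list = "list" in verbs or "*" in verbs
    return in_core_group and on_secrets and can_list


def find_secret_listers(role_list):
    """Return (kind, scope, name) for every role with at least one rule that
    grants list on secrets. Scope is the namespace for a Role and the string
    'cluster-wide' for a ClusterRole."""
    hits = []
    for role in role_list.get("items", []):
        if any(rule_grants_list_secrets(r) for r in role.get("rules", [])):
            scope = role["metadata"].get("namespace", "cluster-wide")
            hits.append((role["kind"], scope, role["metadata"]["name"]))
    return hits


if __name__ == "__main__":
    for kind, scope, name in find_secret_listers(SAMPLE_ROLES):
        print(f"{kind} {name} ({scope}) can list secrets")
```

Feed it real output by replacing `SAMPLE_ROLES` with `json.load(open("roles.json"))`; the bindings that attach each flagged role to a user or service account are the next thing to review.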