
TOKEN_LIST

| Source | Destination | MITRE |
| --- | --- | --- |
| PermissionSet | Identity | Steal Application Access Token, T1528 |

An identity with a role that allows listing secrets can potentially view all the secrets in a specific namespace or in the whole cluster (with ClusterRole).

Details

Obtaining the list secrets permission is a significant advantage to an attacker. It may lead to disclosure of application credentials, SSH keys, other, more privileged users' tokens and more. All of these can be used in different ways depending on their capabilities. For our graph model we focus only on the latter case: extracting K8s tokens.

Prerequisites

Ability to interrogate the K8s API with a role allowing list access to secrets.

See the example pod spec.

Checks

Simply ask kubectl:

kubectl auth can-i list secrets

Exploitation

Simply dump all secrets using kubectl:

kubectl get secrets -o json | jq

Defences

Monitoring

  • Monitor anomalous access to the secrets API including listing all secrets, unusual User-Agent headers and other outliers.
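A detector for the monitoring point above, added here as an example and not part of KubeHound or this page: it scans Kubernetes audit log events (audit.k8s.io/v1, one JSON object per line) for list/watch requests on secrets and flags cluster-wide enumeration and unexpected user agents. The user-agent allow-list and the sample events are constructed assumptions.

```python
import json

# Verbs that read many secrets at once; "watch" streams the same data as "list".
BULK_VERBS = {"list", "watch"}
# Constructed allow-list of user agents expected to enumerate secrets (controllers).
EXPECTED_USER_AGENTS = ("kube-controller-manager/", "external-secrets/")

def analyse_event(event):
    """Return a finding for one secrets list/watch audit Event (audit.k8s.io/v1), else None."""
    if event.get("stage") != "ResponseComplete":
        return None
    obj = event.get("objectRef") or {}
    if obj.get("resource") != "secrets" or event.get("verb") not in BULK_VERBS:
        return None
    ua = event.get("userAgent", "")
    # The user agent is client-supplied: the allow-list only reduces noise from known controllers.
    known = ua.startswith(EXPECTED_USER_AGENTS)
    reasons = []
    if not known:
        reasons.append("unexpected user agent: " + (ua or "<none>"))
        if "namespace" not in obj:  # no namespace in objectRef means a cluster-wide list
            reasons.append("cluster-wide secrets enumeration")
    # Denied requests (403) are reported too: a failed enumeration attempt is still a signal.
    return {
        "user": (event.get("user") or {}).get("username", "<unknown>"),
        "verb": event["verb"],
        "namespace": obj.get("namespace", "*"),
        "status": (event.get("responseStatus") or {}).get("code"),
        "severity": "high" if reasons else "info",
        "reasons": reasons,
    }

def scan_audit_log(text):
    """Scan JSON-lines audit log text and return the list of findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = analyse_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample audit events (not captured from a real cluster).
SAMPLE_AUDIT_LOG = """
{"stage":"ResponseComplete","verb":"get","userAgent":"kubectl/v1.29.0","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"app","name":"db-creds"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"list","userAgent":"kube-controller-manager/v1.29.0","user":{"username":"system:kube-controller-manager"},"objectRef":{"resource":"secrets"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"list","userAgent":"kubectl/v1.29.0","user":{"username":"system:serviceaccount:app:web"},"objectRef":{"resource":"secrets","namespace":"app"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"list","userAgent":"python-requests/2.31","user":{"username":"system:serviceaccount:app:web"},"objectRef":{"resource":"secrets"},"responseStatus":{"code":403}}
"""
```

Running `scan_audit_log(SAMPLE_AUDIT_LOG)` yields three findings: the controller's cluster-wide list as info, and the two service-account listings (one namespaced from kubectl, one cluster-wide and denied from an unexpected client) as high.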

Implement least privilege access

Listing secrets is a very powerful privilege and should not be required by the majority of users. Use an automated tool such as KubeHound to search for any risky permissions and users in the cluster and look to eliminate them.

Calculation

References: