No ServiceAccount/Node should be able to read all secrets

Error: No ServiceAccount/Node should be able to read all secrets

Bridgecrew Policy ID: BC_K8S_119
Checkov Check ID: CKV2_K8S_5
Severity: High

No ServiceAccount/Node should be able to read all secrets

Description

In Kubernetes, a ServiceAccount is an account that is associated with a specific service. A ServiceAccount can be granted specific permissions, known as "roles," that determine what actions it is allowed to perform within a Kubernetes cluster.

One potential issue with ServiceAccounts is that they could potentially be granted the ability to read all secrets in a Kubernetes cluster. This would allow the ServiceAccount to access sensitive information such as passwords, API keys, and other sensitive data that is stored as secrets in the cluster.

Allowing a ServiceAccount to read all secrets could pose a security risk to the cluster, as it could potentially allow unauthorized access to sensitive information. Therefore, it is generally best to avoid granting ServiceAccounts the ability to read all secrets in a cluster.

It is also important to note that nodes, which are the physical or virtual machines that run the Kubernetes cluster, can also potentially be granted the ability to read all secrets. Therefore, it is also important to ensure that nodes do not have this ability to prevent potential unauthorized access to sensitive information.

Fix - Buildtime

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  annotations:
    authorization.k8s.io/get: "[]"