Kubernetes must limit Secret access on a need-to-know basis.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-274884	SRG-APP-000429-CTR-001060	CNTR-K8-001163	SV-274884r1107236_rule	2025-05-16	2

Description
Kubernetes secrets may store sensitive information such as passwords, tokens, and keys. Access to these secrets should be limited to a need-to-know basis via Kubernetes RBAC.

ℹ️ Check
Review the Kubernetes accounts and their corresponding roles. If any accounts have read (list, watch, get) access to Secrets without a documented organizational requirement, this is a finding. Run the below command to list the workload resources for applications deployed to Kubernetes: kubectl get all -A -o yaml If Secrets are attached to applications without a documented requirement, this is a finding.

ℹ️ Check

Review the Kubernetes accounts and their corresponding roles. If any accounts have read (list, watch, get) access to Secrets without a documented organizational requirement, this is a finding. Run the below command to list the workload resources for applications deployed to Kubernetes: kubectl get all -A -o yaml If Secrets are attached to applications without a documented requirement, this is a finding.

✔️ Fix
For Kubernetes accounts that have read access to Secrets without a documented requirement, modify the corresponding Role or ClusterRole to remove list, watch, and get privileges for Secrets.