Scenario #296
Security
Kubernetes v1.23, Self-Hosted

Workload with Wildcard RBAC Access to All Secrets

A microservice was granted get and list access to every Secret in the cluster through a wildcard (*) RBAC rule.

What Happened

Developers granted a namespace-wide controller overly broad Secret access, which accidentally exposed secrets belonging to unrelated teams.

Diagnosis Steps
  1. Audited RBAC for secrets access.
  2. Found a RoleBinding granting a rule with resources: ["secrets"], verbs: ["get", "list"], resourceNames: ["*"].
Root Cause

Overly broad RBAC permissions in the service's manifest.

Fix/Workaround
• Replaced wildcard permissions with explicit named secrets.
• Enabled audit logging on all secrets API calls.
Lessons Learned

A wildcard (*) in RBAC rules is usually far broader than the workload needs and is dangerous, since it silently extends access to every object of that kind.

How to Avoid
  1. Use the least privilege principle.
  2. Validate RBAC via CI/CD linting tools.
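The kind of check the "Validate RBAC via CI/CD linting tools" step refers to, as an added example that is not part of the original scenario or of any named tool. It takes the JSON that a command such as `kubectl get roles,clusterroles -A -o json` prints (here replaced by a constructed sample containing the wildcard Role from the diagnosis beside the narrowed Role from the fix; the namespace, Role and Secret names are made up) and flags every rule that lets a subject read Secrets without naming them, which is the condition the audit in the Diagnosis Steps had to find by hand.

```python
"""Lint Kubernetes RBAC objects for wildcard read access to Secrets.

Added example, not code from the original scenario. Input is the JSON
shape kubectl emits for Role/ClusterRole objects, either a single object
or a kind: List wrapping several.
"""
import json
import sys

# Verbs that let a subject read Secret contents.
READ_VERBS = {"get", "list", "watch", "*"}


def _covers_secrets(rule):
    """True when the rule's apiGroups/resources reach the core Secret resource."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return ("" in groups or "*" in groups) and ("secrets" in resources or "*" in resources)


def wildcard_secret_rules(obj):
    """Return one finding per Role/ClusterRole rule that grants unscoped Secret reads.

    A rule is a finding when it covers Secrets, carries a read verb, and either
    has no resourceNames at all or lists "*" among them.
    """
    items = obj["items"] if obj.get("kind") == "List" else [obj]
    findings = []
    for item in items:
        if item.get("kind") not in ("Role", "ClusterRole"):
            continue
        meta = item.get("metadata", {})
        ident = f"{item['kind']}/{meta.get('namespace', 'cluster')}/{meta.get('name')}"
        for index, rule in enumerate(item.get("rules", [])):
            if not _covers_secrets(rule):
                continue
            verbs = READ_VERBS & set(rule.get("verbs", []))
            if not verbs:
                continue
            names = rule.get("resourceNames", [])
            if not names or "*" in names:
                findings.append({"object": ident, "rule": index,
                                 "verbs": sorted(verbs), "resourceNames": names})
    return findings


# Constructed sample: the wildcard Role as found, and the Role after the fix.
# Namespace, Role and Secret names are invented for the example.
SAMPLE_LIST = {
    "kind": "List",
    "items": [
        {"kind": "Role",
         "metadata": {"namespace": "platform", "name": "config-controller"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"],
                    "verbs": ["get", "list"], "resourceNames": ["*"]}]},
        {"kind": "Role",
         "metadata": {"namespace": "platform", "name": "config-controller-fixed"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"],
                    "verbs": ["get"],
                    "resourceNames": ["controller-db-creds", "controller-api-token"]}]},
    ],
}


def main(argv):
    """Lint a JSON file given on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            obj = json.load(handle)
    else:
        obj = SAMPLE_LIST
    findings = wildcard_secret_rules(obj)
    for finding in findings:
        print(f"{finding['object']} rule {finding['rule']}: "
              f"verbs {finding['verbs']} on secrets, resourceNames={finding['resourceNames']}")
    return 1 if findings else 0  # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample it reports only the first Role; the narrowed Role passes because every Secret it reaches is named. Note that resourceNames only scopes requests that carry an object name, so the narrowed rule keeps get but no longer satisfies list, which matches the least-privilege intent of the fix; if a controller genuinely needs to list Secrets, that should surface as a deliberate exception in review rather than as a wildcard.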