
Summary
Detects Kubernetes audit events in which the authenticated user is a node identity (system:node:<nodename>) or a pod service account (system:serviceaccount:<namespace>:<name>) and the request is a get or list on the secrets resource. This pattern can indicate credential access, where an actor holding a node credential or a pod's service account token enumerates tokens, TLS keys, registry credentials, or other secret material. Note that the rule matches only the get and list verbs; informer-based controllers usually issue watch as well, which this rule does not cover.

Legitimate in-cluster activity also produces these events. Controllers that reconcile secrets (for example cert-manager or external-secrets) read the secrets they manage, deployments briefly spike secret reads, and the kubelet, acting as system:node:<nodename>, is permitted by the Node authorizer to get secrets referenced by pods bound to its node. Baselining known identities, user agents, and namespaces is therefore essential to keep noise down.

Triage should consider the namespace scope of the request (a service account reading secrets outside its own namespace, or a list with no object name, is more suspicious than a get of a single expected secret), the user agent (kubectl or curl from a pod is rarely expected), the RBAC bindings that granted the access, and whether the identity should touch those secret names at all. Investigation steps include mapping the identity to its node or workload and its RBAC bindings, correlating with related events (pod exec, token creation, secret modifications), and checking against approved maintenance windows or node management paths.

Remediation, if the activity is malicious, includes revoking the affected tokens or node credentials, rotating any secrets that were read, tightening RBAC to least privilege, and isolating the affected workload.

This maps to MITRE ATT&CK T1552, Unsecured Credentials (Credential Access tactic), sub-technique T1552.007, Container API.
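The detection and triage logic described above, expressed as an added worked example that runs over constructed audit events. This is illustrative code written for this page, not the rule's own implementation; the audit events are constructed in the audit.k8s.io/v1 shape, the BASELINE_SA allowlist and the severity scoring are assumptions chosen for the example, and the kubelet and kubectl user agents are placeholders.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Identity patterns the rule keys on.
NODE_USER = re.compile(r"^system:node:(?P<node>[^:]+)$")
SA_USER = re.compile(r"^system:serviceaccount:(?P<namespace>[^:]+):(?P<name>[^:]+)$")
SENSITIVE_VERBS = {"get", "list"}

# Hypothetical baseline of controllers expected to read secrets, keyed by
# (namespace, serviceaccount). In a real deployment this comes from tuning.
BASELINE_SA = {
    ("cert-manager", "cert-manager"),
    ("external-secrets", "external-secrets"),
}

# Constructed sample audit events (audit.k8s.io/v1 fields the rule reads).
# These are not real cluster logs.
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in [
    {"auditID": "a1", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "system:serviceaccount:cert-manager:cert-manager"},
     "userAgent": "cert-manager-controller/v1.14.0", "sourceIPs": ["10.0.1.5"],
     "objectRef": {"resource": "secrets", "namespace": "cert-manager", "name": "acme-account-key"},
     "responseStatus": {"code": 200}},
    {"auditID": "a2", "stage": "ResponseComplete", "verb": "list",
     "user": {"username": "system:serviceaccount:default:default"},
     "userAgent": "kubectl/v1.29.0 (linux/amd64)", "sourceIPs": ["10.0.2.17"],
     "objectRef": {"resource": "secrets", "namespace": "kube-system"},
     "responseStatus": {"code": 200}},
    {"auditID": "a3", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "system:node:worker-1"},
     "userAgent": "kubelet/v1.29.0 (linux/amd64)", "sourceIPs": ["10.0.0.11"],
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "web-tls"},
     "responseStatus": {"code": 200}},
    {"auditID": "a4", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "system:serviceaccount:app:web"},
     "userAgent": "app/1.0", "sourceIPs": ["10.0.2.20"],
     "objectRef": {"resource": "configmaps", "namespace": "app", "name": "web-config"},
     "responseStatus": {"code": 200}},
    {"auditID": "a5", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "system:serviceaccount:default:default"},
     "userAgent": "curl/8.4.0", "sourceIPs": ["10.0.2.17"],
     "objectRef": {"resource": "secrets", "namespace": "default", "name": "db-creds"},
     "responseStatus": {"code": 403}},
    # Same request as a2 at the RequestReceived stage; must not be double counted.
    {"auditID": "a2", "stage": "RequestReceived", "verb": "list",
     "user": {"username": "system:serviceaccount:default:default"},
     "userAgent": "kubectl/v1.29.0 (linux/amd64)", "sourceIPs": ["10.0.2.17"],
     "objectRef": {"resource": "secrets", "namespace": "kube-system"}},
]]


@dataclass
class Finding:
    audit_id: str
    identity_kind: str       # "node" or "serviceaccount"
    username: str
    verb: str
    namespace: str
    secret_name: Optional[str]   # None for a list of the whole namespace
    user_agent: str
    source_ips: List[str]
    response_code: Optional[int]
    severity: str            # "medium" or "high" (assumed scoring)
    reasons: List[str]


def classify_user(username: str) -> Tuple[Optional[str], Optional[Tuple[str, ...]]]:
    """Return ('node', (nodename,)) or ('serviceaccount', (ns, name)), else (None, None)."""
    m = NODE_USER.match(username)
    if m:
        return "node", (m.group("node"),)
    m = SA_USER.match(username)
    if m:
        return "serviceaccount", (m.group("namespace"), m.group("name"))
    return None, None


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the rule to one audit event; return a Finding or None."""
    # Only the final stage carries the response; earlier stages would double count.
    if event.get("stage") != "ResponseComplete":
        return None
    obj = event.get("objectRef") or {}
    if obj.get("resource") != "secrets" or event.get("verb") not in SENSITIVE_VERBS:
        return None
    username = (event.get("user") or {}).get("username", "")
    kind, ident = classify_user(username)
    if kind is None:
        return None
    if kind == "serviceaccount" and ident in BASELINE_SA:
        return None  # known controller reconciling its own secrets
    reasons, severity = [], "medium"
    if event["verb"] == "list":
        reasons.append("list enumerates every secret in the namespace")
        severity = "high"
    if kind == "serviceaccount" and ident[0] != obj.get("namespace"):
        reasons.append("service account read secrets outside its own namespace")
        severity = "high"
    if kind == "node":
        reasons.append("kubelet may legitimately fetch secrets for pods on its node; confirm a pod references this secret")
    code = (event.get("responseStatus") or {}).get("code")
    if code == 403:
        reasons.append("request was denied; still indicates an access attempt")
    return Finding(event.get("auditID", ""), kind, username, event["verb"],
                   obj.get("namespace", ""), obj.get("name"), event.get("userAgent", ""),
                   list(event.get("sourceIPs") or []), code, severity, reasons)


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run the rule over newline-delimited JSON audit events."""
    findings = []
    for line in lines:
        f = evaluate(json.loads(line))
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_AUDIT_LINES):
        print(f.severity.upper(), f.audit_id, f.username, f.verb, f.namespace, f.secret_name, f.reasons)
```

On the sample input this yields three findings: the default service account listing kube-system secrets from kubectl (high), the kubelet on worker-1 fetching prod/web-tls (medium, with a note to confirm a pod on that node references it), and a denied get of default/db-creds from curl (medium, still worth triage). The cert-manager read is suppressed by the baseline and the configmap read is out of scope.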
Categories
- Kubernetes
- Containers
Data Sources
- Application Log
ATT&CK Techniques
- T1552
- T1552.007
Created: 2026-04-22