Why is kube apiserver listing all secrets?

I’ve got AWS EKS audit logs turned on and added some alarms. I just saw an action made by:

"user": {
    "username": "system:kube-controller-manager",
    "groups": [

and also by apiserver, to list all secrets. Request URI:


I understand that system resources like apiserver or kube-controller-manager may want to watch secrets, but why/when would they list them?

Full audit log:

  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "yyy",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/secrets?limit=500&resourceVersion=0",
  "verb": "list",
  "user": {
    "username": "system:apiserver",
    "uid": "yyy-3867-49cb-ab1b-yyy",
    "groups": [
  "sourceIPs": [
  "userAgent": "kube-apiserver/v1.24.15 (linux/amd64) kubernetes/af0byyy",
  "objectRef": {
    "resource": "secrets",
    "apiVersion": "v1"
  "responseStatus": {
    "metadata": {},
    "code": 200
  "requestReceivedTimestamp": "2023-07-18T19:55:31.417944Z",
  "stageTimestamp": "2023-07-18T19:55:31.420243Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
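
One way to tune an alarm like the one described in the question, as an added example that is not part of the original post: it classifies audit events so that a cluster-wide secrets LIST with `resourceVersion=0` from a control-plane identity (the initial cache fill that client-go informers perform before they start watching) is separated from the same request made by any other user. The allow-list, the verdict names and the sample events are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Assumption: identities treated as control-plane components (the two named in the post).
CONTROL_PLANE_USERS = {"system:apiserver", "system:kube-controller-manager"}

# Constructed sample events, reduced to the fields the triage reads.
SAMPLE_EVENTS = [
    {"verb": "list", "requestURI": "/api/v1/secrets?limit=500&resourceVersion=0",
     "user": {"username": "system:apiserver"},
     "objectRef": {"resource": "secrets", "apiVersion": "v1"}},
    {"verb": "list", "requestURI": "/api/v1/secrets?limit=500",
     "user": {"username": "dev-user@example.com"},
     "objectRef": {"resource": "secrets", "apiVersion": "v1"}},
    {"verb": "list", "requestURI": "/api/v1/namespaces/app/secrets",
     "user": {"username": "dev-user@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "app", "apiVersion": "v1"}},
    {"verb": "watch", "requestURI": "/api/v1/secrets?watch=true",
     "user": {"username": "system:kube-controller-manager"},
     "objectRef": {"resource": "secrets", "apiVersion": "v1"}},
]

def classify(event):
    """Return 'ignore', 'expected' or 'alert' for one audit.k8s.io/v1 event."""
    ref = event.get("objectRef") or {}
    if event.get("verb") != "list" or ref.get("resource") != "secrets":
        return "ignore"
    if ref.get("namespace"):
        return "ignore"  # namespaced list; this alarm covers cluster-wide lists only
    user = (event.get("user") or {}).get("username", "")
    query = parse_qs(urlsplit(event.get("requestURI", "")).query)
    cache_fill = query.get("resourceVersion") == ["0"]
    # impersonatedUser is present when the request ran under impersonation.
    if user in CONTROL_PLANE_USERS and cache_fill and "impersonatedUser" not in event:
        return "expected"
    return "alert"

def triage(lines):
    """Classify newline-delimited JSON audit events, one verdict per event."""
    return [classify(json.loads(line)) for line in lines if line.strip()]

if __name__ == "__main__":
    verdicts = triage(json.dumps(e) for e in SAMPLE_EVENTS)
    for ev, verdict in zip(SAMPLE_EVENTS, verdicts):
        print(verdict, ev["user"]["username"], ev["requestURI"])
```
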