catalog logoThe IAM Privilege Catalog

services / Google Cloud / Secrets

A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data.

By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.

container.​secrets.​get

By default, secrets are stored unencrypted in Kubernetes, and anyone who can read the secret has access to its contents.

Risks

  1. Cryptographic exfiltration (CRITICAL)
  2. Data exfiltration (CRITICAL)
  3. Data discovery (LOW)
  4. Infrastructure discovery (LOW)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​kubernetes.​io/​docs/​concepts/​configuration/​secret
  • https:​/​/​kubernetes.​io/​docs/​concepts/​security/​secrets-​good-​practices/​

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog