A Kubernetes Secret holds a small amount of sensitive data (passwords, API tokens, TLS keys) and is typically mounted into Pods as a volume or exposed to containers as environment variables. Secrets are similar to ConfigMaps but are meant for storing sensitive data.
Upstream Kubernetes stores Secrets unencrypted in etcd by default. On GKE, etcd is encrypted at the storage layer and application-layer encryption of Secrets with Cloud KMS is opt-in, but neither changes what the API returns: the `data` field comes back base64-encoded, not encrypted, so anyone who can read a Secret through the API can read its contents. Secret contents are also present inside Pods as files or environment variables, so anyone who gains a shell in a Pod can freely read every Secret mounted into it.
container.secrets.list
List secrets in a namespace, or with `--all-namespaces` across the whole cluster. Listing is effectively reading: a `list` (and `watch`) response returns the full Secret objects, including the base64-encoded `data` field of each secret, so this permission exposes secret contents even without `get`.
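The following is an added example (not code from P0 Security's page or from GKE) showing why `list` is equivalent to reading. It decodes the `data` field of a SecretList, shaped like the output of `kubectl get secrets -o json`, and scans a Kubernetes RBAC ClusterRole for rules whose verbs return Secret contents. The SecretList, the ClusterRole, and the function names `decode_secret_list` and `rules_exposing_secret_data` are constructed for illustration; the base64 values decode to `app_user` and `hunter2`.

```python
import base64
import json

# Constructed sample, shaped like the output of
# `kubectl get secrets -n payments -o json` (a SecretList).
# Nothing here comes from a real cluster.
SAMPLE_SECRET_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "SecretList",
    "items": [
        {
            "metadata": {"name": "db-creds", "namespace": "payments"},
            "type": "Opaque",
            "data": {"username": "YXBwX3VzZXI=", "password": "aHVudGVyMg=="},
        },
        {
            # A Secret with no data field at all is still a valid object.
            "metadata": {"name": "empty", "namespace": "payments"},
            "type": "Opaque",
        },
    ],
})

# Constructed RBAC manifest for the review check below. Rule 1 grants only
# `list` on secrets, the case a reviewer who greps for `get` would miss.
SAMPLE_CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "inventory-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["watch"]},
    ],
}

# Verbs whose API responses carry the whole Secret object, `data` included.
SECRET_DATA_VERBS = {"get", "list", "watch", "*"}


def decode_secret_list(secret_list_json: str) -> dict:
    """Decode every `data` entry in a SecretList response.

    Returns {"namespace/name": {key: plaintext}}. A `list` response already
    contains the full object for every item, so no per-secret `get` is needed.
    """
    doc = json.loads(secret_list_json)
    if doc.get("kind") != "SecretList":
        raise ValueError(f"expected SecretList, got {doc.get('kind')!r}")
    out = {}
    for item in doc.get("items", []):
        meta = item["metadata"]
        key = f"{meta['namespace']}/{meta['name']}"
        out[key] = {
            k: base64.b64decode(v).decode("utf-8", errors="replace")
            for k, v in item.get("data", {}).items()
        }
    return out


def rules_exposing_secret_data(role: dict) -> list:
    """Return indexes of RBAC rules that let the subject read Secret contents.

    Matches the core API group ("" or "*"), the `secrets` resource (or "*"),
    and any verb in SECRET_DATA_VERBS; `list` and `watch` count as much as `get`.
    """
    hits = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if not (groups & {"", "*"}):
            continue
        if not (resources & {"secrets", "*"}):
            continue
        if verbs & SECRET_DATA_VERBS:
            hits.append(i)
    return hits


if __name__ == "__main__":
    for name, kv in decode_secret_list(SAMPLE_SECRET_LIST).items():
        print(name, kv)
    print("rules exposing secret data:", rules_exposing_secret_data(SAMPLE_CLUSTER_ROLE))
```

Against a real cluster, feed the output of `kubectl get secrets -A -o json` to `decode_secret_list` instead of the constant, and run `kubectl auth can-i list secrets --all-namespaces` first to see whether the current identity holds this permission at all.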
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or be exploited for significant privilege escalation.
Links
Contributed by P0 Security