services / Google Cloud / Secrets

A Kubernetes Secret is an object for holding sensitive data and is typically mounted into Pods as a volume. Secrets are similar to ConfigMaps but are intended for storing sensitive data.

By default, Secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). A Secret's contents are mounted inside Pods as files in the file system, so anyone who can gain access to a Pod can freely read the contents of the Secret.

container.secrets.update

Allows updating the contents of a Secret (its `data` field), unless the Secret's `immutable` field has been set to true.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://kubernetes.io/docs/concepts/configuration/secret
  • https://kubernetes.io/docs/concepts/security/secrets-good-practices/
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog