services / Google Cloud / Secrets
A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data.
By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.
container.secrets.update
Allows updating the contents of the secret (the `data` field) unless `immutable` property was set to true.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security