services / Azure / Kubernetes ConfigMaps

Kubernetes ConfigMap objects within a Fleet member cluster. ConfigMaps store non-confidential application and cluster configuration as key-value data consumed by workloads.

Although intended for non-secret config, ConfigMaps very frequently contain sensitive values (connection strings, endpoints, tokens, and misplaced credentials), so they are treated as sensitive configuration data.


Microsoft.​ContainerService/​fleets/​members/​configmaps/​read

Reading ConfigMaps exports application/cluster configuration that frequently contains connection strings, endpoints, and embedded credentials — direct data exfiltration.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​ContainerService
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog