services / Google Cloud / Kubernetes Engine Secrets

A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data.

By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.


container.​secrets.​get

By default, secrets are stored unencrypted in Kubernetes, and anyone who can read the secret has access to its contents.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​kubernetes.​io/​docs/​concepts/​configuration/​secret
  • https:​/​/​kubernetes.​io/​docs/​concepts/​security/​secrets-​good-​practices/​
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog