services / Kubernetes / Secrets
A Kubernetes Secret is mounted as a volume on Pods. Secrets are similar to ConfigMaps but are meant for storing sensitive data.
By default, secrets are stored unencrypted, and anyone who can read a Secret can read its contents (its `data` field). The Secret contents are mounted inside pods as files in the file system. Someone with ability to gain access into a Pod may freely read the contents of the secret.
core/secrets.list
List all secrets in a specific namespace. Listing also allows reading the data field of each secret.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security