Read secrets in a namespace
Information Disclosure
Critical
Overview
Field | Value |
---|---|
ID | 1011 |
Name | Read secrets in a namespace |
Risk Category | Information Disclosure |
Risk Level | Critical |
Role Type | Role |
API Groups | core |
Resources | secrets |
Verbs | get, list, watch |
Tags | CredentialAccess DataExposure InformationDisclosure SecretAccess |
Description
Permits reading all secrets within a specific namespace. Even though the grant is namespaced, it is critical because secrets store sensitive information such as database credentials, API keys, and service account tokens; reading them can lead to data exposure and to privilege escalation within or beyond the namespace.
Abuse Scenarios
- List all secrets in a specific namespace.

      kubectl get secrets -n <namespace>
      # Example: kubectl get secrets -n production

- Retrieve and decode a specific secret's data within the namespace.

      kubectl get secret <secret-name> -n <namespace> -o jsonpath='{.data.<key>}' | base64 -d
      # Example: kubectl get secret my-db-credentials -n production -o jsonpath='{.data.password}' | base64 -d
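A check a reviewer can run over Role manifests to flag the exact rule shape this entry describes (core group, secrets resource, any of get/list/watch, including wildcards). This is an added example, not part of the catalogue entry or its tooling; it assumes manifests are already parsed into Python dicts (what yaml.safe_load() returns) and treats a rule restricted by resourceNames as narrowed rather than a full match.

```python
"""Flag Role rules that match this entry: get/list/watch on core-group secrets.

Assumptions (not from the page): manifests arrive as already-parsed dicts,
i.e. what yaml.safe_load() returns, and a rule restricted by resourceNames
is reported with scope "narrowed" instead of "all-secrets".
"""
from typing import Dict, List

SECRET_READ_VERBS = {"get", "list", "watch"}


def _covers(granted: List[str], wanted: str) -> bool:
    """True when a rule's list grants `wanted` explicitly or via the "*" wildcard."""
    return "*" in granted or wanted in granted


def find_secret_read_rules(role: Dict) -> List[Dict]:
    """Return one finding per rule that grants get, list or watch on secrets."""
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        # The core API group is written as the empty string in RBAC manifests.
        if not _covers(rule.get("apiGroups", []), ""):
            continue
        if not _covers(rule.get("resources", []), "secrets"):
            continue
        verbs = set(rule.get("verbs", []))
        hit = SECRET_READ_VERBS if "*" in verbs else verbs & SECRET_READ_VERBS
        if not hit:
            continue
        names = rule.get("resourceNames", [])
        findings.append({
            "rule_index": idx,
            "verbs": sorted(hit),
            "scope": "narrowed" if names else "all-secrets",
            "resource_names": list(names),
        })
    return findings


# Constructed samples: the risky shape from the table above, a least-privilege
# variant pinned to one named secret, and an unrelated Role that must not match.
RISKY_ROLE = {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "production"},
              "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]}
NARROWED_ROLE = {"kind": "Role", "metadata": {"name": "tls-reader", "namespace": "production"},
                 "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
                            "resourceNames": ["tls-cert"]}]}
CONFIGMAP_ROLE = {"kind": "Role", "metadata": {"name": "cm-reader", "namespace": "production"},
                  "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]}
```

Any finding with scope "all-secrets" is the condition this entry rates Critical; a "narrowed" finding still deserves a look but only exposes the named secrets.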