Overview

| Field | Value |
| --- | --- |
| ID | 1012 |
| Name | Modify secrets cluster-wide |
| Risk Category | Tampering |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | secrets |
| Verbs | create, update, patch, delete |
| Tags | ClusterWideSecretAccess, Persistence, PrivilegeEscalation, Tampering |

Description

Allows creating, updating, patching, or deleting secrets in any namespace across the cluster. This is highly critical as it enables an attacker to inject malicious credentials, tamper with existing secrets, or delete critical ones, leading to privilege escalation, persistence, and service disruption.
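To find which identities actually hold this permission in a cluster, the following added example (not part of the catalogue) scans ClusterRole rules and ClusterRoleBindings for the ID1012 pattern: core API group, `secrets` resource, and any of the verbs create/update/patch/delete, with RBAC wildcards honoured. The sample objects are constructed in the shape of the `items` list returned by `kubectl get clusterroles,clusterrolebindings -o json`; the function names are this example's own.

```python
"""Scan ClusterRoles and ClusterRoleBindings for the ID1012 pattern:
cluster-wide create/update/patch/delete on core-group secrets.

Added example, not part of the catalogue. SAMPLE_* objects below are
constructed; they mirror the `items` of `kubectl get ... -o json` output.
"""
import json

WRITE_VERBS = {"create", "update", "patch", "delete"}


def _grants(values, wanted):
    """True if a rule field (apiGroups/resources/verbs) covers `wanted`,
    honouring the RBAC wildcard "*"."""
    return "*" in values or wanted in values


def rule_matches_id1012(rule):
    """A single PolicyRule grants ID1012 if it covers the core API group (""),
    the `secrets` resource and at least one write verb."""
    if not _grants(rule.get("apiGroups", []), ""):
        return False
    if not _grants(rule.get("resources", []), "secrets"):
        return False
    verbs = set(rule.get("verbs", []))
    return "*" in verbs or bool(verbs & WRITE_VERBS)


def risky_verbs(rule):
    """The subset of write verbs a rule grants ("*" means all four)."""
    verbs = set(rule.get("verbs", []))
    return set(WRITE_VERBS) if "*" in verbs else verbs & WRITE_VERBS


def find_id1012(clusterroles, clusterrolebindings):
    """Return {clusterrole_name: {"verbs": [...], "subjects": [...]}} for every
    ClusterRole matching ID1012 that is bound cluster-wide via a
    ClusterRoleBinding. A ClusterRole bound only through a namespaced
    RoleBinding is not cluster-wide and is deliberately left out."""
    risky = {}
    for role in clusterroles:
        verbs = set()
        for rule in role.get("rules") or []:
            if rule_matches_id1012(rule):
                verbs |= risky_verbs(rule)
        if verbs:
            risky[role["metadata"]["name"]] = {"verbs": sorted(verbs), "subjects": []}
    for binding in clusterrolebindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for s in binding.get("subjects") or []:
            ns = f"{s['namespace']}/" if s.get("namespace") else ""
            risky[ref["name"]]["subjects"].append(f"{s['kind']}:{ns}{s['name']}")
    # Only roles that somebody can actually use are reported.
    return {name: v for name, v in risky.items() if v["subjects"]}


# Constructed sample data (not from any real cluster).
SAMPLE_CLUSTERROLES = [
    {"metadata": {"name": "secret-writer"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "patch"]}]},
    {"metadata": {"name": "cluster-admin-like"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "unbound-deleter"},  # matches, but no ClusterRoleBinding
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["delete"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "secret-writer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin-like"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "auditor"}]},
]

if __name__ == "__main__":
    print(json.dumps(find_id1012(SAMPLE_CLUSTERROLES, SAMPLE_BINDINGS), indent=2))
```

On a live cluster, feed the two `items` lists from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` to `find_id1012`; the read-only `secret-reader` role and the unbound `unbound-deleter` role are filtered out, so the report lists only subjects who can modify secrets in every namespace.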

Abuse Scenarios

1. Create a new secret with arbitrary data in any namespace.

   ```shell
   kubectl create secret generic <new-secret-name> --from-literal=malicious_key=malicious_value -n <namespace>
   # Example: kubectl create secret generic backdoor-creds --from-literal=user=admin --from-literal=pass=pwned -n kube-system
   ```

2. Patch an existing secret to change its data (e.g., inject malicious credentials).

   ```shell
   # First, get the current secret data, base64 encode your new value, then patch.
   kubectl patch secret <secret-name> -n <namespace> --type='json' -p='[{"op": "replace", "path": "/data/<key>", "value": "<base64-encoded-new-value>"}]'
   # Example: Change a database password in a secret
   # NEW_PASS_B64=$(echo -n "new_malicious_password" | base64)
   # kubectl patch secret <secret-name> -n <namespace> --type='json' -p='[{"op": "replace", "path": "/data/password", "value": "'"$NEW_PASS_B64"'"}]'
   ```

3. Delete a critical secret, causing application disruption.

   ```shell
   kubectl delete secret <secret-name> -n <namespace>
   # Example: kubectl delete secret kubernetes-dashboard-token-xyz -n kubernetes-dashboard
   ```
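Each of the three scenarios above is a write verb on the `secrets` resource, which the API server audit log records when the audit policy covers secrets (the usual recommendation is `level: Metadata` for secrets, which logs who touched which secret without logging its contents). The following added example, not part of the catalogue, runs that detection over constructed `audit.k8s.io/v1` events: it keeps successful create/update/patch/delete calls on secrets, counts each request once (only the `ResponseComplete` stage), flags an identity that wrote secrets in more than one namespace as cluster-wide, and lists denied (403) attempts separately. The field names follow the real audit Event schema; usernames, namespaces and secret names are made up.

```python
"""Flag cluster-wide secret writes in Kubernetes API server audit logs.

Added example, not part of the catalogue. The events in SAMPLE_AUDIT_LOG are
constructed; field names match the audit.k8s.io/v1 Event schema, values do not
come from any real cluster.
"""
import json
from collections import defaultdict

WRITE_VERBS = {"create", "update", "patch", "delete"}

# Constructed JSON-lines audit log (what the log backend writes, one Event per line).
_EVENTS = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a1", "stage": "ResponseComplete",
     "verb": "patch", "user": {"username": "system:serviceaccount:ci:ci-deployer"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a2", "stage": "ResponseComplete",
     "verb": "create", "user": {"username": "system:serviceaccount:ci:ci-deployer"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "backdoor-creds"},
     "responseStatus": {"code": 201}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a3", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": "auditor"},  # read verb, not a write
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a4", "stage": "ResponseComplete",
     "verb": "delete", "user": {"username": "system:serviceaccount:default:app-sa"},
     "objectRef": {"resource": "secrets", "namespace": "kube-public", "name": "tls-cert"},
     "responseStatus": {"code": 403}},  # denied: worth a look, but not a successful write
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a5", "stage": "RequestReceived",
     "verb": "update", "user": {"username": "system:serviceaccount:release:release-bot"},
     "objectRef": {"resource": "secrets", "namespace": "staging", "name": "app-tls"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a5", "stage": "ResponseComplete",
     "verb": "update", "user": {"username": "system:serviceaccount:release:release-bot"},
     "objectRef": {"resource": "secrets", "namespace": "staging", "name": "app-tls"},
     "responseStatus": {"code": 200}},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in _EVENTS) + "\n"


def parse_events(lines):
    """Parse JSON-lines audit output, skipping blank lines and non-Event records."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("kind") == "Event":
            yield ev


def _secret_write_events(events, stage="ResponseComplete"):
    """Write verbs on the secrets resource; one stage only, so each request
    (same auditID at RequestReceived and ResponseComplete) is counted once."""
    for ev in events:
        ref = ev.get("objectRef") or {}
        if ev.get("stage") == stage and ev.get("verb") in WRITE_VERBS and ref.get("resource") == "secrets":
            yield ev


def summarize_writers(events):
    """Return (summary, denied). summary maps each user to the namespaces and
    verbs of its successful secret writes, with cluster_wide=True when the same
    identity wrote secrets in more than one namespace. denied lists 403s as
    (user, verb, namespace, secret) tuples."""
    per_user = defaultdict(lambda: {"namespaces": set(), "verbs": set()})
    denied = []
    for ev in _secret_write_events(events):
        code = (ev.get("responseStatus") or {}).get("code", 0)
        user = (ev.get("user") or {}).get("username", "<unknown>")
        ref = ev["objectRef"]
        if code == 403:
            denied.append((user, ev["verb"], ref.get("namespace"), ref.get("name")))
            continue
        if not 200 <= code < 300:
            continue
        per_user[user]["namespaces"].add(ref.get("namespace", "<cluster>"))
        per_user[user]["verbs"].add(ev["verb"])
    summary = {
        user: {"namespaces": sorted(v["namespaces"]), "verbs": sorted(v["verbs"]),
               "cluster_wide": len(v["namespaces"]) > 1}
        for user, v in per_user.items()
    }
    return summary, denied


if __name__ == "__main__":
    summary, denied = summarize_writers(parse_events(SAMPLE_AUDIT_LOG.splitlines()))
    print(json.dumps({"writers": summary, "denied": denied}, indent=2))
```

In the sample, `ci-deployer` patches a secret in `prod` and creates one in `kube-system`, so it is reported as a cluster-wide writer, while `release-bot` only touches `staging` and the `auditor` read is ignored; the denied `app-sa` delete shows up in the second list, which is the signal that an identity is trying to use a permission it does not have. On a real cluster the same functions take the audit log file (or the webhook backend's stream) line by line.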