Modify secrets in a namespace
Tampering
Critical
Overview
| Field | Value |
|---|---|
| ID | 1013 |
| Name | Modify secrets in a namespace |
| Risk Category | Tampering |
| Risk Level | Critical |
| Role Type | Role |
| API Groups | core |
| Resources | secrets |
| Verbs | create, update, patch, delete |
| Tags | Persistence, PotentialPrivilegeEscalation, SecretAccess, Tampering |
Description
Grants permission to create, update, patch, or delete secrets within a specific namespace. This allows an attacker to tamper with sensitive credentials, potentially escalate privileges by modifying service account tokens or application secrets, and establish persistence within that namespace.
Abuse Scenarios
- Create a new secret with arbitrary data in the namespace.

  ```bash
  kubectl create secret generic <new-secret-name> --from-literal=malicious_key=malicious_value -n <namespace>
  # Example: kubectl create secret generic my-app-backdoor-token --from-literal=token=eviltoken -n default
  ```

- Patch an existing secret to change its data within the namespace.

  ```bash
  # Secret data is base64-encoded, so encode the new value first:
  # NEW_VALUE_B64=$(echo -n "new_value" | base64)
  # kubectl patch secret <secret-name> -n <namespace> --type='json' -p='[{"op": "replace", "path": "/data/<key>", "value": "'"$NEW_VALUE_B64"'"}]'
  kubectl patch secret <secret-name> -n <namespace> --type='json' -p='[{"op": "replace", "path": "/data/<key>", "value": "<base64-encoded-new-value>"}]'
  ```

- Delete a critical secret within the namespace, causing disruption.

  ```bash
  kubectl delete secret <secret-name> -n <namespace>
  # Example: kubectl delete secret my-app-db-password -n production
  ```
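As an added audit check (not part of this catalogue entry or any tool it belongs to), the following Python script scans a Role or ClusterRole manifest, parsed into a dict, for rules that confer this risk. It goes beyond the literal table above by treating `*` in apiGroups, resources or verbs as a match, by accepting the `""` spelling of the core group used in real manifests, and by recording whether `resourceNames` narrows the grant. The `SAMPLE_ROLE` and its names are constructed.

```python
"""Scan a Kubernetes Role or ClusterRole for rules that can modify secrets (risk 1013)."""
from typing import Any, Dict, List

# The verbs this page flags when granted on core-group secrets.
TAMPER_VERBS = {"create", "update", "patch", "delete"}
# RBAC manifests spell the core API group as ""; "core" is accepted to match the table above.
CORE_GROUPS = {"", "core"}


def _covers(field: List[str], wanted: set) -> set:
    """Return the subset of `wanted` that a rule field grants; "*" grants all of it."""
    return set(wanted) if "*" in field else wanted & set(field)


def find_secret_tampering(role: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per rule whose apiGroups cover the core group, whose
    resources cover "secrets" (directly or via "*"), and whose verbs include
    any tampering verb."""
    findings = []
    for index, rule in enumerate(role.get("rules", [])):
        if not _covers(rule.get("apiGroups", []), CORE_GROUPS):
            continue
        if not _covers(rule.get("resources", []), {"secrets"}):
            continue
        verbs = _covers(rule.get("verbs", []), TAMPER_VERBS)
        if not verbs:
            continue
        names = rule.get("resourceNames", [])
        findings.append({
            "rule": index,
            "verbs": sorted(verbs),
            "resourceNames": names,
            # resourceNames narrows update/patch/delete to named secrets, but it
            # cannot restrict create, because the name is unknown at authorization time.
            "scoped": bool(names) and "create" not in verbs,
        })
    return findings

# Constructed sample Role (the dict form of a manifest); not taken from a real cluster.
SAMPLE_ROLE = {
    "metadata": {"name": "app-operator", "namespace": "default"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["*"], "verbs": ["update", "patch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"],
         "resourceNames": ["my-app-db-password"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["delete"]},
    ],
}
```

Running `find_secret_tampering` over `kubectl get role -o json` output (the `items` list) gives one finding per offending rule; a non-empty result on a namespace is the condition this entry describes.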