Read pod logs in a namespace
Information Disclosure
Medium
Overview
| Field | Value |
|---|---|
| ID | 1019 |
| Name | Read pod logs in a namespace |
| Risk Category | Information Disclosure |
| Risk Level | Medium |
| Role Type | Role |
| API Groups | core |
| Resources | pods/log |
| Verbs | get |
| Tags | DataExposure InformationDisclosure LogAccess |
Description
Grants permission to read logs from pods within a specific namespace. This can expose sensitive application data, credentials, or operational details if present in the logs, leading to information disclosure.
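To find which Roles match this rule, the following added example (not part of the original rule catalog) scans JSON shaped like the output of `kubectl get roles -A -o json`. The sample Role list is constructed and the function names are hypothetical; it goes beyond the exact match in the table by also flagging the wildcard forms the RBAC authorizer accepts (`*` and `*/log`).

```python
import json

# Constructed sample shaped like `kubectl get roles -A -o json` output.
SAMPLE_ROLE_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "log-reader", "namespace": "production"},
   "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
  {"metadata": {"name": "pod-viewer", "namespace": "production"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
  {"metadata": {"name": "ns-admin", "namespace": "default"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "sub-logs", "namespace": "default"},
   "rules": [{"apiGroups": [""], "resources": ["*/log"], "verbs": ["get"],
              "resourceNames": ["my-app-pod"]}]},
  {"metadata": {"name": "apps-only", "namespace": "default"},
   "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["get"]}]}
]}
""")


def rule_grants_pod_logs(rule):
    """True if one RBAC PolicyRule allows `get` on core-group pods/log."""
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    verbs = rule.get("verbs") or []
    group_ok = "" in groups or "*" in groups  # the core API group is ""
    # Exact match, all resources, or the "*/<subresource>" wildcard form.
    resource_ok = any(r in ("pods/log", "*", "*/log") for r in resources)
    verb_ok = "get" in verbs or "*" in verbs
    return group_ok and resource_ok and verb_ok


def find_log_reader_roles(role_list):
    """Return (namespace, role name, scope) for every Role matching the rule."""
    findings = []
    for role in role_list.get("items", []):
        matching = [r for r in role.get("rules") or [] if rule_grants_pod_logs(r)]
        if not matching:
            continue
        # resourceNames narrows a grant to the named pods; any rule without
        # it covers every pod in the namespace.
        if any(not r.get("resourceNames") for r in matching):
            scope = "all pods"
        else:
            scope = ",".join(sorted({n for r in matching for n in r["resourceNames"]}))
        meta = role.get("metadata", {})
        findings.append((meta.get("namespace"), meta.get("name"), scope))
    return findings
```

A ClusterRole referenced by a RoleBinding grants the same access inside that namespace, so the output of `kubectl get clusterroles -o json` can be passed through the same function.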
Abuse Scenarios
- Retrieve logs from a specific pod within the namespace.

  ```bash
  kubectl logs <pod-name> -n <namespace>
  # Example: kubectl logs my-web-app-pod -n production
  ```

- Retrieve logs from a specific container in a pod within the namespace.

  ```bash
  kubectl logs <pod-name> -n <namespace> -c <container-name>
  # Example: kubectl logs my-app-pod -n default -c init-db
  ```