Modify ConfigMaps cluster-wide
Tampering
Critical
Overview
Field | Value |
---|---|
ID | 1024 |
Name | Modify ConfigMaps cluster-wide |
Risk Category | Tampering |
Risk Level | Critical |
Role Type | ClusterRole |
API Groups | core |
Resources | configmaps |
Verbs | create, update, patch, delete |
Tags | ConfigMapAccess PotentialPrivilegeEscalation Tampering |
Description
Allows creating, updating, patching, or deleting ConfigMaps in any namespace. This enables an attacker to tamper with application configurations across the cluster, potentially leading to misconfigurations, denial of service, or privilege escalation if applications consume malicious configurations.
Abuse Scenarios
- Create a new ConfigMap with malicious configuration in any namespace.

  ```bash
  kubectl create configmap <new-cm-name> --from-literal=malicious_setting=true -n <namespace>
  # Example: kubectl create configmap backdoor-config --from-literal=debug_mode=true -n kube-system
  ```

- Patch an existing ConfigMap to alter application behavior.

  ```bash
  kubectl patch configmap <configmap-name> -n <namespace> --type='json' -p='[{"op": "replace", "path": "/data/<key>", "value": "<new-value>"}]'
  # Example: kubectl patch configmap my-app-config -n default --type='json' -p='[{"op": "replace", "path": "/data/log_level", "value": "DEBUG"}]'
  ```

- Delete a critical ConfigMap, causing application disruption.

  ```bash
  kubectl delete configmap <configmap-name> -n <namespace>
  # Example: kubectl delete configmap coredns -n kube-system
  ```
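
An added audit example (not part of the original rule page or its tooling): it evaluates the rule's pattern over the JSON returned by `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`, expanding `*` wildcards and listing the subjects bound cluster-wide. The function names, the sample role and subject names, and the choice to skip rules pinned by `resourceNames` are assumptions of this example; the sample data is constructed.

```python
import json
WRITE_VERBS = {"create", "update", "patch", "delete"}  # verbs from the rule table

def configmap_write_verbs(rule):
    """Write verbs one RBAC rule grants on core-group configmaps ('*' expanded)."""
    def covers(values, wanted):
        return "*" in values or wanted in values
    if rule.get("resourceNames"):  # pinned to named objects: narrower, skipped (assumption)
        return set()
    if not covers(rule.get("apiGroups", []), ""):  # "" is the core API group
        return set()
    if not covers(rule.get("resources", []), "configmaps"):
        return set()
    verbs = set(rule.get("verbs", []))
    return set(WRITE_VERBS) if "*" in verbs else verbs & WRITE_VERBS

def audit(roles_doc, bindings_doc):
    """Map ClusterRole name -> write verbs granted and the subjects bound to it
    through ClusterRoleBindings (the bindings that apply in every namespace)."""
    risky = {}
    for role in roles_doc.get("items", []):
        verbs = set()
        for rule in role.get("rules") or []:  # "rules" can be null
            verbs |= configmap_write_verbs(rule)
        if verbs:
            risky[role["metadata"]["name"]] = {"verbs": sorted(verbs), "subjects": []}
    for binding in bindings_doc.get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") in risky:
            for s in binding.get("subjects") or []:
                risky[ref["name"]]["subjects"].append(
                    f'{s["kind"]}:{s.get("namespace", "-")}/{s["name"]}')
    return risky

# Constructed sample data; all names are hypothetical.
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "config-editor"}, "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "patch", "update"]}]},
    {"metadata": {"name": "wildcard-ops"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "cm-reader"}, "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]}]}
SAMPLE_BINDINGS = {"items": [
    {"roleRef": {"kind": "ClusterRole", "name": "config-editor"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "cm-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]}]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROLES, SAMPLE_BINDINGS), indent=2))
```

A flagged role with an empty `subjects` list is not bound cluster-wide in the data given, but it still matches the rule and will apply as soon as a ClusterRoleBinding references it.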