Kubernetes Secrets Exposure

kubernetes-secrets-exposure

Attacker accesses Kubernetes secrets stored in etcd, which may contain credentials, API keys, TLS certificates, and other sensitive data often stored without encryption-at-rest by default

Information Disclosure

MITRE ATT&CK techniques

ID	Name	Tactic
T1552.007	Container API	Credential Access
T1552	Unsecured Credentials	Credential Access

Common Weakness Enumeration

CWE-522
CWE-312

Mitigating controls

ctrl-k8ssecret-1: Enable etcd encryption-at-rest using EncryptionConfiguration
ctrl-k8ssecret-2: Use external secrets management (Vault, AWS Secrets Manager) instead of native Kubernetes secrets
ctrl-k8ssecret-3: Implement strict RBAC policies limiting access to secrets
ctrl-k8ssecret-4: Enable audit logging for all secrets access
ctrl-k8ssecret-5: Use sealed-secrets or external-secrets operator for GitOps workflows

References

https://kubernetes.io/docs/concepts/configuration/secret/
https://csrc.nist.gov/pubs/sp/800/190/final