Scenario #283
Security
Kubernetes v1.24, GKE

Kubernetes Secrets Mounted in World-Readable Volumes

Secret volumes were mounted with 0644 permissions, allowing any user process inside the container to read them.

What Happened

A poorly configured application image had other processes running that could access mounted secrets (e.g., service credentials).

Diagnosis Steps

  1. Reviewed mounted secret volumes and permissions.
  2. Identified 0644 file mode on mounted files.
  3. Verified multiple processes in the pod could access the secrets.

Root Cause

The secret volume's defaultMode was not overridden, so the files were created with the default 0644 mode and were readable by every user in the container.

Fix/Workaround

  • Set defaultMode: 0400 on all secret volumes.
  • Isolated processes into separate containers, so only the container that needs the secret mounts it.

Lessons Learned

Least privilege applies to file access too.

How to Avoid

  1. Set correct permissions on secret mounts.
  2. Use multi-container pods to isolate secrets access.
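The two fixes above (owner-only mode on the secret volume, and mounting the secret only into the container that needs it) as a before/after Pod manifest. This is an added illustration, not a manifest from the scenario; the pod, container, image and secret names (api, log-shipper, app-creds, example.com/... images) and the uid 1000 are assumptions.

```yaml
# Added example, not from the original scenario. Names (api, log-shipper, app-creds,
# the image references, uid/gid 1000) are assumptions chosen for illustration.
#
# BEFORE: defaultMode omitted, so the kubelet writes the files as 0644 and every
# process in the container, whatever user it runs as, can read the credentials.
apiVersion: v1
kind: Pod
metadata:
  name: api-before
spec:
  containers:
    - name: api
      image: example.com/api:1.0          # placeholder image
      volumeMounts:
        - name: creds
          mountPath: /etc/app-creds
          readOnly: true
    - name: log-shipper
      image: example.com/log-shipper:1.0  # placeholder image
      volumeMounts:
        - name: creds                     # sidecar also sees the secret: unnecessary exposure
          mountPath: /etc/app-creds
          readOnly: true
  volumes:
    - name: creds
      secret:
        secretName: app-creds             # defaultMode not set -> files are 0644
---
# AFTER: owner-only mode, and the secret mounted only into the container that needs it.
apiVersion: v1
kind: Pod
metadata:
  name: api-after
spec:
  securityContext:
    runAsUser: 1000   # the non-root user of the process that must read the secret
    fsGroup: 1000     # lets that user read root-owned secret files via the group bit
  containers:
    - name: api
      image: example.com/api:1.0
      volumeMounts:
        - name: creds
          mountPath: /etc/app-creds
          readOnly: true
    - name: log-shipper
      image: example.com/log-shipper:1.0
      # No volumeMount for creds: this container cannot see the secret at all.
  volumes:
    - name: creds
      secret:
        secretName: app-creds
        defaultMode: 0400   # YAML octal literal; in JSON manifests write the decimal 256
```

Two caveats worth checking after applying the fix. First, secret files are created owned by root, so a container running as a non-root user cannot read a 0400 file unless fsGroup is set; when it is, the kubelet changes the files' group to the fsGroup and adds the group-read bit, so expect something like 0440 with group 1000 rather than a literal 0400. Second, verify the effective mode from inside the container rather than trusting the manifest, for example with `kubectl exec api-after -c api -- stat -c '%a %U:%G' /etc/app-creds/password` (the file name is an assumption), and confirm the sidecar has no such path at all.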