Profile applicability: Level 1
Kubernetes supports mounting secrets as data volumes or as environment variables.
Minimize the use of environment variable secrets.
It is reasonably common for application code to log out its environment (particularly
in the event of an error). This will include any secret values passed in as environment
variables, so secrets can easily be exposed to any user or entity who has access to
the logs.
 |
NoteBy default, secrets are not defined.
|
Impact
Application code which expects to read secrets in the form of environment variables
would need modification.
Audit
Run the following command to find references to objects which use environment variables
defined from secrets.
kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind}
{.metadata.name} {"\n"}{end}' -A
Remediation
If possible, rewrite application code to read secrets from mounted secret files, rather
than from environment variables.
|
NoteMounting secrets as volumes has the additional benefit that secret values can be updated
without restarting the pod
|