Pods should not use secrets stored in environment variables
Description
Providing access to secrets via volume mounts is preferred. Secrets stored in environment variables can leak if the application logs its environment or otherwise exposes it.
Remediation Steps
Kubernetes Manifest (YAML)
Ensure that no container in a Kubernetes Pod has an `env` entry with `valueFrom.secretKeyRef` populated. One alternative is to mount the secret as a volume in the pod.
Example Configuration
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
    - name: hello
      image: busybox
      command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
      volumeMounts:
        - name: hello
          mountPath: "/etc/hello"
          readOnly: true
  volumes:
    - name: hello
      secret:
        secretName: mysecret
        # other required fields here
```
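The check described under Remediation Steps, as an added example that is not part of the original page: it walks a parsed manifest (a plain dict, as `yaml.safe_load` or `kubectl get -o json` would produce) and reports every container that pulls a Secret into its environment. It goes slightly beyond the rule text by also flagging `envFrom[].secretRef`, which injects every key of a Secret into the environment the same way; the two sample manifests are constructed here, with the second mirroring the volume-mount form shown above.

```python
# Added example (not from the original page): flag containers that consume a
# Secret through environment variables in a parsed Kubernetes manifest. Reports
# the env[].valueFrom.secretKeyRef form the rule names and, in addition,
# envFrom[].secretRef, which injects a whole Secret the same way.

def _pod_spec(manifest):
    """Pod spec for a Pod, or for a workload that wraps a pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})  # Deployment, Job, ...

def find_env_secret_refs(manifest):
    """Return [(container, env_var_or_None, secret_name)] for each finding."""
    findings = []
    pod_spec = _pod_spec(manifest)
    for field in ("initContainers", "containers"):
        for c in pod_spec.get(field) or []:
            for env in c.get("env") or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    findings.append((c["name"], env["name"], ref.get("name")))
            for src in c.get("envFrom") or []:
                ref = src.get("secretRef")
                if ref:  # envFrom has no per-variable name
                    findings.append((c["name"], None, ref.get("name")))
    return findings

# Constructed sample: the pattern the rule forbids.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hello"},
    "spec": {"containers": [{"name": "hello", "image": "busybox", "env": [
        {"name": "DB_PASSWORD", "valueFrom": {
            "secretKeyRef": {"name": "mysecret", "key": "password"}}}]}]},
}

# Constructed sample: the volume-mount form the page recommends; no finding.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hello"},
    "spec": {"containers": [{"name": "hello", "image": "busybox", "volumeMounts": [
        {"name": "hello", "mountPath": "/etc/hello", "readOnly": True}]}],
        "volumes": [{"name": "hello", "secret": {"secretName": "mysecret"}}]},
}

if __name__ == "__main__":
    for m in (BAD_POD, GOOD_POD):
        print(m["metadata"]["name"], find_env_secret_refs(m) or "OK")
```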