Pods should not use secrets stored in environment variables

Description

Providing access to secrets via volume mounts is preferred. A secret stored in an environment variable can be exposed whenever the process environment is logged or otherwise disclosed by the application.

Remediation Steps

Kubernetes Manifest (YAML)

Ensure that no container in a Kubernetes Pod has an env entry whose valueFrom.secretKeyRef is populated. One alternative is to mount the secret as a volume in the pod, as in the configuration below.

Example Configuration

apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
  - name: hello
    image: busybox
    command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
    volumeMounts:
    - name: hello
      mountPath: "/etc/hello"
      readOnly: true
  volumes:
  - name: hello
    secret:
      secretName: mysecret
# other required fields here
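The following checker is an added example, not part of the original rule page or of any scanner's own code. It implements the check described above: it walks a Pod manifest (already loaded into plain dicts, as any YAML loader would produce, so it runs without extra dependencies) and reports every container environment variable sourced from a Secret via valueFrom.secretKeyRef. It also flags envFrom[].secretRef, a real Kubernetes field that injects an entire Secret as environment variables; that is an extension beyond the rule text on this page. Both sample Pods are constructed for the example; the compliant one mirrors the volume-mount configuration shown above.

```python
"""Detect Pod containers that receive Secrets through environment variables.

Added example (not from the original page). Manifests are plain dicts,
e.g. the result of yaml.safe_load(); the sample Pods below are constructed.
"""


def env_secret_refs(pod):
    """Return a list of findings (container, source, env_name, secret_name).

    Inspects spec.containers[] and spec.initContainers[] for:
      - env[].valueFrom.secretKeyRef   (the rule on this page)
      - envFrom[].secretRef            (whole-Secret injection; extension)
    An empty list means the Pod complies with the rule.
    """
    findings = []
    spec = pod.get("spec") or {}
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind) or []:
            cname = container.get("name", "<unnamed>")
            for env in container.get("env") or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    findings.append((cname, "env", env.get("name"), ref.get("name")))
            for src in container.get("envFrom") or []:
                ref = src.get("secretRef")
                if ref:
                    findings.append((cname, "envFrom", None, ref.get("name")))
    return findings


def secret_volumes(pod):
    """Return the Secret names that are mounted as volumes (the preferred pattern)."""
    spec = pod.get("spec") or {}
    return sorted(
        v["secret"].get("secretName", "")
        for v in spec.get("volumes") or []
        if v.get("secret")
    )


# Constructed sample: violates the rule (password injected as an env var).
NONCOMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hello-env"},
    "spec": {
        "containers": [
            {
                "name": "hello",
                "image": "busybox",
                "env": [
                    {"name": "LOG_LEVEL", "value": "info"},  # plain value: fine
                    {
                        "name": "DB_PASSWORD",
                        "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}},
                    },
                ],
            }
        ]
    },
}

# Constructed sample: the volume-mount pattern recommended above.
COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hello"},
    "spec": {
        "containers": [
            {
                "name": "hello",
                "image": "busybox",
                "command": ["sh", "-c", 'echo "Hello, Kubernetes!" && sleep 3600'],
                "volumeMounts": [{"name": "hello", "mountPath": "/etc/hello", "readOnly": True}],
            }
        ],
        "volumes": [{"name": "hello", "secret": {"secretName": "mysecret"}}],
    },
}


if __name__ == "__main__":
    for pod in (NONCOMPLIANT_POD, COMPLIANT_POD):
        name = pod["metadata"]["name"]
        hits = env_secret_refs(pod)
        status = "FAIL" if hits else "PASS"
        print(f"{name}: {status} env-secret refs={hits} secret volumes={secret_volumes(pod)}")
```

Run it as a script to see one FAIL and one PASS, or import env_secret_refs into an admission webhook or CI step; a non-empty result is the condition to reject.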