
Metadata

Id: 3d658f8b-d988-41a0-a841-40043121de1e

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: Low

Category: Secret Management

Description

Containers and initContainers must not use secrets as environment variables. Environment variables are inherited by child processes and are easily exposed through process inspection and diagnostic output, so a secret injected this way is harder to contain than one mounted as a file. This rule flags environment variables that reference secrets via env[].valueFrom.secretKeyRef and envFrom[].secretRef in container specs. It reports an IncorrectValue issue that includes the resource name, the spec path, and the specific key that is defined.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
  restartPolicy: Never

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:  # each entry below injects one key of the Secret "mysecret" as a variable
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
  restartPolicy: Never
---
apiVersion: v1
kind: Pod
metadata:
  name: envfrom-secret
spec:
  containers:
  - name: envars-test-container
    image: nginx
    envFrom:  # every key of the Secret "test-secret" becomes an environment variable
    - secretRef:
        name: test-secret
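The following checker, added here as an illustration and not Datadog's own rule implementation, walks a Pod manifest along the two paths the description names (env[].valueFrom.secretKeyRef and envFrom[].secretRef) for both containers and initContainers, and emits one finding per secret-backed variable with the resource name, spec path, and key. The manifests are hand-built dicts mirroring the examples above so that the script runs without a YAML parser; the function and constant names are this example's own.

```python
from typing import Any, Dict, List

def find_secret_env_refs(manifest: Dict[str, Any]) -> List[Dict[str, str]]:
    """One finding per env var or envFrom entry that is backed by a Secret."""
    findings = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest.get("spec", {})
    for list_key in ("containers", "initContainers"):
        for ci, container in enumerate(spec.get(list_key) or []):
            base = f"spec.{list_key}[{ci}]"
            # env[].valueFrom.secretKeyRef: a single Secret key injected as one variable
            for ei, env in enumerate(container.get("env") or []):
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    findings.append({
                        "resource": name,
                        "path": f"{base}.env[{ei}].valueFrom.secretKeyRef",
                        "key": f"{ref.get('name')}/{ref.get('key')}",
                    })
            # envFrom[].secretRef: every key of the Secret becomes a variable
            for fi, src in enumerate(container.get("envFrom") or []):
                ref = src.get("secretRef")
                if ref:
                    findings.append({
                        "resource": name,
                        "path": f"{base}.envFrom[{fi}].secretRef",
                        "key": ref.get("name"),
                    })
    return findings

# Constructed manifests mirroring the page's examples (dicts, so no YAML parser is needed).
SECRET_ENV_POD = {
    "metadata": {"name": "secret-env-pod"},
    "spec": {"containers": [{"name": "mycontainer", "image": "redis", "env": [
        {"name": "SECRET_USERNAME", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
        {"name": "SECRET_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
    ]}]},
}
ENVFROM_POD = {"metadata": {"name": "envfrom-secret"},
               "spec": {"containers": [{"name": "envars-test-container", "image": "nginx",
                                        "envFrom": [{"secretRef": {"name": "test-secret"}}]}]}}
COMPLIANT_POD = {"metadata": {"name": "secret-env-pod"},
                 "spec": {"containers": [{"name": "mycontainer", "image": "redis"}]}}

if __name__ == "__main__":
    for pod in (SECRET_ENV_POD, ENVFROM_POD, COMPLIANT_POD):
        for f in find_secret_env_refs(pod):
            print(f"IncorrectValue: {f['resource']} {f['path']} key={f['key']}")
```

Running it reports two findings for secret-env-pod, one for envfrom-secret, and none for the compliant Pod.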