Prefer using secrets as files over secrets as environment variables

kubernetes

Classification: compliance

Framework: cis-kubernetes

Control: 5.4.1


Description

Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets.

Rationale

It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs.

Audit

Run the following command to find references to objects which use environment variables defined from secrets:

kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A

Remediation

If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables.
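An added example (not part of the CIS benchmark or of Kubernetes tooling) that covers both the audit and the remediation above: two constructed Pod specs, one injecting a Secret through an environment variable and one mounting the same Secret as a file, plus a check that reports every env var sourced from a Secret. Beyond the page's jsonpath filter on secretKeyRef, it also flags envFrom.secretRef, which imports a whole Secret as env vars; names, namespaces and paths are made up.

```python
"""Audit a Pod spec for secrets injected as environment variables.

Added example; the two manifests are constructed samples, not real workloads.
"""
from typing import Dict, List

# Constructed sample: secret passed as an environment variable (flagged by 5.4.1).
ENV_POD: Dict = {
    "kind": "Pod",
    "metadata": {"name": "api-env", "namespace": "prod"},
    "spec": {"containers": [{
        "name": "api", "image": "example/api:1.0",
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
    }]},
}

# Constructed sample: the same Secret mounted as a read-only file (the remediation).
FILE_POD: Dict = {
    "kind": "Pod",
    "metadata": {"name": "api-file", "namespace": "prod"},
    "spec": {
        "containers": [{
            "name": "api", "image": "example/api:1.0",
            "volumeMounts": [{"name": "db-creds", "mountPath": "/run/secrets/db", "readOnly": True}],
        }],
        "volumes": [{"name": "db-creds", "secret": {"secretName": "db-creds"}}],
    },
}


def env_secret_refs(pod: Dict) -> List[str]:
    """Return 'container/ENV_NAME' for every env var whose value comes from a Secret.

    Mirrors the benchmark's jsonpath filter on secretKeyRef and additionally
    flags envFrom.secretRef, which that filter does not match.
    """
    findings: List[str] = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                findings.append(f"{c['name']}/{env['name']}")
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                findings.append(f"{c['name']}/envFrom:{src['secretRef']['name']}")
    return findings
```

Run the same check over `kubectl get all -A -o json` output by iterating its `items`; workloads with pod templates keep the spec under `spec.template`.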

Impact

Application code which expects to read secrets in the form of environment variables would need modification.

Default value

By default, secrets are not defined.

References

  1. https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets

Note: Mounting secrets as volumes has the additional benefit that secret values can be updated without restarting the pod.

CIS controls

Version 7, 14.4 Encrypt All Sensitive Information in Transit

Version 7, 14.8 Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, to access the information.