Skip to main content

☑️ Prevent use of secrets as environment variables

Kubernetes supports mounting secrets as data volumes or as environment variables.
It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: hard (What does this mean?)

Policy as code identifier: CIS_INVALID_KEY_SECRETKEYREF_SECRETREF


This rule will fail​

If secrets are used as environment variables:

apiVersion: v1
kind: Pod
spec:
containers:
- env:
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password

Rule output in the CLI​

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent use of secrets as environment variables [1 occurrence]
💡 Incorrect key `secretKeyRef`/`secretRef` - mount secrets as files and not as env variables to avoid exposing sensitive data

How to fix this failure​

Mount secrets as files instead:

apiVersion: v1
kind: Pod
spec:
volumes:
- name: secret-volume
secret:
secretName: ssh-key-secret
containers:
- name: ssh-test-container
image: mySshImage
volumeMounts:
- name: secret-volume
readOnly: true
mountPath: "/etc/secret-volume"

Read more​