
☑️ Prevent use of secrets as environment variables

Kubernetes supports exposing Secrets to a container either as data volumes (files) or as environment variables.
It is reasonably common for application code to log its environment (particularly in the event of an error). That dump includes any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity with access to the logs. Environment variables are also inherited by every child process the container spawns and are readable from `/proc/<pid>/environ` by anyone who can exec into the container, so the exposure is not limited to logging. This rule flags both forms of environment injection: a single key via `valueFrom.secretKeyRef` and a whole Secret via `envFrom.secretRef`.

Objects targeted by this rule (by kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: hard

Policy as code identifier: CIS_INVALID_KEY_SECRETKEYREF_SECRETREF


This rule will fail

If a container environment variable is populated from a Secret (a single key via `valueFrom.secretKeyRef`, or a whole Secret via `envFrom.secretRef`):

apiVersion: v1
kind: Pod
metadata:
  name: fail-example
spec:
  containers:
    - name: app
      image: example/app:1.0
      env:
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent use of secrets as environment variables [1 occurrence]
💡 Incorrect key `secretKeyRef`/`secretRef` - mount secrets as files and not as env variables to avoid exposing sensitive data
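To make the rule's scope concrete, here is an added example (not Datree's implementation of the rule) that re-implements the same check in Python: it locates the PodSpec inside each targeted kind (including the doubly nested template of a CronJob), walks init, regular and ephemeral containers, and reports every `env[].valueFrom.secretKeyRef` and `envFrom[].secretRef`. The manifests, names and images in the block are constructed for the example; the `pod_spec` and `find_env_secret_refs` functions are hypothetical helpers, not part of the Datree CLI.

```python
# Added example (not Datree's code): a minimal re-implementation of the
# CIS_INVALID_KEY_SECRETKEYREF_SECRETREF check over parsed Kubernetes manifests.
# Sample manifests below are constructed for this example; names/images are hypothetical.

try:
    import yaml  # PyYAML, optional: only needed by check_yaml_documents()
except ImportError:
    yaml = None

WORKLOAD_KINDS = {"Deployment", "Pod", "DaemonSet", "StatefulSet", "ReplicaSet", "CronJob", "Job"}
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec(manifest):
    """Return the PodSpec inside any targeted kind, or None if the kind is not targeted."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # CronJob -> jobTemplate -> (Job) template -> PodSpec
        job_spec = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job_spec.get("template") or {}).get("spec") or {}
    if kind in WORKLOAD_KINDS:  # Deployment, DaemonSet, StatefulSet, ReplicaSet, Job
        return (spec.get("template") or {}).get("spec") or {}
    return None


def find_env_secret_refs(manifest):
    """One (container, path) tuple per Secret exposed as an environment variable."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    findings = []
    for field in CONTAINER_FIELDS:
        for idx, container in enumerate(spec.get(field) or []):
            cname = container.get("name", f"{field}[{idx}]")
            for env_idx, env in enumerate(container.get("env") or []):
                if "secretKeyRef" in (env.get("valueFrom") or {}):
                    findings.append((cname, f"{field}[{idx}].env[{env_idx}].valueFrom.secretKeyRef"))
            for ef_idx, env_from in enumerate(container.get("envFrom") or []):
                if "secretRef" in env_from:
                    findings.append((cname, f"{field}[{idx}].envFrom[{ef_idx}].secretRef"))
    return findings


def check_yaml_documents(text):
    """Run the check over a multi-document YAML string (requires PyYAML)."""
    if yaml is None:
        raise RuntimeError("PyYAML is required for check_yaml_documents()")
    results = []
    for doc in yaml.safe_load_all(text):
        if isinstance(doc, dict):
            results.extend(find_env_secret_refs(doc))
    return results


FAILING_POD = {  # constructed: mirrors the failing example on this page
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "fail-example"},
    "spec": {"containers": [{
        "name": "app", "image": "example/app:1.0",
        "env": [{"name": "SECRET_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}}],
    }]},
}

FAILING_CRONJOB = {  # constructed: secretKeyRef in an init container plus envFrom.secretRef
    "apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "nightly"},
    "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "initContainers": [{"name": "init", "image": "example/init:1.0",
                            "env": [{"name": "TOKEN", "valueFrom": {
                                "secretKeyRef": {"name": "api", "key": "token"}}}]}],
        "containers": [{"name": "job", "image": "example/job:1.0",
                        "envFrom": [{"secretRef": {"name": "mysecret"}}]}],
        "restartPolicy": "OnFailure",
    }}}}},
}

FIXED_POD = {  # constructed: the same Secret delivered as a read-only volume mount
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "fixed-example"},
    "spec": {
        "volumes": [{"name": "secret-volume", "secret": {"secretName": "mysecret"}}],
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "volumeMounts": [{"name": "secret-volume", "readOnly": True,
                                          "mountPath": "/etc/secret-volume"}]}],
    },
}

if __name__ == "__main__":
    for label, manifest in (("FAILING_POD", FAILING_POD),
                            ("FAILING_CRONJOB", FAILING_CRONJOB),
                            ("FIXED_POD", FIXED_POD)):
        hits = find_env_secret_refs(manifest)
        print(("FAIL" if hits else "PASS"), label, hits)
```

Running the block reports one finding for the Pod, two for the CronJob (the init container is easy to forget when reviewing manifests by eye) and none for the volume-mounted version; `check_yaml_documents()` applies the same logic to a multi-document YAML file when PyYAML is installed.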

How to fix this failure

Mount secrets as files instead:

apiVersion: v1
kind: Pod
metadata:
  name: ssh-test
spec:
  volumes:
    - name: secret-volume
      secret:
        secretName: ssh-key-secret
  containers:
    - name: ssh-test-container
      image: mySshImage
      volumeMounts:
        - name: secret-volume
          readOnly: true
          mountPath: "/etc/secret-volume"

Each key of the Secret appears as a file under the mount path (here `/etc/secret-volume/<key>`), so the application must read the value from that file rather than from its environment. Keep `readOnly: true` so the container cannot modify the projected files. A Secret mounted as a volume (without `subPath`) is refreshed by the kubelet when the Secret object changes, whereas an environment variable is fixed at container start and only changes on restart.
