C-0012 - Applications credentials in configuration files

Framework

WorkloadScan, ClusterScan, security, MITRE, ArmoBest, SOC2, NSA, AllControls

Severity

High

Description of the the issue

Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Azure Security Center. Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer’s endpoint, can steal the stored secrets and use them.Note, this control is configurable. See below the details.

Related resources

ConfigMap, CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Check if the pod has sensitive information in environment variables, by using list of known sensitive key names. Check if there are configmaps with sensitive information.

Remediation

Use Kubernetes secrets or Key Management Systems to store credentials.

Configuration

This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.

Sensitive Values

sensitiveValues
Strings that identify a value that Kubescape believes should be stored in a Secret, and not in a ConfigMap or an environment variable.

Allowed Values

sensitiveValuesAllowed
Reduce false positives with known values.

Sensitive Keys

sensitiveKeyNames
Key names that identify a potential value that should be stored in a Secret, and not in a ConfigMap or an environment variable.

Allowed Keys

sensitiveKeyNamesAllowed
Reduce false positives with known key names.

Example

No example