C-0012 - Applications credentials in configuration files
Framework
ClusterScan, AllControls, ArmoBest, NSA, WorkloadScan, MITRE
Severity
High
Description of the the issue
Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Azure Security Center. Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer’s endpoint, can steal the stored secrets and use them.Note, this control is configurable. See below the details.
Related resources
ConfigMap, CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Check if the pod has sensitive information in environment variables, by using list of known sensitive key names. Check if there are configmaps with sensitive information.
Remediation
Use Kubernetes secrets or Key Management Systems to store credentials.
Configuration
This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.
Values
sensitiveValues
Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. Below you can find some examples of popular value phrases that Kubescape is searching for
Keys
sensitiveKeyNames
Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. Here you can find some examples of popular key phrases that Kubescape is searching for
AllowedValues
sensitiveValuesAllowed
Allowed values
Example
No example
Updated 15 days ago