C-0207 - Prefer using secrets as files over secrets as environment variables

Framework

WorkloadScan, cis-v1.23-t1.0.1, cis-aks-t1.2.0, cis-eks-t1.2.0

Severity

Medium

Description of the the issue

It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Check if pods have secrets in their environment variables

How to check it manually

Run the following command to find references to objects which use environment variables defined from secrets.

kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A

Remediation

If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables.

Impact Statement

Application code which expects to read secrets in the form of environment variables would need modification

Default Value

By default, secrets are not defined

Example

No example