Use secrets as files instead of environment variables
Error: Secrets used as environment variables
Bridgecrew Policy ID: BC_K8S_33
Checkov Check ID: CKV_K8S_35
Severity: LOW
Description
Secrets can be mounted as data volumes or exposed as environment variables and used by a container in a pod to interact with external systems on your behalf. Secrets can also be used by other parts of the system, without being directly exposed to the pod.
Benefits of storing secrets as files include: setting file permissions on the mounted data, projecting specific secret keys to chosen paths, and consuming secret values from volumes rather than from the process environment.
Fix - Buildtime
Kubernetes
- Resource: Container
- Arguments:
  - env:valueFrom:secretKeyRef - uses a secret in an environment variable in a Pod
  - envFrom:secretRef - exposes all of the Secret's data as container environment variables
apiVersion: v1
kind: Pod
metadata:
  name: <pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    env:
    - name: <env name>
      valueFrom:
        secretKeyRef:
          name: <secret key name>
          key: <secret key>

apiVersion: v1
kind: Pod
metadata:
  name: <pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    envFrom:
    - secretRef:
        name: <secret name>
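The two manifests above are the patterns this policy flags. As an added example (not code from the Bridgecrew or Checkov projects), the following Python implements the same idea as a small buildtime check: it walks a Pod manifest that has already been parsed into Python structures (for instance with yaml.safe_load) and reports every container that pulls a Secret into its environment through env[].valueFrom.secretKeyRef or envFrom[].secretRef. Both sample manifests are constructed for this example; the second one shows the recommended alternative, the same Secret projected to a file under a read-only volume mount with a restrictive mode. Checking initContainers alongside containers is this example's assumption, not a statement about how the real check is implemented.

```python
# Added example: a minimal re-implementation of the CKV_K8S_35 idea, run over
# Pod manifests already parsed into Python dicts (e.g. via yaml.safe_load).
# The sample manifests below are constructed for this example.

from typing import Any, Dict, List


def find_env_secret_refs(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per container that exposes a Secret as an environment
    variable, via env[].valueFrom.secretKeyRef or envFrom[].secretRef.
    An empty list means the Pod passes the check."""
    findings: List[str] = []
    spec = pod.get("spec", {}) or {}
    # Assumption of this example: init containers are checked as well, since
    # they receive their environment the same way regular containers do.
    for field in ("containers", "initContainers"):
        for container in spec.get(field, []) or []:
            cname = container.get("name", "<unnamed>")
            for env in container.get("env", []) or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    findings.append(
                        f"{field}/{cname}: env {env.get('name')} uses secretKeyRef "
                        f"{ref.get('name')}/{ref.get('key')}"
                    )
            for env_from in container.get("envFrom", []) or []:
                ref = env_from.get("secretRef")
                if ref:
                    findings.append(
                        f"{field}/{cname}: envFrom exposes all keys of secret "
                        f"{ref.get('name')}"
                    )
    return findings


# Constructed sample: the pattern the policy flags (both argument forms).
VIOLATING_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app-env"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",  # placeholder image name
                "env": [
                    {
                        "name": "DB_PASSWORD",
                        "valueFrom": {
                            "secretKeyRef": {"name": "db-creds", "key": "password"}
                        },
                    }
                ],
                "envFrom": [{"secretRef": {"name": "app-secrets"}}],
            }
        ]
    },
}

# Constructed sample: the same Secret consumed as a file from a volume, which is
# the form the policy recommends. The key is projected to a chosen path and the
# file mode is restricted to owner read-only.
COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app-file"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",  # placeholder image name
                "volumeMounts": [
                    {"name": "db-creds", "mountPath": "/etc/db", "readOnly": True}
                ],
            }
        ],
        "volumes": [
            {
                "name": "db-creds",
                "secret": {
                    "secretName": "db-creds",
                    "defaultMode": 0o400,  # 0400: owner-read-only inside the container
                    "items": [{"key": "password", "path": "password"}],
                },
            }
        ],
    },
}


if __name__ == "__main__":
    for pod in (VIOLATING_POD, COMPLIANT_POD):
        name = pod["metadata"]["name"]
        issues = find_env_secret_refs(pod)
        print(f"{name}: {'FAIL' if issues else 'PASS'}")
        for issue in issues:
            print("  -", issue)
```

Running the block reports two findings for the first Pod (one for the single secretKeyRef variable, one for the envFrom block) and none for the second, whose application reads /etc/db/password from the mounted volume instead of from its environment.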