Ensure that an application uses secrets as files rather than secrets as environment variables

Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets. It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs.

Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.CRY.16
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesPod should not have spec.containers contain-any [ env contain-any [ valueFrom.secretKeyRef ] ] or spec.initContainers contain-any [ env contain-any [ valueFrom.secretKeyRef ] ]

REMEDIATION

If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables.

From Command Line

  1. Rewrite the application to read secrets from mounted files instead of environment variables.
  2. Remove secrets from the 'env' section in the respective deployment files.
  3. Mount a volume to hold the secret details as follows:

     - name: VOLUME_NAME
       secret:
         secretName: SECRET_NAME

  4. Use a volumeMount in the container section to use this volume as follows:

     - mountPath: /MOUNT_PATH
       name: VOLUME_NAME
       readOnly: true

  5. Apply the new deployment.
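The following is an added example, not CloudGuard's or Kubernetes' own code: it implements the GSL condition above in Python over two constructed manifests, the same Deployment before and after the remediation steps, and reports every env entry backed by valueFrom.secretKeyRef in containers and initContainers. As an extension beyond the page's rule, the optional include_env_from flag also reports whole-Secret imports via envFrom.secretRef, which land in the environment the same way. The manifest contents (names, image, secret name, mount path) are assumptions.

```python
import json

# Constructed manifests (not from the page): the same Deployment before and
# after moving the secret from an env var to a mounted, read-only volume.
BEFORE = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "spec": {"template": {"spec": {
   "containers": [{"name": "app", "image": "app:1.0",
     "env": [{"name": "DB_PASSWORD",
              "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}]}]}}}}
""")

AFTER = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "spec": {"template": {"spec": {
   "containers": [{"name": "app", "image": "app:1.0",
     "volumeMounts": [{"name": "db-creds-vol", "mountPath": "/etc/db-creds",
                       "readOnly": true}]}],
   "volumes": [{"name": "db-creds-vol", "secret": {"secretName": "db-creds"}}]}}}}
""")

def pod_spec(manifest: dict) -> dict:
    """A Pod keeps its spec at .spec; Deployments, StatefulSets, DaemonSets
    and Jobs keep the Pod spec at .spec.template.spec."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def env_secret_refs(manifest: dict, include_env_from: bool = False) -> list:
    """Return one '<section>/<container>/<ENV_NAME>' entry per env var whose
    value comes from valueFrom.secretKeyRef, checking both containers and
    initContainers (the condition the GSL logic expresses). With
    include_env_from=True, envFrom.secretRef imports are reported as well
    (an extension beyond the page's rule; same log-exposure risk)."""
    findings = []
    for section in ("containers", "initContainers"):
        for c in pod_spec(manifest).get(section) or []:
            for env in c.get("env") or []:
                if "secretKeyRef" in (env.get("valueFrom") or {}):
                    findings.append(f"{section}/{c['name']}/{env['name']}")
            if include_env_from:
                for src in c.get("envFrom") or []:
                    if "secretRef" in src:
                        findings.append(f"{section}/{c['name']}/envFrom:{src['secretRef']['name']}")
    return findings

if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", AFTER)):
        hits = env_secret_refs(manifest)
        print(f"{label}: {'FAIL ' + ', '.join(hits) if hits else 'PASS'}")
```

Running the script prints a FAIL line naming containers/app/DB_PASSWORD for the first manifest and PASS for the remediated one.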

References

  1. https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets
  2. https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/
  3. https://blog.nillsf.com/index.php/2020/02/24/dont-use-environment-variables-in-kubernetes-to-consume-secrets/

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.4.0
  • OpenShift Container Platform v3