Prefer using secrets as files over secrets as environment variables

Overview

Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets.

Rationale

It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs.

Impact

Application code which expects to read secrets in the form of environment variables would need modification.

Remediation guidance

If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables.

Run the following command to find references to objects which use environment variables defined from secrets.

kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {""}{end}' -A

References

https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets

Multiple Remediation Paths

SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.

ASSET-LEVEL: Fix only the affected resources identified by this control.

PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.

References for Service-Wide Patterns

Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.

Query logic

These are the stored checks tied to this control.

Check if CronJobs templates have secrets in environment variables

Connectors

Kubernetes

Covered asset types

CronJob

Expected check: eq []

{
  cronJobs(
    where: {
      podTemplate: {
        containersTemplates_SOME: {
          env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}

Check if Jobs templates have secrets in environment variables

Connectors

Kubernetes

Covered asset types

Job

Expected check: eq []

{
  jobs(
    where: {
      cronJobName: ""
      podTemplate: {
        containersTemplates_SOME: {
          env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}

Check if DaemonSets templates have secrets in environment variables

Connectors

Kubernetes

Covered asset types

DaemonSet

Expected check: eq []

{
  daemonSets(
    where: {      
      podTemplate: {
        containersTemplates_SOME: {
          env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}

Check if Deployments templates have secrets in environment variables

Connectors

Kubernetes

Covered asset types

Deployment

Expected check: eq []

{
  deployments(
    where: {      
      podTemplate: {
        containersTemplates_SOME: {
          env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}

Check if ReplicaSets templates have secrets in environment variables

Connectors

Kubernetes

Covered asset types

ReplicaSet

Expected check: eq []

{
  replicaSets(
    where: { 
      deploymentName: ""     
      podTemplate: {
        containersTemplates_SOME: {
          env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}

Check if StatefulSets templates have secrets in environment variables

Connectors

Kubernetes

Covered asset types

StatefulSet

Expected check: eq []

{
  statefulSets(
    where: {       
      podTemplate: {
        containersTemplates_SOME: {
          env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}

Prefer using secrets as files over secrets as environment variables

Overview

Remediation guidance

Multiple Remediation Paths

References for Service-Wide Patterns

Query logic

Platform

Use Cases

Industries

Compare

Resources

Company