KubernetesOverview
Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets.
Rationale
It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs.
Impact
Application code which expects to read secrets in the form of environment variables would need modification.
Remediation guidance
If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables.
Run the following command to find references to objects which use environment variables defined from secrets.
kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {""}{end}' -A
References
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Kubernetes
Use admission policies, baseline cluster configuration, GitOps templates, and namespace or workload guardrails so new deployments follow the control by default.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Check if CronJobs templates have secrets in environment variables
Connectors
Covered asset types
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if Jobs templates have secrets in environment variables
Connectors
Covered asset types
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if DaemonSets templates have secrets in environment variables
Connectors
Covered asset types
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if Deployments templates have secrets in environment variables
Connectors
Covered asset types
Expected check: eq []
{
deployments(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if ReplicaSets templates have secrets in environment variables
Connectors
Covered asset types
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if StatefulSets templates have secrets in environment variables
Connectors
Covered asset types
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
