Profile Applicability:

  • Level 1

Description:
 Kubernetes supports the use of Secrets either as environment variables or as files mounted inside containers. This check ensures that secrets are mounted as files, rather than being passed as environment variables, to improve security by reducing the risk of accidental exposure in logs, process listings, and other system outputs.

Rationale:
 Exposing secrets as environment variables can increase the risk of unintentional leakage, as they may appear in process listings, shell history, or logs. Mounting secrets as files provides a more secure way to handle sensitive information, as the secrets are only available to the container and are less likely to be exposed accidentally.

Impact:

  • Pros:

    • Improves security by limiting the exposure of secrets.

    • Secrets are handled as files, which reduces the chances of them being leaked in logs or system outputs.

    • Helps in better separation of concerns by treating secrets like any other file the application needs.

  • Cons:

    • Requires additional configuration to mount secrets as files.

    • May require changes in application code to read secrets from files instead of environment variables.

Default Value:
 By default, Kubernetes allows secrets to be used as environment variables, which is simpler but less secure than using them as files.

Pre-requisites:
 Ensure that Kubernetes Secrets are properly created, and that your application is capable of reading secrets from files mounted inside containers.

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.

  2. Review the Pod configurations and verify that secrets are being mounted as files, rather than set as environment variables.

  3. Ensure that the volume mounts for secrets are properly defined in the Pod specifications.

Using Azure CLI:

  1. List all pods and check how secrets are used by running the following command:

     kubectl get pods --all-namespaces -o=jsonpath='{.items[*].spec.volumes[*].secret.secretName}'

  2. Verify that the secrets are mounted as volumes in the Pod specifications, not passed as environment variables.

  3. Check the environment variables for any use of secrets by running:

     kubectl get pods <pod-name> -o=jsonpath='{.spec.containers[*].env[*].name}'

  4. Ensure that secrets are not being used in the environment variables list.
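The two jsonpath commands above only list names. The following script, added here as an example and not part of this benchmark, applies the same check to the JSON that `kubectl get pods --all-namespaces -o json` returns: it records Secrets mounted through volumes (the compliant pattern) and flags any pod that references a Secret through `env[].valueFrom.secretKeyRef` or `envFrom[].secretRef`. The pod list is a constructed sample, not data from a real cluster.

```python
import json

# Constructed sample shaped like `kubectl get pods --all-namespaces -o json` output (not real cluster data).
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "payments", "name": "api-7d9c"},
     "spec": {"containers": [{"name": "api",
                              "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
                                      {"name": "LOG_LEVEL", "value": "info"}],
                              "envFrom": [{"secretRef": {"name": "api-keys"}}]}]}},
    {"metadata": {"namespace": "payments", "name": "worker-5b1f"},
     "spec": {"containers": [{"name": "worker", "env": [{"name": "LOG_LEVEL", "value": "info"}],
                              "volumeMounts": [{"name": "creds", "mountPath": "/etc/secrets", "readOnly": True}]}],
              "volumes": [{"name": "creds", "secret": {"secretName": "db-creds"}}]}},
]})


def audit_secret_usage(pod_list_json):
    """Map 'namespace/pod' -> {'env': [...], 'files': [...]} describing how each pod consumes Secrets."""
    findings = {}
    for pod in json.loads(pod_list_json).get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        env_refs, file_refs = [], []
        # Secrets mounted as files arrive through volumes of type `secret` (the compliant pattern).
        for vol in spec.get("volumes") or []:
            if "secret" in vol:
                file_refs.append(vol["secret"].get("secretName"))
        # Secrets injected into the environment arrive via env[].valueFrom.secretKeyRef or envFrom[].secretRef;
        # init containers are checked too, since their environment is just as visible in process listings.
        for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
            for e in c.get("env") or []:
                ref = (e.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    env_refs.append(f"{c['name']}:{e['name']} <- {ref['name']}/{ref.get('key')}")
            for ef in c.get("envFrom") or []:
                if "secretRef" in ef:
                    env_refs.append(f"{c['name']}:* <- {ef['secretRef']['name']}")
        findings[f"{meta['namespace']}/{meta['name']}"] = {"env": env_refs, "files": file_refs}
    return findings


def noncompliant_pods(pod_list_json):
    """Names of pods that expose at least one Secret through environment variables."""
    return sorted(name for name, usage in audit_secret_usage(pod_list_json).items() if usage["env"])


if __name__ == "__main__":
    for name, usage in audit_secret_usage(SAMPLE_POD_LIST).items():
        print("FAIL" if usage["env"] else "PASS", name, "env:", usage["env"], "files:", usage["files"])
```

Against a live cluster, replace `SAMPLE_POD_LIST` with the output of `kubectl get pods --all-namespaces -o json`; any pod listed by `noncompliant_pods` fails this check.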

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, go to Kubernetes Services and access the Pod configurations.

  2. Modify the Pod specification to mount secrets as files instead of passing them as environment variables. Here is an example of how to configure secrets as files:

     apiVersion: v1
     kind: Pod
     metadata:
       name: my-pod
     spec:
       containers:
         - name: my-container
           image: my-image
           volumeMounts:
             - name: my-secret-volume
               mountPath: /etc/secrets
               readOnly: true
       volumes:
         - name: my-secret-volume
           secret:
             secretName: my-secret

  3. Ensure that your application is modified to read the secrets from the files under /etc/secrets (one file per Secret key) rather than from environment variables.

Using Azure CLI:

  1. Create a new Pod specification with secrets mounted as files by adding the volumes and volumeMounts sections as shown in the example above.

  2. Apply the configuration using the following command:

     kubectl apply -f pod-spec.yaml


  3. For existing deployments, update the deployment to mount secrets as files:

     kubectl edit deployment <deployment-name> --namespace=<namespace-name>

     Add the volumeMounts and volumes entries for the secret inside the YAML.


Backout Plan:

Using Azure Console:

  1. If mounting secrets as files causes issues, revert the configuration by switching back to using environment variables for secrets in the Azure portal.

Using Azure CLI:

  1. Revert the configuration by editing the deployment or pod specification to use environment variables instead of files:

     kubectl edit deployment <deployment-name> --namespace=<namespace-name>


  2. Remove the volumeMounts and volumes sections from the YAML and use envFrom or env to set the secrets as environment variables.

References:

  1. Kubernetes Secrets Documentation

  2. Azure Kubernetes Service (AKS) Best Practices