5.4.1 Prefer using secrets as files over secrets as environment variables

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets.


It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs.


Application code which expects to read secrets in the form of environment variables would need modification

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables.

Default Value:

By default, application secrets are not defined.

In a default OpenShift 4 cluster, the following platform objects are returned

Pod aws-ebs-csi-driver-controller-699844b6d7-2pl8k

Pod aws-ebs-csi-driver-controller-6dcc794464-gnl6l

Pod aws-ebs-csi-driver-controller-6dcc794464-kkhr9

Deployment aws-ebs-csi-driver-controller

Deployment aws-ebs-csi-driver-controller

ReplicaSet aws-ebs-csi-driver-controller-699844b6d7

ReplicaSet aws-ebs-csi-driver-controller-777d8fbb87

ReplicaSet aws-ebs-csi-driver-controller-658754b8c8

ReplicaSet aws-ebs-csi-driver-controller-6dcc794464

See Also