CNTR-K8-001160 - Secrets in Kubernetes must not be stored as environment variables.

Information

Secrets, such as passwords, keys, tokens, and certificates should not be stored as environment variables. These environment variables are accessible inside Kubernetes by the 'Get Pod' API call, and by any system, such as CI/CD pipeline, which has access to the definition file of the container. Secrets must be mounted from files or stored within password vaults.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Any secrets stored as environment variables must be moved to the secret files with the proper protections and enforcements or placed within a password vault.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R5_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(c), CAT|I, CCI|CCI-000196, Rule-ID|SV-242415r712601_rule, STIG-ID|CNTR-K8-001160, Vuln-ID|V-242415

Plugin: Unix

Control ID: 1150a09fdbe013f3bccdb964092c97b00cc93ed432c2729f6c20e7e694bb75fb