
Secrets in Kubernetes must not be stored as environment variables.


Overview

Finding ID: V-242415
Version: CNTR-K8-001160
Rule ID: SV-242415r879608_rule
IA Controls:
Severity: High
Description
Secrets, such as passwords, keys, tokens, and certificates, should not be stored as environment variables. These environment variables are readable inside Kubernetes through the "Get Pod" API call, and by any system, such as a CI/CD pipeline, that has access to the container's definition file. Secrets must be mounted from files or stored within password vaults.
STIG: Kubernetes Security Technical Implementation Guide
Date: 2023-02-27

Details

Check Text (C-45690r863838_chk)
On the Kubernetes Control Plane, run the following command:
kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A

If any of the values returned reference environment variables, this is a finding.
Fix Text (F-45648r712600_fix)
Any secrets stored as environment variables must be moved to the secret files with the proper protections and enforcements or placed within a password vault.
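The check and fix above, as an added example that is not part of the STIG: a Python scanner over decoded manifests (the .items of `kubectl get all -A -o json`) that reports Secrets injected as environment variables, next to a constructed Pod that applies the fix by mounting the Secret as files. It goes beyond the page's jsonpath filter by also flagging envFrom.secretRef, which `..secretKeyRef` does not match; the workload names and the /run/secrets/db path are constructed.

```python
"""Added example (not part of the STIG): scan decoded Kubernetes manifests, the
.items of `kubectl get all -A -o json`, for Secrets injected as environment
variables.  Beyond the page's check, it also flags envFrom[].secretRef, which
the `..secretKeyRef` jsonpath filter misses.  All manifests are constructed."""

def pod_spec_of(manifest):
    """Locate the pod spec for the kinds `kubectl get all` returns."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    # Deployments/Jobs/etc. nest the pod spec under template; bare Pods do not.
    return spec.get("template", {}).get("spec", spec)

def env_secret_findings(manifest):
    """Return (kind, name, container, detail) for each Secret pulled into env."""
    kind = manifest.get("kind", "?")
    name = manifest.get("metadata", {}).get("name", "?")
    pod = pod_spec_of(manifest)
    findings = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:  # one key of a Secret exposed as one variable
                findings.append((kind, name, c["name"],
                                 f"env {env['name']} <- secret {ref['name']}/{ref['key']}"))
        for src in c.get("envFrom", []):
            ref = src.get("secretRef")
            if ref:  # every key of the Secret becomes a variable
                findings.append((kind, name, c["name"], f"envFrom <- secret {ref['name']}"))
    return findings

def scan(items):
    return [f for m in items for f in env_secret_findings(m)]

# Constructed samples: a non-compliant Deployment, and a Pod applying the fix (Secret as files).
SAMPLE_ITEMS = [
    {"kind": "Deployment", "metadata": {"name": "api"},
     "spec": {"template": {"spec": {"containers": [{"name": "api", "image": "example/api",
      "env": [{"name": "DB_PASSWORD",
               "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}]}]}}}},
    {"kind": "Pod", "metadata": {"name": "worker"},
     "spec": {"containers": [{"name": "worker", "image": "example/worker",
      "volumeMounts": [{"name": "db-creds", "mountPath": "/run/secrets/db", "readOnly": True}]}],
      "volumes": [{"name": "db-creds", "secret": {"secretName": "db-creds"}}]}},
]

if __name__ == "__main__":
    for kind, name, container, detail in scan(SAMPLE_ITEMS):
        print(f"FINDING {kind}/{name} container={container}: {detail}")
```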