Back to catalog

Secret Mounted as Environment Variable

No violationsstackroxhighdeploy

Alert on deployments with Kubernetes secret mounted as environment variable

Rationale
Using secrets in environment variables may allow inspection into your secrets from the host.
Remediation
Migrate your secrets from environment variables to your security team's secret management solution.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
CIS Kubernetes Benchmark v1.8
5.4.1
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.1

Generated artifacts

3 of 5 targets supported
secret-mounted-as-environment-variable.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secret-mounted-as-environment-variable
  annotations:
    policies.kyverno.io/title: Secret Mounted as Environment Variable
    policies.kyverno.io/category: Security Best Practices
    policies.kyverno.io/severity: high
    policies.kyverno.io/description: Alert on deployments with Kubernetes secret mounted as environment variable
    policies.kyverno.io/remediation: Migrate your secrets from environment variables to your security team's secret management solution.
    policies.kyverno.io/rationale: Using secrets in environment variables may allow inspection into your secrets from the host.
    policies.io/source: stackrox
    policies.io/source-id: a788556c-9268-4f30-a114-d456f2380818
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: secret-mounted-as-environment-variable
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "Secret Mounted as Environment Variable" violated: Alert on deployments with Kubernetes secret mounted as environment variable'
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.containers[].env[].name || `[]` }}"
                operator: AnyIn
                value:
                  - SECRET_KEY
IR (canonical)
{
  "id": "a788556c-9268-4f30-a114-d456f2380818",
  "name": "Secret Mounted as Environment Variable",
  "description": "Alert on deployments with Kubernetes secret mounted as environment variable",
  "rationale": "Using secrets in environment variables may allow inspection into your secrets from the host.",
  "remediation": "Migrate your secrets from environment variables to your security team's secret management solution.",
  "severity": "high",
  "categories": [
    "Security Best Practices"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "environment-variable",
    "values": [
      "SECRET_KEY=="
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "a788556c-9268-4f30-a114-d456f2380818",
  "name": "Secret Mounted as Environment Variable",
  "description": "Alert on deployments with Kubernetes secret mounted as environment variable",
  "rationale": "Using secrets in environment variables may allow inspection into your secrets from the host.",
  "remediation": "Migrate your secrets from environment variables to your security team's secret management solution.",
  "disabled": true,
  "categories": [
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Environment Variable",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "SECRET_KEY=="
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}