Environment Variable Contains Secret
No violationsstackroxhighdeployAlert on deployments with environment variables that contain 'SECRET'
- Rationale
- Using secrets in environment variables may allow inspection into your secrets from the host or even through the orchestrator UI.
- Remediation
- Migrate your secrets from environment variables to orchestrator secrets or your security team's secret management solution.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.4.1
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.9
- NIST SP 800-53 rev. 5
- CM-2
- PCI DSS 4.0
- 2.2.1
Generated artifacts
3 of 5 targets supportedenvironment-variable-contains-secret.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: environment-variable-contains-secret
annotations:
policies.kyverno.io/title: Environment Variable Contains Secret
policies.kyverno.io/category: Security Best Practices
policies.kyverno.io/severity: high
policies.kyverno.io/description: Alert on deployments with environment variables that contain 'SECRET'
policies.kyverno.io/remediation: Migrate your secrets from environment variables to orchestrator secrets or your security team's secret management solution.
policies.kyverno.io/rationale: Using secrets in environment variables may allow inspection into your secrets from the host or even through the orchestrator UI.
policies.io/source: stackrox
policies.io/source-id: f4996314-c3d7-4553-803b-b24ce7febe48
spec:
validationFailureAction: Enforce
background: true
rules:
- name: environment-variable-contains-secret
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Policy \"Environment Variable Contains Secret\" violated: Alert on deployments with environment variables that contain 'SECRET'"
deny:
conditions:
all:
- key: "{{ request.object.spec.containers[].env[].name || `[]` }}"
operator: AnyIn
value:
- RAW
exclude:
any:
- resources:
namespaces:
- openshift-storage
- resources:
namespaces:
- openshift-storage
- resources:
namespaces:
- openshift-storage
- resources:
namespaces:
- openshift-ocm-agent-operator
- resources:
namespaces:
- openshift-ingress
- resources:
namespaces:
- openshift-image-registry
- resources:
namespaces:
- openshift-user-workload-monitoring
- resources:
namespaces:
- open-cluster-management
- resources:
namespaces:
- multicluster-engine
IR (canonical)
{
"id": "f4996314-c3d7-4553-803b-b24ce7febe48",
"name": "Environment Variable Contains Secret",
"description": "Alert on deployments with environment variables that contain 'SECRET'",
"rationale": "Using secrets in environment variables may allow inspection into your secrets from the host or even through the orchestrator UI.",
"remediation": "Migrate your secrets from environment variables to orchestrator secrets or your security team's secret management solution.",
"severity": "high",
"categories": [
"Security Best Practices"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "noobaa-core",
"namespace": "openshift-storage"
},
{
"name": "noobaa-endpoint",
"namespace": "openshift-storage"
},
{
"name": "ocs-operator",
"namespace": "openshift-storage"
},
{
"name": "ocm-agent",
"namespace": "openshift-ocm-agent-operator"
},
{
"name": "router-default",
"namespace": "openshift-ingress"
},
{
"name": "image-registry",
"namespace": "openshift-image-registry"
},
{
"name": "thanos-ruler-user-workload",
"namespace": "openshift-user-workload-monitoring"
},
{
"name": "klusterlet-addon-controller-v2",
"namespace": "open-cluster-management"
},
{
"name": "managedcluster-import-controller-v2",
"namespace": "multicluster-engine"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "environment-variable",
"values": [
"RAW=.*SECRET.*|.*PASSWORD.*="
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "f4996314-c3d7-4553-803b-b24ce7febe48",
"name": "Environment Variable Contains Secret",
"description": "Alert on deployments with environment variables that contain 'SECRET'",
"rationale": "Using secrets in environment variables may allow inspection into your secrets from the host or even through the orchestrator UI.",
"remediation": "Migrate your secrets from environment variables to orchestrator secrets or your security team's secret management solution.",
"disabled": false,
"categories": [
"Security Best Practices"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on deployment noobaa-core in namespace openshift-storage",
"deployment": {
"name": "noobaa-core",
"scope": {
"cluster": "",
"namespace": "openshift-storage",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment noobaa-endpoint in namespace openshift-storage",
"deployment": {
"name": "noobaa-endpoint",
"scope": {
"cluster": "",
"namespace": "openshift-storage",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment ocs-operator in namespace openshift-storage",
"deployment": {
"name": "ocs-operator",
"scope": {
"cluster": "",
"namespace": "openshift-storage",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment ocm-agent in openshift-ocm-agent-operator namespace",
"deployment": {
"name": "ocm-agent",
"scope": {
"cluster": "",
"namespace": "openshift-ocm-agent-operator",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on router-default in openshift-ingress namespace",
"deployment": {
"name": "router-default",
"scope": {
"cluster": "",
"namespace": "openshift-ingress",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on image-registry in openshift-image-registry namespace",
"deployment": {
"name": "image-registry",
"scope": {
"cluster": "",
"namespace": "openshift-image-registry",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on thanos-ruler-user-workload in openshift-user-workload-monitoring namespace",
"deployment": {
"name": "thanos-ruler-user-workload",
"scope": {
"cluster": "",
"namespace": "openshift-user-workload-monitoring",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on klusterlet-addon-controller-v2 in namespace open-cluster-management",
"deployment": {
"name": "klusterlet-addon-controller-v2",
"scope": {
"cluster": "",
"namespace": "open-cluster-management",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on managedcluster-import-controller-v2 in namespace multicluster-engine",
"deployment": {
"name": "managedcluster-import-controller-v2",
"scope": {
"cluster": "",
"namespace": "multicluster-engine",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Environment Variable",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "RAW=.*SECRET.*|.*PASSWORD.*="
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}