Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Azure Security Center. Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer’s endpoint, can steal the stored secrets and use them.
Create a pod that has a sensitive environment variable configured:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: postgres-db-pod
spec:
  containers:
  - image: postgres
    name: postgres-db-pod
    env:
    - name: POSTGRES_PASSWORD
      value: "mysecretpassword"
```
With a configuration like this, anyone who can read the pod object can see the sensitive value set in the POSTGRES_PASSWORD environment variable:
```
$ kubectl describe pod postgres-db-pod
Name:         postgres-db-pod
Namespace:    default
...
Containers:
  postgres-db-pod:
    Container ID:   containerd://e8644ea896bde6b8bb7df5f778df4badfc00d4c1d2f0fa76d52877a4221b7663
    Image:          postgres
    ...
    Environment:
      POSTGRES_PASSWORD:  mysecretpassword
...
```
Using Kubernetes Secrets instead (you can still make them available as environment variables in the pod) mitigates this specific attack technique/scenario.
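One way to audit a cluster for this pattern, as an added example that is not part of the original text: a script that walks the JSON returned by `kubectl get pods -A -o json` (here replaced by a constructed sample) and flags env entries that set a credential-looking name to a literal value, while entries wired through `valueFrom.secretKeyRef` pass. The list of sensitive-looking names is an assumption, not a Kubernetes convention.

```python
"""Audit pod specs for plaintext secrets in environment variables.

Added example, not from the original page. Input is the JSON shape of
`kubectl get pods -A -o json`; the SAMPLE below is constructed.
"""
import json
import re

# Heuristic (assumption): env var names that usually carry credentials.
SENSITIVE_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)


def find_plaintext_secrets(pod_list):
    """Return (namespace, pod, container, env_name) for every env var that
    sets a sensitive-looking name to a literal `value`."""
    findings = []
    for pod in pod_list.get("items", []):
        ns = pod["metadata"].get("namespace", "default")
        name = pod["metadata"]["name"]
        spec = pod["spec"]
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            for env in c.get("env", []):
                # A literal `value` lives in the pod object and is readable by
                # anyone who can describe the pod. `valueFrom.secretKeyRef`
                # keeps the material in a Secret object instead, so it passes.
                if "value" in env and SENSITIVE_NAME.search(env["name"]):
                    findings.append((ns, name, c["name"], env["name"]))
    return findings


# Constructed sample: the weak pod from the text beside a fixed variant.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "postgres-db-pod", "namespace": "default"},
  "spec": {"containers": [{"name": "postgres-db-pod", "image": "postgres",
    "env": [{"name": "POSTGRES_PASSWORD", "value": "mysecretpassword"}]}]}},
 {"metadata": {"name": "postgres-db-fixed", "namespace": "default"},
  "spec": {"containers": [{"name": "postgres", "image": "postgres",
    "env": [{"name": "POSTGRES_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "pg-creds", "key": "password"}}},
            {"name": "PGDATA", "value": "/var/lib/postgresql/data"}]}]}}
]}""")

if __name__ == "__main__":
    for ns, pod, ctr, var in find_plaintext_secrets(SAMPLE):
        print(f"{ns}/{pod} container={ctr}: {var} is set as a literal value")
```

Moving the value into a Secret only helps if RBAC on Secrets is tighter than on pods: anyone who can read the Secret object still sees the value.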