Check: CNTR-K8-001160
Kubernetes STIG:
CNTR-K8-001160
(in versions v2 r2 through v1 r7)
Title
Secrets in Kubernetes must not be stored as environment variables. (Cat I impact)
Discussion
Secrets, such as passwords, keys, tokens, and certificates, should not be stored as environment variables. These environment variables are accessible inside Kubernetes through the "Get Pod" API call, and by any system, such as a CI/CD pipeline, that has access to the container's definition file. Secrets must be mounted from files or stored within password vaults.
Check Content
On the Kubernetes Control Plane, run the following command:

kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A

If any of the values returned reference environment variables, this is a finding.
Fix Text
Any secrets stored as environment variables must be moved to the secret files with the proper protections and enforcements or placed within a password vault.
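The check above lists workloads whose specs contain a secretKeyRef; the fix moves those secrets to mounted files. The following script is an added example (not part of the STIG) that performs the same audit offline over a constructed sample of the JSON that `kubectl get all -A -o json` would return: one Pod that injects secrets as environment variables, one Deployment that does so in an initContainer, and one Pod that already mounts the Secret as a file. It goes one step beyond the STIG's jsonpath by also flagging `envFrom[].secretRef`, which injects every key of a Secret as an environment variable and would otherwise be missed. All resource names and namespaces in the sample are constructed.

```python
"""Audit Kubernetes workloads for Secrets injected as environment variables.

Added example for CNTR-K8-001160; not the STIG's own code. Walks a resource
list (constructed below in the shape of `kubectl get all -A -o json`) and
reports each container env var that is sourced from a Secret, whether through
env[].valueFrom.secretKeyRef or through envFrom[].secretRef.
"""
import json

# Constructed sample (names and namespaces are made up) in the shape of
# `kubectl get all -A -o json`.
SAMPLE_LIST = {
    "kind": "List",
    "items": [
        {   # Finding: secret injected both per key (env) and wholesale (envFrom)
            "kind": "Pod",
            "metadata": {"name": "web-bad", "namespace": "shop"},
            "spec": {"containers": [{
                "name": "app",
                "env": [
                    {"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
                    {"name": "LOG_LEVEL", "value": "info"},
                ],
                "envFrom": [{"secretRef": {"name": "api-keys"}}],
            }]},
        },
        {   # Finding: Deployment whose Pod template uses a secret in an initContainer
            "kind": "Deployment",
            "metadata": {"name": "worker", "namespace": "jobs"},
            "spec": {"template": {"spec": {
                "containers": [{"name": "worker", "env": [{"name": "QUEUE", "value": "main"}]}],
                "initContainers": [{
                    "name": "init-migrate",
                    "env": [{"name": "DB_PASSWORD",
                             "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
                }],
            }}},
        },
        {   # Compliant: the Secret is mounted read-only as files under /etc/secrets
            "kind": "Pod",
            "metadata": {"name": "web-good", "namespace": "shop"},
            "spec": {
                "containers": [{
                    "name": "app",
                    "env": [{"name": "LOG_LEVEL", "value": "info"}],
                    "volumeMounts": [{"name": "db-creds", "mountPath": "/etc/secrets", "readOnly": True}],
                }],
                "volumes": [{"name": "db-creds", "secret": {"secretName": "db-creds"}}],
            },
        },
    ],
}


def pod_spec_of(item):
    """Return the Pod spec of a Pod, or of a workload that embeds a Pod template."""
    spec = item.get("spec", {})
    if item.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def secret_env_findings(resource_list):
    """Return (kind, namespace, name, container, env_var, secret) per Secret-backed env var.

    env_var is "*" when envFrom.secretRef exposes every key of the Secret.
    """
    findings = []
    for item in resource_list.get("items", []):
        meta = item.get("metadata", {})
        ident = (item.get("kind"), meta.get("namespace"), meta.get("name"))
        spec = pod_spec_of(item)
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            for env in container.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    findings.append((*ident, container["name"], env["name"], ref["name"]))
            for src in container.get("envFrom", []):
                ref = src.get("secretRef")
                if ref:
                    findings.append((*ident, container["name"], "*", ref["name"]))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LIST with json.load(open("all.json")) after
    # `kubectl get all -A -o json > all.json` to audit a real cluster.
    for kind, ns, name, ctr, var, secret in secret_env_findings(SAMPLE_LIST):
        print(f"FINDING {kind} {ns}/{name} container={ctr} env={var} secret={secret}")
```

A non-empty result is a finding under this check; the compliant Pod, which consumes the same Secret through a volume mount, produces no entry.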
Additional Identifiers
Rule ID: SV-242415r1015300_rule
Vulnerability ID: V-242415
Group Title: SRG-APP-000171-CTR-000435
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000196 | The information system, for password-based authentication, stores only cryptographically-protected passwords. |
CCI-004062 | For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash. |
Controls
Number | Title |
---|---|
IA-5(1) | Password-based Authentication |