Lateral movement

Controller creating containers with secrets as environment variables

Risk Level

Informational (4)

  • N/A

Compliance Frameworks


Kubernetes supports mounting secrets as data volumes or as environment variables. It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs. Orca has detected that the controller {K8sController} creates containers that use secrets mounted as environment variables.
  • Recommended Mitigation

    Rewrite application code to read secrets from mounted secret files, rather than from environment variables, and change the mounting method of the secret.