Scenario #216
Security
K8s v1.19, AWS EKS
Exposure of Sensitive Data in Container Environment Variables
Sensitive data, such as database credentials, was exposed through environment variables in container configurations.
What Happened
Sensitive environment variables containing credentials were directly included in Kubernetes deployment YAML files, making them visible to anyone with access to the deployment.
Diagnosis Steps
1. Examined the deployment manifests and discovered sensitive data in the environment variables section.
2. Used `kubectl describe deployment` and found that credentials were stored in plain text in the environment section of the containers.
Root Cause
Storing sensitive data in plaintext environment variables exposed it to anyone who could read the deployment manifest or describe the running deployment.
Fix/Workaround
• Moved sensitive data into Kubernetes Secrets instead of directly embedding them in environment variables.
• Updated the deployment YAML to reference the Secrets and applied the changes.
Lessons Learned
Sensitive data should always be stored securely in Kubernetes Secrets or external secret management systems.
How to Avoid
1. Use Kubernetes Secrets for storing sensitive data like passwords, API keys, and certificates.
2. Regularly audit configurations to ensure secrets are not exposed in plain text.
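An added example (not part of the original scenario) that covers both the fix and the audit step above: it scans a deployment for credential-looking environment variables with literal values, then rewrites them as `secretKeyRef` references and emits the matching Secret. It assumes the deployment is supplied as the JSON that `kubectl get deployment <name> -o json` produces; the name pattern and the sample manifest are constructed for this example.

```python
import copy
import json
import re
import sys

# Env var names that usually carry credentials (pattern chosen for this example).
SENSITIVE_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.IGNORECASE)


def find_plaintext_secrets(deployment: dict) -> list[tuple[str, str]]:
    """Return (container, env name) pairs whose value is a literal, not a valueFrom reference."""
    hits = []
    for c in deployment["spec"]["template"]["spec"].get("containers", []):
        for env in c.get("env", []):
            if "value" in env and SENSITIVE_NAME.search(env["name"]):
                hits.append((c["name"], env["name"]))
    return hits


def move_to_secret(deployment: dict, secret_name: str) -> tuple[dict, dict]:
    """Return a patched copy of the deployment plus the Secret that now holds the literal values."""
    patched = copy.deepcopy(deployment)
    secret = {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        # The Secret must live in the same namespace as the Pods that reference it.
        "metadata": {"name": secret_name, "namespace": patched["metadata"].get("namespace", "default")},
        "stringData": {},
    }
    for c in patched["spec"]["template"]["spec"].get("containers", []):
        for env in c.get("env", []):
            if "value" in env and SENSITIVE_NAME.search(env["name"]):
                secret["stringData"][env["name"]] = env.pop("value")
                env["valueFrom"] = {"secretKeyRef": {"name": secret_name, "key": env["name"]}}
    return patched, secret


# Constructed sample resembling the incident: credentials inline in the env section.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api", "image": "example/api:1.0",
        "env": [
            {"name": "DB_HOST", "value": "db.internal"},
            {"name": "DB_PASSWORD", "value": "hunter2"},
            {"name": "API_TOKEN", "value": "abc123"},
        ]}]}}},
}

if __name__ == "__main__":
    # Usage: kubectl get deployment api -o json | python audit_env.py
    dep = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DEPLOYMENT
    print("plaintext credentials:", find_plaintext_secrets(dep))
    fixed, secret = move_to_secret(dep, f"{dep['metadata']['name']}-credentials")
    print(json.dumps([secret, fixed], indent=2))
```

The emitted Secret only base64-encodes the values, so apply it with RBAC that limits `get`/`list` on Secrets and enable encryption at rest (or an external secret manager) as the Lessons Learned section recommends.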