Scenario #224
Security
K8s v1.21, AWS EKS
Exposing Sensitive Secrets in Environment Variables
Sensitive credentials were stored in environment variables within the pod specification, exposing them to potential attackers.
What Happened
Sensitive data such as database passwords and API keys were stored as environment variables in plain text within Kubernetes pod specifications, making them accessible to anyone who had access to the pod's configuration.
Diagnosis Steps
1. Examined the pod specification files and found that sensitive credentials were stored as environment variables in plaintext.
2. Verified that no secrets management solution like Kubernetes Secrets was being used to handle sensitive data.
Root Cause
Sensitive data was stored insecurely in environment variables rather than using Kubernetes Secrets or an external secrets management solution.
Fix/Workaround
• Moved sensitive data to Kubernetes Secrets and updated the pod configurations to reference the secrets.
• Ensured that secrets were encrypted and only accessible by the relevant services.
Lessons Learned
Always store sensitive data securely using Kubernetes Secrets or an external secrets management solution, and avoid embedding it in plain text.
How to Avoid
1. Use Kubernetes Secrets to store sensitive data and reference them in your deployments.
2. Regularly audit your configuration files to ensure sensitive data is not exposed in plaintext.
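The audit in step 2 above and the fix described under Fix/Workaround (moving literal values into a Secret and pointing the pod at it with `secretKeyRef`) can both be scripted. The following is an added example written for this page, not tooling from the scenario: it works on the dict form of a manifest (what a YAML loader returns), the sample pod and its values are constructed, the `SENSITIVE_NAME` pattern and the secret name `billing-api-credentials` are assumptions you would tune for your own environment.

```python
import base64
import copy
import re

# Heuristic for env var names that usually carry credentials (an assumption; tune it for your org).
SENSITIVE_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API[_-]?KEY|PRIVATE[_-]?KEY", re.IGNORECASE)

# Constructed sample manifest (dict form of the YAML a pod spec would contain), not from the scenario.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "billing-api", "namespace": "payments"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example.invalid/billing-api:1.0",
                "env": [
                    {"name": "LOG_LEVEL", "value": "info"},
                    {"name": "DB_PASSWORD", "value": "hunter2-example"},
                    {"name": "API_KEY", "value": "sk-example-not-real"},
                ],
            }
        ]
    },
}


def pod_containers(manifest):
    """Yield every container (init and regular) from a Pod or from a workload with a pod template."""
    spec = manifest.get("spec", {})
    if "template" in spec:  # Deployment, StatefulSet, Job, ...
        spec = spec["template"].get("spec", {})
    for key in ("initContainers", "containers"):
        yield from spec.get(key, [])


def find_plaintext_secrets(manifest):
    """Audit step: (container, env name) pairs where a sensitive-looking env var has a literal value."""
    findings = []
    for container in pod_containers(manifest):
        for env in container.get("env", []):
            if "value" in env and SENSITIVE_NAME.search(env["name"]):
                findings.append((container["name"], env["name"]))
    return findings


def migrate_env_to_secret(manifest, secret_name):
    """Fix step: move flagged literal values into a Secret and rewrite the env entries as secretKeyRef."""
    manifest = copy.deepcopy(manifest)
    data = {}
    for container in pod_containers(manifest):
        for env in container.get("env", []):
            if "value" in env and SENSITIVE_NAME.search(env["name"]):
                key = env["name"].lower().replace("_", "-")
                # Secret .data holds base64 of the raw bytes; base64 is encoding, not encryption.
                data[key] = base64.b64encode(env.pop("value").encode()).decode()
                env["valueFrom"] = {"secretKeyRef": {"name": secret_name, "key": key}}
    secret = {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": secret_name, "namespace": manifest["metadata"].get("namespace", "default")},
        "data": data,
    }
    return manifest, secret


def read_secret_value(secret, key):
    """Decode one key of a Secret manifest back to its plaintext (what the container will see)."""
    return base64.b64decode(secret["data"][key]).decode()


if __name__ == "__main__":
    print("before:", find_plaintext_secrets(SAMPLE_POD))
    fixed_pod, secret = migrate_env_to_secret(SAMPLE_POD, "billing-api-credentials")
    print("after:", find_plaintext_secrets(fixed_pod))
    print("secret keys:", sorted(secret["data"]))
```

Two points about the generated Secret matter for the "ensured that secrets were encrypted" part of the fix: the `data` field is only base64-encoded, so anyone with RBAC permission to `get secrets` in the namespace reads the value directly, and encryption of Secrets at rest in etcd is a separate cluster setting (on EKS, KMS envelope encryption enabled on the cluster). The migrated value also still lands in the container's process environment, so it remains visible to anyone who can exec into the pod; mounting the Secret as a volume instead of an env var narrows that somewhat.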