Scenario #232
Security
K8s v1.21, On-Premise

Cluster Secrets Exposed Due to Insecure Mounting

Kubernetes secrets were mounted into pods insecurely, exposing sensitive information to unauthorized users.

What Happened

Secrets were mounted directly into the filesystem of pods, making them accessible to anyone with access to the pod's filesystem, including attackers who compromised the pod.

Diagnosis Steps
  1. Inspected pod configurations and found that secrets were mounted in plain text into the pod's filesystem.
  2. Verified that no access control policies were in place for secret access.
Root Cause

Secrets were mounted without sufficient access control, allowing them to be exposed in the pod filesystem.

Fix/Workaround
• Moved secrets to Kubernetes Secrets and mounted them using environment variables instead of directly into the filesystem.
• Restricted access to secrets using RBAC and implemented encryption for sensitive data.
Lessons Learned

Always use Kubernetes Secrets for sensitive information and ensure proper access control.

How to Avoid
  1. Mount secrets as environment variables rather than directly into the filesystem.
  2. Use encryption and access controls to limit exposure of sensitive data.
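The following manifests are an added example, not part of the original scenario write-up: the insecure whole-Secret volume mount described under "What Happened" beside the corrected pod that injects only the one key it needs as an environment variable, plus a Role and RoleBinding that limit reads to that single Secret. The `payments` namespace, the `app-secrets` Secret and its `db-password` key, the image, and the bound user are all placeholders.

```yaml
# Before (what the scenario describes): the whole Secret is projected as files under
# /etc/secrets, readable by any process in the pod or anyone who can exec into it.
apiVersion: v1
kind: Pod
metadata: {name: api-before, namespace: payments}
spec:
  containers:
    - name: api
      image: registry.example.com/api:1.0   # placeholder image
      volumeMounts:
        - {name: secrets, mountPath: /etc/secrets}
  volumes:
    - name: secrets
      secret: {secretName: app-secrets}      # every key in the Secret lands on disk
---
# After: only the one key the container needs is injected, as an environment variable,
# and the pod stops auto-mounting a ServiceAccount token it has no use for.
apiVersion: v1
kind: Pod
metadata: {name: api-after, namespace: payments}
spec:
  automountServiceAccountToken: false
  containers:
    - name: api
      image: registry.example.com/api:1.0   # placeholder image
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef: {name: app-secrets, key: db-password}
---
# RBAC: the bound subject may read this one Secret and nothing else in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: read-app-secrets, namespace: payments}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["app-secrets"]   # scoped to the single Secret by name
    verbs: ["get"]                   # no list/watch, so other Secrets are not enumerable
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: operator-reads-app-secrets, namespace: payments}
subjects:
  - {kind: User, name: payments-operator@example.com}   # placeholder identity
roleRef: {kind: Role, name: read-app-secrets, apiGroup: rbac.authorization.k8s.io}
```

Environment variables are still visible to processes inside the pod (and can leak into crash dumps or verbose logs), so the RBAC scoping is what actually limits who can read the Secret, not the injection method alone. Encryption of Secrets at rest is configured separately on the API server via an EncryptionConfiguration file passed with `--encryption-provider-config` and is not shown here.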