
[Enhancement] Do not store Kubernetes secrets as environment variables #727

Open
AleksandarSavchev opened this issue Apr 16, 2024 · 0 comments
Labels: kind/enhancement (Enhancement, improvement, extension)

Comments

@AleksandarSavchev (Contributor)

Enhancement (What you would like to be added):
Kubernetes secrets should not be stored as environment variables. Currently, storageAPIEndpoint is used as an environment variable in the backup-restore container of etcd-main (ref).

Motivation (Why is this needed?):
Gardener aims to comply with DISA K8s STIGs. This issue is in sync with rule 242415.

Approach/Hint to implement the solution (optional):
Specifically for the case of storageAPIEndpoint, it can be stored in a ConfigMap, since it is not sensitive information. If it needs to stay in the etcd-backup secret, it can be read from a mounted file. The secret is already mounted in backup-restore for the use of serviceaccount.json (ref).

For other cases a similar approach can be used or if possible a case specific one.
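The two patterns the issue contrasts, as an added example (these are not etcd-druid's or Gardener's own manifests). The pod, container, ConfigMap and mount-path names, the placeholder image and the endpoint value are assumptions; the first pod shows the environment-variable pattern the issue wants removed, the second shows the ConfigMap plus file-mount approach it proposes, and the secret volume also covers the case where the value must remain in the etcd-backup secret.

```yaml
# Added example, not the project's manifests. Names such as etcd-backup,
# backup-restore and /var/etcd/backup are assumptions.
---
# BEFORE: the value is injected from the Secret as an environment variable.
# The process environment is visible to `kubectl describe pod`, to crash
# dumps and to every child process, which is why DISA K8s STIG rule 242415
# forbids sourcing secrets this way.
apiVersion: v1
kind: Pod
metadata:
  name: etcd-main-before            # constructed name
spec:
  containers:
    - name: backup-restore
      image: example.invalid/backup-restore:latest   # placeholder image
      env:
        - name: STORAGE_API_ENDPOINT
          valueFrom:
            secretKeyRef:
              name: etcd-backup
              key: storageAPIEndpoint
---
# AFTER: the non-sensitive endpoint lives in a ConfigMap; the credentials
# stay in the Secret. Both are mounted as read-only files, never as env.
apiVersion: v1
kind: ConfigMap
metadata:
  name: etcd-backup-config          # constructed name
data:
  storageAPIEndpoint: "https://storage.example.invalid"   # placeholder value
---
apiVersion: v1
kind: Pod
metadata:
  name: etcd-main-after             # constructed name
spec:
  containers:
    - name: backup-restore
      image: example.invalid/backup-restore:latest   # placeholder image
      # No env entries sourced from Secrets. At startup the container reads
      #   /var/etcd/backup/config/storageAPIEndpoint   (from the ConfigMap)
      #   /var/etcd/backup/secret/serviceaccount.json  (from the Secret)
      # If storageAPIEndpoint must stay in the Secret instead, it appears as
      #   /var/etcd/backup/secret/storageAPIEndpoint
      # through the same secret volume and is read the same way.
      volumeMounts:
        - name: backup-config
          mountPath: /var/etcd/backup/config
          readOnly: true
        - name: backup-secret
          mountPath: /var/etcd/backup/secret
          readOnly: true
  volumes:
    - name: backup-config
      configMap:
        name: etcd-backup-config
    - name: backup-secret
      secret:
        secretName: etcd-backup
        defaultMode: 0400           # owner-read only inside the container
```

To find containers in a cluster that still source environment variables from Secrets (both `env[].valueFrom.secretKeyRef` and `envFrom[].secretRef`), a one-off check with kubectl and jq looks like `kubectl get pods -A -o json | jq -r '.items[] | (.metadata.namespace + "/" + .metadata.name) as $pod | .spec.containers[] | select(any(.env[]?; .valueFrom.secretKeyRef != null) or any(.envFrom[]?; .secretRef != null)) | "\($pod) \(.name)"'`; it prints one `namespace/pod container` line per offending container and nothing when the cluster is clean.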

@AleksandarSavchev AleksandarSavchev added the kind/enhancement Enhancement, improvement, extension label Apr 16, 2024
@shreyas-s-rao shreyas-s-rao added this to the v0.30.0 milestone Apr 20, 2024
@shreyas-s-rao shreyas-s-rao self-assigned this Apr 25, 2024