Enhancement (What you would like to be added):
Kubernetes secrets should not be stored as environment variables. Currently storageAPIEndpoint is used as an env variable in the backup-restore container of etcd-main (ref).
Motivation (Why is this needed?):
Gardener aims to comply with DISA K8s STIGs. This issue is in sync with rule 242415.
Approach/Hint to the implement solution (optional):
Specifically for the case of storageAPIEndpoint, it can be stored in a ConfigMap, since it is not sensitive information. If it needs to stay in the etcd-backup secret, it can be read from a mounted file. The secret is already mounted in backup-restore for the use of serviceaccount.json (ref).
For other cases a similar approach can be used or, if possible, a case-specific one.
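
An audit check for the pattern this issue describes, as an added example that is not part of the original issue or of Gardener's code: it lists containers whose environment is populated from a Secret and, where that Secret is already mounted in the same container, the file the value could be read from instead. The manifest is constructed; the env var names, the mount path and the ConfigMap name are assumptions.

```python
import json

# Constructed manifest. etcd-main, backup-restore, etcd-backup and
# storageAPIEndpoint are from the issue; the env var names, the mount path
# and the ConfigMap name are assumptions made for this example.
SAMPLE = json.loads("""
{"kind": "StatefulSet", "metadata": {"name": "etcd-main"},
 "spec": {"template": {"spec": {
   "containers": [{"name": "backup-restore",
     "env": [
       {"name": "STORAGE_API_ENDPOINT", "valueFrom": {"secretKeyRef":
          {"name": "etcd-backup", "key": "storageAPIEndpoint"}}},
       {"name": "LOG_LEVEL", "valueFrom": {"configMapKeyRef":
          {"name": "example-config", "key": "logLevel"}}}],
     "volumeMounts": [{"name": "backup-cred", "mountPath": "/var/example-backup"}]}],
   "volumes": [{"name": "backup-cred", "secret": {"secretName": "etcd-backup"}}]
 }}}}
""")

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload that has a pod template."""
    spec = obj.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def secret_env_findings(obj):
    """Report secret-backed env vars and, if the same secret is already
    mounted in that container, the file the value could be read from."""
    spec = pod_spec(obj)
    secret_vols = {v["name"]: v["secret"]["secretName"]
                   for v in spec.get("volumes", []) if "secret" in v}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        mounts = {secret_vols[m["name"]]: m["mountPath"]
                  for m in c.get("volumeMounts", []) if m["name"] in secret_vols}
        refs = [(e["name"], e["valueFrom"]["secretKeyRef"])
                for e in c.get("env", [])
                if "secretKeyRef" in (e.get("valueFrom") or {})]
        # envFrom imports every key of the secret, so there is no single key.
        refs += [("*", {"name": s["secretRef"]["name"], "key": "*"})
                 for s in c.get("envFrom", []) if "secretRef" in s]
        for env_name, ref in refs:
            path = mounts.get(ref["name"])
            file = f"{path}/{ref['key']}" if path and ref["key"] != "*" else None
            findings.append({"container": c["name"], "env": env_name,
                             "secret": ref["name"], "key": ref["key"], "file": file})
    return findings

if __name__ == "__main__":
    print(json.dumps(secret_env_findings(SAMPLE), indent=2))
```

The same function accepts the JSON of a Pod or of any workload with a pod template, for example the output of `kubectl get statefulset etcd-main -o json`.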