Exposure of Kubernetes secrets via insecure secretKeyRef usage #1245

@zyue110026

Description

Describe the bug
We observed that your manifest exposes Kubernetes secrets directly in environment variable declarations or volume mounts using secretKeyRef and secret fields without proper restrictions. This practice is considered insecure and may lead to unintentional leakage of sensitive data such as credentials or API tokens.
We provide supporting evidence from https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-12/gain-environment-information-in-kubernetes-cluster which highlights insecure secret management as a common misconfiguration leading to Credential Access vulnerabilities.

This pattern makes secrets easily accessible to any process running within the container, and does not provide mechanisms like auditing, expiration, or access controls beyond basic RBAC. If multiple containers share a pod, any of them can access the same environment variables or mounted secret volumes.

```yaml
secretKeyRef:
  name: argocd-image-updater-secret
  key: argocd.token
  optional: true
```

```yaml
secretKeyRef:
  name: argocd-image-updater-secret
  key: webhook.docker-secret
  optional: true
```

```yaml
secretKeyRef:
  name: argocd-image-updater-secret
  key: webhook.ghcr-secret
  optional: true
```

```yaml
secretKeyRef:
  name: argocd-image-updater-secret
  key: webhook.harbor-secret
  optional: true
```

Expected behavior
Secrets should be stored securely, injected on-demand, and rotated regularly. Only explicitly authorized containers should be able to access secrets, with strict privilege separation enforced.

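To check how widely the pattern described in this issue occurs, the following audit script (added here as an example; it is not code from the issue or from the argocd-image-updater project) walks Kubernetes workload objects in the JSON shape returned by `kubectl get deployments,statefulsets,pods -o json` and lists every place a Secret is wired into a container: `env[].valueFrom.secretKeyRef`, `envFrom[].secretRef`, and `volumes[].secret`. The embedded `SAMPLE` object, the `ARGOCD_TOKEN` variable name and the `example-tls` volume are constructed for the demonstration and only mirror the `argocd.token` reference quoted above.

```python
import json
import sys

# Constructed sample in the shape of the manifest quoted in the issue
# (not the project's real manifest): one env var and one volume wired to Secrets.
SAMPLE = {
    "kind": "Deployment", "metadata": {"name": "argocd-image-updater"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "argocd-image-updater",
            "env": [{"name": "ARGOCD_TOKEN", "valueFrom": {"secretKeyRef": {
                "name": "argocd-image-updater-secret", "key": "argocd.token", "optional": True}}}],
            "volumeMounts": [{"name": "example-tls", "mountPath": "/app/tls"}]}],
        "volumes": [{"name": "example-tls", "secret": {"secretName": "example-tls-secret"}}]}}}}

def pod_spec(obj):
    """PodSpec of a Pod, or the pod template's spec of a Deployment/StatefulSet/Job."""
    spec = obj.get("spec", {})
    return spec if obj.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def find_secret_refs(obj):
    """List every way a Secret reaches a container in one workload object."""
    spec, out = pod_spec(obj), []
    name = obj.get("metadata", {}).get("name", "?")
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        for e in c.get("env", []):                       # env[].valueFrom.secretKeyRef
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                out.append(dict(object=name, container=c["name"], via="env", var=e["name"],
                                secret=ref["name"], key=ref.get("key"),
                                optional=bool(ref.get("optional", False))))
        for ef in c.get("envFrom", []):                  # envFrom[].secretRef: whole Secret
            if "secretRef" in ef:
                out.append(dict(object=name, container=c["name"], via="envFrom", var=None,
                                secret=ef["secretRef"]["name"], key=None,
                                optional=bool(ef["secretRef"].get("optional", False))))
    for v in spec.get("volumes", []):                    # volumes[].secret mounted as files
        if "secret" in v:
            users = [c["name"] for c in containers
                     if any(m["name"] == v["name"] for m in c.get("volumeMounts", []))]
            out.append(dict(object=name, container=",".join(users) or "(unmounted)", via="volume",
                            var=None, secret=v["secret"].get("secretName"), key=None,
                            optional=bool(v["secret"].get("optional", False))))
    return out

def audit(doc):
    """Accept a single object or a kubectl `List` and return all findings."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [f for obj in items for f in find_secret_refs(obj)]

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)   # pipe kubectl output in
    for f in audit(doc):
        print(f"{f['object']}/{f['container']}: {f['via']} -> {f['secret']}"
              f"{'/' + f['key'] if f['key'] else ''}{' (optional)' if f['optional'] else ''}")
```

Run with no stdin to see the sample findings, or pipe `kubectl get deploy,sts,pods -A -o json` into it to inventory a cluster; each line names the workload, the container, the injection path and the Secret key involved.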

Labels: bug (Something isn't working)