[Enhancement] Do not store Kubernetes secrets as environment variables #727
Labels: kind/enhancement, status/closed
Enhancement (What you would like to be added):
Kubernetes secrets should not be stored as environment variables. Currently `storageAPIEndpoint` is used as an env variable in the `backup-restore` container of `etcd-main` (ref).

Motivation (Why is this needed?):
Gardener aims to comply with DISA K8s STIGs. This issue is in sync with rule 242415.

Approach/Hint to implement the solution (optional):
Specifically for the case of `storageAPIEndpoint`, it can be stored in a `ConfigMap`, since it is not sensitive information. If it needs to stay in the `etcd-backup` secret, it can be read from a mounted file. The secret is already mounted in `backup-restore` for the use of `serviceaccount.json` (ref). For other cases a similar approach can be used or, if possible, a case-specific one.
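The pattern the issue asks for, as an added illustration that is not the project's own manifests: the env-var form beside the mounted-file form. The image, the `etcd-backup-config` ConfigMap name, the mount paths and the placeholder endpoint value are assumed; only `etcd-main`, `backup-restore`, `etcd-backup`, `storageAPIEndpoint` and `serviceaccount.json` come from the issue.

```yaml
# Added example, not Gardener's manifests. Trimmed to the parts that matter.
#
# BEFORE: the value is injected into the process environment from the secret.
# Environment variables are inherited by every child process, readable via
# /proc/<pid>/environ by anyone who can exec into the pod, and tend to end up
# in crash reports and debug output.
apiVersion: v1
kind: Pod
metadata:
  name: etcd-main-0
spec:
  containers:
  - name: backup-restore
    image: registry.example.invalid/etcd-backup-restore:placeholder  # assumed
    env:
    - name: STORAGE_API_ENDPOINT            # weak: secret value in the environment
      valueFrom:
        secretKeyRef:
          name: etcd-backup
          key: storageAPIEndpoint
---
# AFTER, option 1 from the issue: the endpoint is not sensitive, so it moves to
# a ConfigMap and is mounted as a file.
apiVersion: v1
kind: ConfigMap
metadata:
  name: etcd-backup-config                   # assumed name
data:
  storageAPIEndpoint: "https://storage.example.invalid"   # placeholder value
---
apiVersion: v1
kind: Pod
metadata:
  name: etcd-main-0
spec:
  containers:
  - name: backup-restore
    image: registry.example.invalid/etcd-backup-restore:placeholder  # assumed
    # No env/envFrom entries reference the secret. The process reads
    # /etc/etcd-backup/storageAPIEndpoint (option 1) or, if the key must stay
    # in the secret (option 2), /var/etcd-backup/storageAPIEndpoint, next to
    # the serviceaccount.json the issue says is already mounted there.
    volumeMounts:
    - name: etcd-backup-config
      mountPath: /etc/etcd-backup          # assumed path
      readOnly: true
    - name: etcd-backup
      mountPath: /var/etcd-backup          # assumed path
      readOnly: true
  volumes:
  - name: etcd-backup-config
    configMap:
      name: etcd-backup-config
  - name: etcd-backup                      # option 2: secret as files, not env
    secret:
      secretName: etcd-backup
```

A quick check for regressions once the change lands: `kubectl get pods -A -o json | jq '.items[].spec.containers[] | select((.env[]?.valueFrom.secretKeyRef) or (.envFrom[]?.secretRef))'` lists every container that still pulls a secret into its environment through either `env` or `envFrom`; the expected output for the `etcd-main` pod is empty. Reading the file at startup (rather than once and caching it forever) also means a rotated secret takes effect without re-injecting anything into the environment, which an env var cannot do.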