
[Enhancement] Do not store Kubernetes secrets as environment variables #727

Status: Closed
AleksandarSavchev opened this issue Apr 16, 2024 · 0 comments · Fixed by #759 or gardener/etcd-druid#856
Labels: kind/enhancement (Enhancement, improvement, extension), status/closed (Issue is closed, either delivered or triaged)

Comments

@AleksandarSavchev (Member)

Enhancement (What you would like to be added):
Kubernetes secrets should not be stored as environment variables. Currently storageAPIEndpoint is used as an env variable in the backup-restore container of etcd-main ref.

Motivation (Why is this needed?):
Gardener aims to comply with DISA K8s STIGs. This issue is in sync with rule 242415.

Approach/Hint to implement the solution (optional):
Specifically for the case of storageAPIEndpoint, it can be stored in a ConfigMap, since it is not sensitive information. If it needs to stay in the etcd-backup secret, it can be read from a mounted file. The secret is already mounted in backup-restore for the use of serviceaccount.json ref.

For other cases a similar approach can be used or if possible a case specific one.
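The check behind DISA rule 242415 and the remediation sketched above can both be expressed against a pod spec. The script below is an added example for this issue, not code from gardener/etcd-druid or etcd-backup-restore: it flags every container env var (or `envFrom` block) that is fed from a Secret, and computes the file path a process should read instead once the Secret is mounted as a volume. The container name `backup-restore`, the Secret name `etcd-backup` and the key `storageAPIEndpoint` come from the issue; the env var name `STORAGE_API_ENDPOINT`, the volume name and the mount path `/var/etcd-backup` are assumptions, and both pod specs are constructed for illustration.

```python
"""Audit a Kubernetes pod spec for Secret values exposed as environment variables.

Added example for this issue; not code from gardener/etcd-druid or
etcd-backup-restore. Names taken from the issue: backup-restore, etcd-backup,
storageAPIEndpoint. Assumed: STORAGE_API_ENDPOINT, the volume name and the
mount path /var/etcd-backup. Both specs below are constructed samples.
"""
import posixpath
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (container name, env var name or "envFrom", Secret name)


def find_secret_env_vars(pod_spec: Dict) -> List[Finding]:
    """Return one finding per env var (or envFrom block) sourced from a Secret.

    Covers `env[].valueFrom.secretKeyRef` and `envFrom[].secretRef` in both
    regular and init containers. Env vars sourced from a ConfigMap or given as
    literals are not reported, matching the issue's ConfigMap suggestion.
    """
    findings: List[Finding] = []
    containers = list(pod_spec.get("containers", [])) + list(pod_spec.get("initContainers", []))
    for container in containers:
        for env in container.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                findings.append((container["name"], env["name"], ref["name"]))
        for source in container.get("envFrom", []):
            ref = source.get("secretRef")
            if ref:
                findings.append((container["name"], "envFrom", ref["name"]))
    return findings


def mounted_secret_path(pod_spec: Dict, container_name: str, secret_name: str, key: str) -> Optional[str]:
    """Path at which `key` of Secret `secret_name` is readable inside `container_name`.

    Returns None when that Secret is not mounted as a volume in the container.
    This is the file the process reads instead of consuming an env var.
    """
    volume_names = {
        v["name"] for v in pod_spec.get("volumes", [])
        if (v.get("secret") or {}).get("secretName") == secret_name
    }
    for container in pod_spec.get("containers", []):
        if container["name"] != container_name:
            continue
        for mount in container.get("volumeMounts", []):
            if mount["name"] in volume_names:
                return posixpath.join(mount["mountPath"], key)
    return None


# Constructed "before" spec: the pattern the issue describes, with the Secret key
# injected into the backup-restore container's environment.
BEFORE_SPEC = {
    "containers": [{
        "name": "backup-restore",
        "env": [{
            "name": "STORAGE_API_ENDPOINT",  # assumed env var name
            "valueFrom": {"secretKeyRef": {"name": "etcd-backup", "key": "storageAPIEndpoint"}},
        }],
        "volumeMounts": [{"name": "etcd-backup", "mountPath": "/var/etcd-backup"}],  # assumed path
    }],
    "volumes": [{"name": "etcd-backup", "secret": {"secretName": "etcd-backup"}}],
}

# Constructed "after" spec: the env var is dropped; the value is read from the
# Secret volume that is already mounted (the same mount serving serviceaccount.json).
AFTER_SPEC = {
    "containers": [{
        "name": "backup-restore",
        "volumeMounts": [{"name": "etcd-backup", "mountPath": "/var/etcd-backup"}],
    }],
    "volumes": [{"name": "etcd-backup", "secret": {"secretName": "etcd-backup"}}],
}

if __name__ == "__main__":
    for spec_name, spec in (("before", BEFORE_SPEC), ("after", AFTER_SPEC)):
        print(spec_name, "findings:", find_secret_env_vars(spec))
    print("read from:", mounted_secret_path(AFTER_SPEC, "backup-restore", "etcd-backup", "storageAPIEndpoint"))
```

Running it reports one finding for the "before" spec and none for the "after" spec, and shows `/var/etcd-backup/storageAPIEndpoint` as the file to read. To run the same check against a live cluster, feed it the `spec` of each pod from `kubectl get pods -o json`; the function only inspects the spec fields shown here.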
