Why is it not safe to put confidential data in container environment variables?


Remember that a container is just a “process”. That means the values of its environment variables are kept in plaintext by the kernel for the whole lifetime of the process and are exposed through the virtual filesystem /proc: on the host, /proc/<PID>/environ is readable by root (and by the user owning the process), so anyone with root on the node, or with access to the Docker socket (docker inspect prints the container's Env as well), can recover them. Inside the container, the application itself and every child process it spawns can read the same values from /proc/self/environ, so a code-execution bug in the application exposes them too. The following example illustrates the host-side case.

NOTE: If the above is not clear enough, I’d recommend you check the blog post Understanding containers in 15 minutes.

Example

Let’s imagine a Kubernetes Pod whose container receives the USERNAME and PASSWORD values from a Secret as environment variables, like this:

...
    env:
      - name: USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
...

Then the values used to create those environment variables can be recovered with the steps below on the Linux node running the pod (Docker runtime). Root is needed on the node, because /proc/<PID>/environ of another user's process is readable only by its owner and root.

# get the CONTAINER ID of this pod (the Docker container name includes the pod name)
$ docker ps | grep <pod-name>

# list the processes of this container; the PID column shows host PIDs
$ docker top <CONTAINER ID>

# dump the environment of that PID; the file is NUL-separated, so tr prints one entry per line
$ sudo cat /proc/<PID>/environ | tr '\0' '\n'
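As an added example (not from the original post), here is a small shell script that packages the three steps above: it resolves the container's host PID with docker inspect instead of reading it off docker top, splits the NUL-separated /proc/<PID>/environ, and filters for credential-looking variable names. The name pattern and the sample environ blob used by demo are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: read a container's
# environment from the host and pull out variables that look like credentials.
#
# /proc/<PID>/environ is a NUL-separated list of KEY=VALUE entries, so it is
# split with `tr` rather than read line by line.

# Print every KEY=VALUE entry of an environ-format file, one per line.
environ_entries() {
    # $1: path to a file in /proc/<PID>/environ format
    tr '\0' '\n' < "$1"
}

# Print only the entries whose name looks credential-like (case-insensitive).
# The name pattern is an assumption made for this example; adjust it to taste.
find_secrets_in_environ() {
    # $1: path to a file in /proc/<PID>/environ format
    environ_entries "$1" | grep -Ei '^[^=]*(user|pass|secret|token|key)[^=]*='
}

# Resolve a container's host PID through the Docker API and scan its environment.
# Must run as root (or the owner of the container's processes) on the node:
# /proc/<PID>/environ of another user's process is not readable otherwise.
container_secrets() {
    # $1: container name or ID as shown by `docker ps`
    local pid
    pid=$(docker inspect --format '{{.State.Pid}}' "$1") || return 1
    find_secrets_in_environ "/proc/${pid}/environ"
}

# Stand-alone demonstration on a constructed environ blob (no Docker needed).
# The variable values below are made up for this example.
demo() {
    local tmp
    tmp=$(mktemp)
    printf 'PATH=/usr/bin\0HOSTNAME=app-7d9c\0USERNAME=appuser\0PASSWORD=s3cr3t-example\0HOME=/root\0' > "$tmp"
    find_secrets_in_environ "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run `bash script.sh --demo` for the offline demonstration, or source the file on a node with Docker and call `container_secrets <container-id>` as root. On nodes that use containerd instead of Docker, `crictl ps` and `crictl inspect <id>` take the place of the docker commands (the inspect JSON carries the host PID). Note that from inside the container, `cat /proc/self/environ | tr '\0' '\n'` (or simply `env`) gives the same result with no privileges at all, which is exactly what an attacker with code execution in the application would do.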

CONCLUSION: Environment variables are held in plaintext for as long as the process lives, and anyone who can read /proc/<PID>/environ (root on the node, anyone holding the Docker socket) or run code inside the container can recover them, so they are not a safe place for credentials. Encrypting the value by itself does not help much, since the key needed to decrypt it has to reach the process somehow. Prefer mounting Secrets as files with restrictive permissions, or fetching credentials from a secrets manager at runtime, and keep them in memory only as long as they are needed.

NOTE: Also, feel free to check related posts by searching for the Kubernetes and Docker tags on this website.
