Red Hat OpenStack Services on OpenShift
OSPRH-9908

SAST: Provide access to secrets via volume mounts instead of setting `valueFrom.secretKeyRef` in `env`


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • Fix Version: rhos-18.0.3
    • Component: octavia-operator
    • octavia-operator-container-1.0.4-4
    • Important

      SAST reports:

      Error: SIGMA.container_storing_secret_in_environment_variable (CWE-526):
      unpacked_remote_sources/app/tests/kuttl/common/assert_sample_deployment.yaml:159: Sigma main event: The Kubernetes container stores secrets in environment variables, which could be leaked if the environment is logged.
      unpacked_remote_sources/app/tests/kuttl/common/assert_sample_deployment.yaml:159: remediation: Provide access to secrets via volume mounts instead of setting `valueFrom.secretKeyRef` in `env`.

      https://github.com/openstack-k8s-operators/octavia-operator/blob/main/tests/kuttl/common/assert_sample_deployment.yaml#L156-L165

      https://github.com/openstack-k8s-operators/octavia-operator/blob/03a1f12267a19712af1f276a30cc8bfdce41c444/pkg/octavia/initcontainer.go#L56-L64

      Secrets should not be passed in environment variables.
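      The remediation the SAST rule asks for, shown as an added example rather than code from octavia-operator: a container spec that pulls a Secret key into `env` via `valueFrom.secretKeyRef`, an audit that flags it the way the SIGMA rule does, and a rewrite that moves each such entry to a read-only file on a Secret volume. The types are stand-ins for `k8s.io/api/core/v1` with the same JSON field names (the real package is assumed not to be available here), and the secret name, key and container names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// Stand-ins for the k8s.io/api/core/v1 types this example needs. They use
// the same JSON field names as the real types, so the marshalled output is a
// valid container / pod-spec fragment, but they are not the corev1 package
// (assumption: it is not vendored in this example).
type SecretKeySelector struct {
	Name string `json:"name"`
	Key  string `json:"key"`
}

type EnvVarSource struct {
	SecretKeyRef *SecretKeySelector `json:"secretKeyRef,omitempty"`
}

type EnvVar struct {
	Name      string        `json:"name"`
	Value     string        `json:"value,omitempty"`
	ValueFrom *EnvVarSource `json:"valueFrom,omitempty"`
}

type VolumeMount struct {
	Name      string `json:"name"`
	MountPath string `json:"mountPath"`
	ReadOnly  bool   `json:"readOnly,omitempty"`
}

type KeyToPath struct {
	Key  string `json:"key"`
	Path string `json:"path"`
}

type SecretVolumeSource struct {
	SecretName  string      `json:"secretName"`
	Items       []KeyToPath `json:"items,omitempty"`
	DefaultMode *int32      `json:"defaultMode,omitempty"`
}

type Volume struct {
	Name   string              `json:"name"`
	Secret *SecretVolumeSource `json:"secret,omitempty"`
}

type Container struct {
	Name         string        `json:"name"`
	Image        string        `json:"image"`
	Env          []EnvVar      `json:"env,omitempty"`
	VolumeMounts []VolumeMount `json:"volumeMounts,omitempty"`
}

// SampleContainer is a constructed "before" spec: one plain env var and one
// that reads a Secret key into the environment (what CWE-526 / the SIGMA
// rule flags). Names are made up for the example.
func SampleContainer() Container {
	return Container{
		Name:  "example-app",
		Image: "example/app:1",
		Env: []EnvVar{
			{Name: "LOG_LEVEL", Value: "info"},
			{Name: "DB_PASSWORD", ValueFrom: &EnvVarSource{
				SecretKeyRef: &SecretKeySelector{Name: "example-db-secret", Key: "DatabasePassword"}}},
		},
	}
}

// SecretEnvVars returns the names of env entries sourced from a Secret key,
// i.e. the check the SAST rule performs.
func SecretEnvVars(c Container) []string {
	var names []string
	for _, e := range c.Env {
		if e.ValueFrom != nil && e.ValueFrom.SecretKeyRef != nil {
			names = append(names, e.Name)
		}
	}
	return names
}

// MoveSecretsToVolumes rewrites the container so each secretKeyRef env entry
// becomes the file <mountDir>/<secretName>/<ENV_NAME> on a read-only Secret
// volume that projects only the keys actually used (defaultMode 0400).
// Non-secret env entries are kept. The caller adds the returned volumes to
// the pod spec; the application then reads the file instead of the variable.
func MoveSecretsToVolumes(c Container, mountDir string) (Container, []Volume) {
	out := c
	out.Env = nil
	out.VolumeMounts = append([]VolumeMount(nil), c.VolumeMounts...) // do not alias the input
	mode := int32(0400)
	bySecret := map[string]*Volume{}
	var order []string
	for _, e := range c.Env {
		if e.ValueFrom == nil || e.ValueFrom.SecretKeyRef == nil {
			out.Env = append(out.Env, e)
			continue
		}
		ref := e.ValueFrom.SecretKeyRef
		volName := "secret-" + ref.Name
		v, ok := bySecret[volName]
		if !ok {
			v = &Volume{Name: volName, Secret: &SecretVolumeSource{SecretName: ref.Name, DefaultMode: &mode}}
			bySecret[volName] = v
			order = append(order, volName)
			out.VolumeMounts = append(out.VolumeMounts, VolumeMount{
				Name: volName, MountPath: path.Join(mountDir, ref.Name), ReadOnly: true})
		}
		v.Secret.Items = append(v.Secret.Items, KeyToPath{Key: ref.Key, Path: e.Name})
	}
	vols := make([]Volume, 0, len(order))
	for _, n := range order {
		vols = append(vols, *bySecret[n])
	}
	return out, vols
}

func main() {
	before := SampleContainer()
	fmt.Println("secret-backed env vars before:", SecretEnvVars(before))
	after, vols := MoveSecretsToVolumes(before, "/run/secrets")
	b, _ := json.MarshalIndent(map[string]any{"container": after, "volumes": vols}, "", "  ")
	fmt.Println(string(b))
	fmt.Println("secret-backed env vars after:", SecretEnvVars(after))
}
```

      The environment form is the weaker one because a process environment is world-readable to anything that can read `/proc/<pid>/environ` as the same user, is inherited by every child process, and routinely ends up in crash reports and debug logs. A mounted file is still readable by the container's user, so keep the mount read-only and the `defaultMode` restrictive, and project only the keys the container needs.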

Assignee, Reporter: Gregory Thiemonge (rhn-support-gthiemon)
rhos-dfg-networking-squad-vans