Kubernetes secret exposed in environment variable via pod spec due to missing encoding or escaping
ID: security/kubernetes-secret-exposed-in-environment-variable-via-pod-spec
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Kubernetes 1.29.0 | active | — | — | — |
| kubectl 1.29.0 | active | — | — | — |
| Helm 3.14.0 | active | — | — | — |
| Docker 25.0.0 | active | — | — | — |
Root Cause
A Kubernetes secret value containing special characters (e.g., $, \, newlines) is injected into an environment variable in the pod spec without proper encoding or escaping, causing the value to be interpreted incorrectly by the shell or application, potentially leaking the secret in logs or error messages.
generic中文
Kubernetes 密钥值包含特殊字符(如 $、\、换行符),在 Pod 规范中注入到环境变量时未进行正确的编码或转义,导致 shell 或应用程序错误地解释该值,可能在日志或错误消息中泄露密钥。
Official Documentation
https://kubernetes.io/docs/concepts/configuration/secret/Workarounds
-
95% success Use the `env` field in the pod spec with `valueFrom` and `secretKeyRef` to inject secrets directly, avoiding shell interpretation. Example: `env: - name: DB_PASSWORD valueFrom: secretKeyRef: name: db-secret key: password`. This ensures the value is passed as-is without shell escaping.
Use the `env` field in the pod spec with `valueFrom` and `secretKeyRef` to inject secrets directly, avoiding shell interpretation. Example: `env: - name: DB_PASSWORD valueFrom: secretKeyRef: name: db-secret key: password`. This ensures the value is passed as-is without shell escaping. -
88% success If using Helm, ensure the secret value is quoted in the template to prevent YAML parsing issues. Use `{{ .Values.secret.password | quote }}` to add quotes, and escape special characters in the values file with backslashes. For example, a password with $ should be `password: "pa\$sword"`.
If using Helm, ensure the secret value is quoted in the template to prevent YAML parsing issues. Use `{{ .Values.secret.password | quote }}` to add quotes, and escape special characters in the values file with backslashes. For example, a password with $ should be `password: "pa\$sword"`. -
85% success Use a dedicated secrets management tool like HashiCorp Vault with the Vault Agent Injector to inject secrets as files or environment variables without exposing them in the pod spec. Example annotation: `vault.hashicorp.com/agent-inject: "true"` and `vault.hashicorp.com/agent-inject-secret-db-password: "secret/data/db"`.
Use a dedicated secrets management tool like HashiCorp Vault with the Vault Agent Injector to inject secrets as files or environment variables without exposing them in the pod spec. Example annotation: `vault.hashicorp.com/agent-inject: "true"` and `vault.hashicorp.com/agent-inject-secret-db-password: "secret/data/db"`.
中文步骤
在 Pod 规范中使用 `env` 字段和 `valueFrom` 及 `secretKeyRef` 直接注入密钥,避免 shell 解释。示例:`env: - name: DB_PASSWORD valueFrom: secretKeyRef: name: db-secret key: password`。这确保值按原样传递,无需 shell 转义。如果使用 Helm,确保在模板中对密钥值加引号以防止 YAML 解析问题。使用 `{{ .Values.secret.password | quote }}` 添加引号,并在 values 文件中使用反斜杠转义特殊字符。例如,包含 $ 的密码应为 `password: "pa\$sword"`。使用专门的密钥管理工具,如 HashiCorp Vault 和 Vault Agent Injector,将密钥作为文件或环境变量注入,而无需在 Pod 规范中暴露。示例注解:`vault.hashicorp.com/agent-inject: "true"` 和 `vault.hashicorp.com/agent-inject-secret-db-password: "secret/data/db"`。
Dead Ends
Common approaches that don't work:
-
Use a ConfigMap instead of a Secret for the environment variable
90% fail
ConfigMaps are not designed for sensitive data and store values in plain text. This actually increases the risk of exposure.
-
Encode the secret value in base64 and decode it in the application
70% fail
Base64 is not encryption; it can be easily decoded by anyone with access to the pod spec or logs. This provides no real security.
-
Remove special characters from the secret value
50% fail
This may break the application if the secret requires those characters (e.g., a password with $). It is not a general solution.