# Kubernetes secret exposed in environment variable via pod spec due to missing encoding or escaping

- **ID:** `security/kubernetes-secret-exposed-in-environment-variable-via-pod-spec`
- **Domain:** security
- **Category:** config_error
- **Verification:** ai_generated
- **Fix Rate:** 89%

## Root Cause

A Kubernetes Secret value containing special characters (e.g., `$`, `\`, newlines) is placed in a container environment variable in the pod spec without proper encoding or escaping, typically as a literal `value:` or through a shell entrypoint that interpolates it. The value is then rewritten by `$(VAR)` expansion or shell interpretation before the application sees it, so authentication fails and the mangled or original secret ends up in logs or error messages.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Kubernetes 1.29.0 | active | — | — |
| kubectl 1.29.0 | active | — | — |
| Helm 3.14.0 | active | — | — |
| Docker 25.0.0 | active | — | — |

## Workarounds

1. **Use the `env` field in the pod spec with `valueFrom` and `secretKeyRef` to inject secrets directly, avoiding shell interpretation. The value is placed in the process environment as-is, without shell escaping. Note that kubelet still expands `$(VAR)` references in `command`, `args` and literal `value` fields, so do not reference the secret-backed variable there.** (95% success)
   ```yaml
   env:
   - name: DB_PASSWORD
     valueFrom:
       secretKeyRef:
         name: db-secret
         key: password
   ```
2. **If using Helm, ensure the secret value is quoted in the template to prevent YAML parsing issues. Use `{{ .Values.secret.password | quote }}` to add quotes, and write values with special characters as quoted scalars in the values file. In a double-quoted YAML scalar only the backslash itself needs escaping (`"pa\\th"`); `$` needs no escaping, so a password containing `$` is simply `password: "pa$sword"` (a `\$` sequence is not a valid YAML escape and fails to parse).** (88% success)
   ```yaml
   # values.yaml
   secret:
     password: "pa$sword"
   ```
   ```yaml
   # templates/secret.yaml (excerpt)
   stringData:
     password: {{ .Values.secret.password | quote }}
   ```
3. **Use a dedicated secrets management tool like HashiCorp Vault with the Vault Agent Injector to inject secrets as files or environment variables without exposing them in the pod spec. Example annotations:** (85% success)
   ```yaml
   metadata:
     annotations:
       vault.hashicorp.com/agent-inject: "true"
       vault.hashicorp.com/agent-inject-secret-db-password: "secret/data/db"
   ```
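As an added example, not part of the original entry, the following Python script applies the checks behind workaround 1 and the root cause to a pod manifest: it flags credential-looking env vars given as inline literals, literal values containing `$(VAR)` references that kubelet expands, and `command`/`args` entries that expand a Secret-backed variable (which puts the secret into the process list). The sample manifest, the name heuristic and the finding wording are constructed for this example.

```python
"""Lint a pod manifest for the secret-handling mistakes described above."""
import json
import re

# Heuristic for env var names that usually carry credentials (constructed).
SECRET_NAME = re.compile(r"PASS|PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
# kubelet expands $(VAR) in env values, command and args before the process
# starts; a bare "$" not followed by "(" is passed through untouched.
K8S_EXPANSION = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def lint_pod(pod):
    """Return a list of findings for one pod object (dict parsed from JSON/YAML)."""
    findings = []
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = c.get("name", "?")
        secret_vars = set()  # env vars backed by secretKeyRef in this container
        for env in c.get("env", []):
            name = env.get("name", "")
            if "secretKeyRef" in env.get("valueFrom", {}):
                secret_vars.add(name)
                continue
            value = env.get("value")
            if value is None:
                continue
            if SECRET_NAME.search(name):
                findings.append(f"{cname}/{name}: inline literal; move it to a Secret "
                                "and use valueFrom.secretKeyRef")
            if K8S_EXPANSION.search(value):
                findings.append(f"{cname}/{name}: contains $(...) that kubelet will expand")
        for word in c.get("command", []) + c.get("args", []):
            for ref in K8S_EXPANSION.findall(word):
                if ref in secret_vars:
                    findings.append(f"{cname}: command/args expand secret {ref}; "
                                    "it becomes visible in the process list")
    return findings


# Constructed manifest in JSON form (kubectl accepts JSON as well as YAML):
# container "app" shows the mistakes, container "good" follows workaround 1.
SAMPLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
 "spec": {"containers": [
   {"name": "app", "image": "example/app",
    "env": [{"name": "DB_PASSWORD", "value": "pa$sword"},
            {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}},
            {"name": "BANNER", "value": "built for $(API_TOKEN)"}],
    "args": ["--token=$(API_TOKEN)"]},
   {"name": "good", "image": "example/app",
    "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-secret", "key": "password"}}}]}
 ]}}
""")

if __name__ == "__main__":
    for finding in lint_pod(SAMPLE_POD):
        print(finding)
```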

## Dead Ends

- **Use a ConfigMap instead of a Secret for the environment variable** — ConfigMaps are not designed for sensitive data and store values in plain text. This actually increases the risk of exposure. (90% fail)
- **Encode the secret value in base64 and decode it in the application** — Base64 is not encryption; it can be easily decoded by anyone with access to the pod spec or logs. This provides no real security. (70% fail)
- **Remove special characters from the secret value** — This may break the application if the secret requires those characters (e.g., a password with $). It is not a general solution. (50% fail)
