End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Use Secrets as Files Instead of Environment Variables

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)

Ensure that Kubernetes secrets are mounted as files rather than injected as environment variables, in order to reduce the risk of unauthorized exposure and to receive updated secret values automatically, without requiring a pod restart.

Security

Kubernetes offers two methods for delivering secrets to a container: mounting them as data volumes (one file per secret key) or injecting them as environment variables. Mounting secrets as files is the preferred method. Environment variables are readable from /proc/<pid>/environ by anyone who can inspect the process, are inherited by every child process the application spawns, and are routinely captured in crash dumps, debug endpoints and verbose log output, so a secret that is exported into the environment tends to leak far beyond the code that needs it. An environment variable is also fixed for the lifetime of the container, so rotating the secret requires restarting the pod. A secret mounted as a volume, by contrast, is rewritten by the kubelet when the Secret object changes (after the kubelet sync period and any cache propagation delay), so an application that re-reads the file can pick up the new value without the overhead and downtime of a restart. Two caveats apply: a secret mounted with subPath does not receive these automatic updates, and the mounted files should be read-only with a restrictive defaultMode (for example 0400) so that only the container's user can read them.


Audit

To determine if the workloads running on your OCI Kubernetes Engine (OKE) clusters consume Kubernetes secrets through environment variables, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
    	--all
    	--include-root
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--all
    	--query 'data[]."id"'
    
  4. The command output should return the requested OKE cluster IDs:

    [
    	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster. The --kube-endpoint PUBLIC_ENDPOINT parameter targets the cluster's public Kubernetes API endpoint; use PRIVATE_ENDPOINT instead for clusters whose API server is reachable only from inside the VCN:

    oci ce cluster create-kubeconfig
    	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--file $HOME/.kube/config
    	--kube-endpoint PUBLIC_ENDPOINT
    	--region 'ap-sydney-1'
    	--token-version 2.0.0
    
  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config
    
  7. Run the kubectl get all command as shown in the example below to identify objects that reference secrets via environment variables. The filter matches a secretKeyRef nested anywhere in the object, so it covers the pod templates of Deployments, StatefulSets, DaemonSets, Jobs and CronJobs as well as bare Pods, and the namespace is printed alongside each match:

    kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {.metadata.namespace} {"\n"}{end}' -A
    
  8. The command output should return a list where each line represents a workload that is using a Kubernetes secret to define one or more environment variables within its containers, followed by the namespace the workload runs in:

    Deployment     user-auth-service     cc-web-dev
    Deployment     billing-processor     cc-web-prod
    StatefulSet    postgres-db           cc-data-tier
    

    If the command output returns one or more results, it indicates that the listed resources are actively using Kubernetes secrets to define one or more environment variables, which is not the recommended method for handling sensitive data. Because kubectl get all also returns the ReplicaSets and Pods owned by a flagged Deployment, the same workload can appear on several lines. Note that this filter only matches individual env entries that use secretKeyRef; a container that exports an entire secret into its environment with envFrom.secretRef is not caught by it. Repeat the command with ?(@..secretRef) as the filter expression to find those cases, and review each hit, since secretRef also appears on some volume types (for example FlexVolume and RBD) that do not place the secret in the environment.

Remediation / Resolution

To mount secrets as files instead of injecting them as environment variables, remove the env and envFrom entries that reference the secret from each affected container, declare the secret as a volume in the pod specification (volumes[].secret.secretName), and mount that volume into the container (volumeMounts[]) with readOnly set to true and a restrictive defaultMode (for example 0400) so that only the container's user can read the files. Update the application to read each key from its file under the mount path and to re-read the file when the secret is rotated. Avoid subPath mounts for secrets, because files mounted with subPath do not receive automatic updates. Apply the modified manifests with kubectl apply and re-run the audit command to confirm that no workloads reference secrets via environment variables.
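The following script is an added example for this page, not Trend Micro or Kubernetes project code. It implements the audit from step 7 over the JSON that kubectl can emit instead of a jsonpath one-liner, so that envFrom.secretRef and init containers are covered and the namespace, container and secret name are reported for each hit, and it contrasts a non-compliant Deployment with the remediated form described above (secret volume, readOnly mount, defaultMode 0400). The SAMPLE dump is constructed for illustration; the workload, secret and image names in it are assumptions and do not refer to any real cluster.

```python
"""Audit Kubernetes workloads for secrets injected as environment variables.

Consumes the JSON returned by
  kubectl get deploy,sts,ds,job,cronjob,pod -A -o json
(a List whose .items are workloads) and reports every container that pulls a
Secret through env[].valueFrom.secretKeyRef or envFrom[].secretRef. File-mounted
Secrets are listed as compliant, with a warning when subPath is used.
"""
import json
import sys

# Constructed sample: one Deployment that injects secrets into the environment
# (the non-compliant "before") and one that mounts the secret as files with a
# read-only mount and defaultMode 0400 (256 decimal) (the remediated "after").
SAMPLE = json.loads(r"""
{"kind": "List", "items": [
 {"kind": "Deployment",
  "metadata": {"name": "billing-processor", "namespace": "cc-web-prod"},
  "spec": {"template": {"spec": {"containers": [{
    "name": "api", "image": "billing:1.4",
    "env": [
      {"name": "DB_PASSWORD",
       "valueFrom": {"secretKeyRef": {"name": "billing-db", "key": "password"}}},
      {"name": "LOG_LEVEL", "value": "info"}],
    "envFrom": [{"secretRef": {"name": "payment-gateway"}}]}]}}}},
 {"kind": "Deployment",
  "metadata": {"name": "user-auth-service", "namespace": "cc-web-dev"},
  "spec": {"template": {"spec": {
    "containers": [{
      "name": "api", "image": "auth:2.0",
      "volumeMounts": [{"name": "db-creds", "mountPath": "/etc/auth/creds",
                        "readOnly": true}]}],
    "volumes": [{"name": "db-creds",
                 "secret": {"secretName": "auth-db", "defaultMode": 256}}]}}}}
]}
""")


def pod_spec(obj):
    """Locate the PodSpec inside a Pod, a CronJob, or any template-bearing workload."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def secret_env_refs(obj):
    """Return (container, location, secret) for each Secret that reaches the environment."""
    refs = []
    spec = pod_spec(obj)
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for env in c.get("env", []):
            key_ref = env.get("valueFrom", {}).get("secretKeyRef")
            if key_ref:
                refs.append((c["name"], "env:" + env["name"], key_ref["name"]))
        for src in c.get("envFrom", []):  # whole Secret exported as env vars
            if "secretRef" in src:
                refs.append((c["name"], "envFrom", src["secretRef"]["name"]))
    return refs


def secret_volume_mounts(obj):
    """Return (container, mountPath, secret, readOnly, usesSubPath) for file-mounted Secrets."""
    spec = pod_spec(obj)
    secret_vols = {v["name"]: v["secret"]["secretName"]
                   for v in spec.get("volumes", []) if "secret" in v}
    mounts = []
    for c in spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_vols:
                mounts.append((c["name"], m["mountPath"], secret_vols[m["name"]],
                               m.get("readOnly", False), "subPath" in m))
    return mounts


def audit(items):
    """One finding per env-injected Secret: (kind, namespace, name, container, location, secret)."""
    findings = []
    for obj in items:
        meta = obj.get("metadata", {})
        for container, location, secret in secret_env_refs(obj):
            findings.append((obj.get("kind"), meta.get("namespace"), meta.get("name"),
                             container, location, secret))
    return findings


if __name__ == "__main__":
    # Usage: kubectl get deploy,sts,ds,job,cronjob,pod -A -o json > dump.json
    #        python3 secret_env_audit.py dump.json
    # Without an argument the constructed SAMPLE is audited.
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit(dump["items"]):
        print("FAIL {0} {1}/{2} container={3} {4} secret={5}".format(*f))
    for obj in dump["items"]:
        meta = obj["metadata"]
        for c, path, secret, ro, sub in secret_volume_mounts(obj):
            note = " (subPath: no automatic updates)" if sub else ""
            print(f"PASS {obj['kind']} {meta['namespace']}/{meta['name']} "
                  f"container={c} secret={secret} mounted at {path} readOnly={ro}{note}")
```

Run against the sample, the script reports two FAIL lines for billing-processor (the secretKeyRef on DB_PASSWORD and the envFrom export of payment-gateway) and one PASS line for user-auth-service; a Deployment that still fails after remediation usually means an envFrom entry was overlooked, which the jsonpath filter in step 7 does not surface on its own.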


Publication date Dec 11, 2025