polaris icon indicating copy to clipboard operation
polaris copied to clipboard

Published 20 hours ago verified publisher icon FairwindsOps

sensitiveContainerEnvVar flags a danger when using envFrom/secretRef and key/value

Open arthurzenika opened this issue 9 months ago • 2 comments

What happened?

Hi, thanks for polaris, it's an awesome tool and it helps us a lot on many use cases.

We think we might have an special case that is a false positive.

We are using envFrom with secretRef and then using a bunch of variables for secrets (as described in https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables ) and using env to rename and combine some variables :

---
apiVersion: apps/v1
kind: Deployment
[snip]
spec:
  template:
    spec:
      containers:
        - name: airflow-scheduler
[snip]
          envFrom:
            - secretRef:
                name: airflow-env
[snip]
          env:
            - name: AIRFLOW_VAR_GITLAB_PRIVATE_TOKEN
              value: $(GITLAB_PRIVATE_TOKEN)
            - name: AIRFLOW_VAR_PROMETHEUS_PASSWORD
              value: $(PROMETHEUS_PASSWORD)

and polaris detects the following :

    sensitiveContainerEnvVar             ❌ Danger
        Security - The container sets potentially sensitive environment variables

Which doesn't seem to be the case when a syntax like the following is used :

[snip]
          env:
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-airflow-secret
                  key: POSTGRES_PASSWORD
[snip]

What did you expect to happen?

For polaris to detect that a variable from a secret is being used and to consider this as safe.

How can we reproduce this?

If the snippet above is not sufficient to discuss this issue we can probably share a complete deployment/secret.

Version

7.3.2

Search

  • [X] I did search for other open and closed issues before opening this.

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

Additional context

No response

arthurzenika avatar May 14 '24 10:05 arthurzenika

workaround is using the following annotation :

  annotations:
    polaris.fairwinds.com/sensitiveContainerEnvVar-exempt: "true"

arthurzenika avatar May 14 '24 10:05 arthurzenika

I am pretty sure you don't need to repeat env vars that are pulled in via envFrom in the env section of the spec.

Polaris is picking up the words TOKEN and SECRET I believe. We're fairly limited in what we can check with JSON Schema for this.

Your workaround is probably best, or to disable that check entirely in your configuration

sudermanjr avatar May 14 '24 16:05 sudermanjr