Checkov: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"

[padmankosalaram]

Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"

FAILED for resource: Job.mas-inst1-pipelines.mas-deploy-job
File: /chart/deploy-mas/mas-deploy/templates/01-deploy-mas.yaml:95-327

Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33

[padmankosalaram]

This issue can not be fixed. Please find below the reason.

The helm chart accepts 2 secret variables ( entitlement_key & authorized_entitlement ) from terraform found in this line

terraform-ibm-mas/chart/deploy-mas/templates/01-deploy-mas.yaml

Line 24 in 6ed2eda

entitlement_key: {{ .Values.mas_entitlement_key }}

These secrets are important for installing MAS. Also their values are already base64 encode in terraform and passed to helm chart. Helm chart will store them as k8s secret and further inject into POD

Hence it is important to have the secret as environment variables in this line

terraform-ibm-mas/chart/deploy-mas/templates/01-deploy-mas.yaml

Line 24 in 6ed2eda

entitlement_key: {{ .Values.mas_entitlement_key }}

terraform-ibm-mas/chart/deploy-mas/templates/01-deploy-mas.yaml

Line 257 in 6ed2eda

- name: ENTITLEMENT_KEY

terraform-ibm-mas/chart/deploy-mas/templates/01-deploy-mas.yaml

Line 263 in 6ed2eda

- name: AUTHORIZED_ENTITLEMENT