
[Question] Clarification regarding secret visibility in container #816

@Moortiii

Description


Question

The FAQ section states the following:

Can I prevent env-injected secrets from being listed in /proc/[pid]/environ inside the container?

Yes. Follow Docker Container best-practices and don't run your container as root: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user

I've created an image that runs its workloads as a non-root user with little to no privileges, as recommended by Docker.

However, using the command cat /proc/1/environ | xargs -0 -L1 | sort, I am still able to read the injected secrets from the environment.

Am I doing something wrong, or does the FAQ need to be updated?

Steps to reproduce

  1. Create a file named manifests.yaml with the following contents to create a minimally reproducible example:
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    azure-key-vault-env-injection: enabled
  name: example-app
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-deployment
  namespace: example-app
  labels:
    app: example-deployment
spec:
  selector:
    matchLabels:
      app: example-deployment
  template:
    metadata:
      labels:
        app: example-deployment
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 2000
      containers:
      - name: example-deployment
        image: python:3.12
        securityContext:
          allowPrivilegeEscalation: false
        command: ["sleep", "10000"]
        env:
          - name: EXAMPLE_SECRET
            value: example-secret@azurekeyvault
---
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  namespace: example-app
  name: example-secret
spec:
  vault:
    name: example-vault
    object:
      name: example-secret
      type: secret

This assumes that you have a key vault named example-vault with a secret named example-secret. It also assumes that the Managed Identity running in the cluster has read access to secrets in your key vault.

  2. Apply your manifests using kubectl apply -f manifests.yaml
  3. Get a shell on your pod, e.g. using k9s.
  4. Run the command cat /proc/1/environ | xargs -0 -L1 | sort | grep -i "example_secret"

Expected output:

I have no name!@example-deployment-6bc6b4d5dc-xpkwh:/$ cat /proc/1/environ | xargs -0 -L1 | sort | grep -i "example_secret"
EXAMPLE_SECRET=example-secret@azurekeyvault

Actual output:

I have no name!@example-deployment-6bc6b4d5dc-xpkwh:/$ cat /proc/1/environ | xargs -0 -L1 | sort | grep -i "example_secret"
EXAMPLE_SECRET=this-is-a-secret
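Added example, not code from the issue or from the akv2k8s project, showing the procfs rule behind what is observed above. /proc/[pid]/environ is mode 0400 owned by the target process's UID and is additionally gated by a PTRACE_MODE_READ check: the same UID (while the target is dumpable), root, or a caller holding CAP_SYS_PTRACE can read it; any other unprivileged UID gets EACCES. A shell opened with kubectl exec runs as the container's securityContext user, so in the manifest above both PID 1 and the shell are UID 1000 and the read succeeds regardless of root. The script starts a child as a constructed stand-in for the injected application (the secret value is constructed, not a real Key Vault secret), parses its environ the way `xargs -0` does, and reports who the caller is relative to the target; it assumes Linux with procfs mounted.

```python
#!/usr/bin/env python3
"""Added example (not from the issue or akv2k8s): why a non-root shell can
still read /proc/<pid>/environ, and how to parse that file.

Assumptions: Linux with procfs mounted. The child started in demo() is a
constructed stand-in for the env-injected application (PID 1 in the issue).
"""
import os
import subprocess
import sys
from typing import Optional


def parse_environ(raw: bytes) -> dict:
    """Split the NUL-separated environ blob into a dict, like `xargs -0`.
    An entry without '=' is kept with an empty value."""
    env = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def read_environ(pid: int) -> Optional[dict]:
    """Return pid's environment, or None when the kernel refuses access.

    The file is 0400 owned by the target's UID and gated by PTRACE_MODE_READ:
    same UID (target dumpable), root, or CAP_SYS_PTRACE may read it; any
    other UID gets EACCES. hidepid=2 mounts hide the pid entirely (ENOENT).
    """
    try:
        with open(f"/proc/{pid}/environ", "rb") as f:
            return parse_environ(f.read())
    except (PermissionError, FileNotFoundError):
        return None


def access_summary(pid: int) -> dict:
    """Who the caller is relative to the target, to explain the outcome."""
    target_uid = os.stat(f"/proc/{pid}").st_uid
    return {
        "target_uid": target_uid,
        "caller_euid": os.geteuid(),
        "same_uid": target_uid == os.geteuid(),
        "caller_is_root": os.geteuid() == 0,
    }


def demo() -> dict:
    """Start a child holding a secret in its environment and read it back
    from procfs, exactly as the issue's `cat /proc/1/environ` does."""
    # Constructed secret value; stands in for the resolved Key Vault secret.
    child_env = dict(os.environ, EXAMPLE_SECRET="this-is-a-secret")
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(60)"], env=child_env
    )
    try:
        # Popen returns only after exec, so /proc/<pid>/environ already
        # reflects child_env. Same UID as the caller -> readable.
        env = read_environ(child.pid)
        summary = access_summary(child.pid)
        summary["secret"] = None if env is None else env.get("EXAMPLE_SECRET")
        # The refusal branch: PID 1 is usually owned by another UID (root),
        # so an unprivileged caller gets None here while root does not.
        summary["pid1_readable"] = read_environ(1) is not None
        return summary
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as an unprivileged user: `same_uid` is True and `secret` is recovered, which is the situation in the pod above; `pid1_readable` shows the other branch, False when PID 1 belongs to a different UID and the caller is neither root nor CAP_SYS_PTRACE. The practical consequence is that running as non-root only protects the environment from processes of other UIDs in the same PID namespace, not from anyone who can exec into the container as the application's own user.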

Labels: question (Further information is requested)