Enhancement (What you would like to be added):
Kubernetes secrets should not be stored as environment variables. Currently `storageAPIEndpoint` is used as an env variable in the `backup-restore` container of `etcd-main` (ref).
Motivation (Why is this needed?):
Gardener aims to comply with DISA K8s STIGs. This issue is in sync with rule 242415.
Approach/Hint to implement the solution (optional):
Specifically for the case of `storageAPIEndpoint`, it can be stored in a ConfigMap, since it is not sensitive information. If it needs to stay in the `etcd-backup` secret, it can be read from a mounted file. The secret is already mounted in `backup-restore` for the use of `serviceaccount.json` (ref).
For other cases a similar approach can be used or, if possible, a case-specific one.
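The following is an added example, not code from this issue or from the Gardener or etcd-druid projects. It shows the pattern the issue describes (the `backup-restore` container taking `storageAPIEndpoint` from the `etcd-backup` secret via `secretKeyRef`) next to the proposed fix (the non-sensitive value sourced from a ConfigMap, anything still secret read from the already-mounted volume), together with a small audit function that flags any container env var sourced from a Secret, including whole-secret `envFrom` injection, which is the check rule 242415 effectively asks for. The pod specs are constructed to mirror the issue text; the ConfigMap name `etcd-backup-config`, the mount path `/var/etcd-backup` and the env var name are assumptions.

```python
"""Audit Kubernetes pod specs for Secrets exposed as environment variables.

Added example; the specs below are constructed to mirror the issue.
ConfigMap name, mount path and env var name are assumptions.
"""
import os
from typing import Dict, List, Tuple

# (container name, env var name or "*" for a whole secret, secret name)
Finding = Tuple[str, str, str]


def find_secret_env_vars(pod_spec: Dict) -> List[Finding]:
    """Return every environment variable a container sources from a Secret.

    Covers both `env[].valueFrom.secretKeyRef` (a single key) and
    `envFrom[].secretRef` (every key of the secret, reported as "*").
    Init containers are inspected as well, since the rule applies to them too.
    """
    findings: List[Finding] = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for container in containers:
        for env in container.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append((container["name"], env["name"], ref["name"]))
        for source in container.get("envFrom", []):
            ref = source.get("secretRef")
            if ref:
                findings.append((container["name"], "*", ref["name"]))
    return findings


def read_mounted_key(mount_dir: str, key: str) -> str:
    """Read one key of a Secret mounted as a volume, e.g. serviceaccount.json.

    This is the "read from a mounted file" alternative the issue suggests for
    values that must stay in the secret. `mount_dir` is an assumed path.
    """
    with open(os.path.join(mount_dir, key), "r", encoding="utf-8") as fh:
        return fh.read().strip()


# Before: the pattern the issue objects to (constructed, not a real manifest).
BEFORE_SPEC: Dict = {
    "containers": [{
        "name": "backup-restore",
        "image": "backup-restore:placeholder",  # placeholder image tag
        "env": [{
            "name": "STORAGE_API_ENDPOINT",  # assumed env var name
            "valueFrom": {"secretKeyRef": {"name": "etcd-backup",
                                           "key": "storageAPIEndpoint"}},
        }],
        "volumeMounts": [{"name": "etcd-backup", "mountPath": "/var/etcd-backup"}],
    }],
    "volumes": [{"name": "etcd-backup", "secret": {"secretName": "etcd-backup"}}],
}

# After: the non-sensitive endpoint comes from a ConfigMap (name assumed);
# the secret stays mounted as a volume and is read from files only.
AFTER_SPEC: Dict = {
    "containers": [{
        "name": "backup-restore",
        "image": "backup-restore:placeholder",
        "env": [{
            "name": "STORAGE_API_ENDPOINT",
            "valueFrom": {"configMapKeyRef": {"name": "etcd-backup-config",
                                              "key": "storageAPIEndpoint"}},
        }],
        "volumeMounts": [{"name": "etcd-backup", "mountPath": "/var/etcd-backup"}],
    }],
    "volumes": [{"name": "etcd-backup", "secret": {"secretName": "etcd-backup"}}],
}


if __name__ == "__main__":
    for label, spec in (("before", BEFORE_SPEC), ("after", AFTER_SPEC)):
        print(label, find_secret_env_vars(spec))
```

The audit reports one finding for the "before" spec and none for the "after" spec; running it over `kubectl get pod -o json` output (the `.spec` object) gives the same check against a live cluster.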