Bitnami Helm Charts and CIS Kubernetes Benchmark: Now Using Secret Volumes Files by Default

By Miguel Ruiz posted 7 days ago

We are excited to announce an important security enhancement across our Bitnami Helm charts: Secrets are now mounted as volume files by default, in alignment with the CIS Kubernetes Benchmark.

This change is part of our ongoing security hardening efforts to ensure Bitnami charts follow modern Kubernetes security best practices out of the box.

What have we changed?

Previously, the Bitnami Helm charts injected application secrets into containers as environment variables using the secretKeyRef approach:

- name: APPNAME_PASSWORD
  valueFrom:
    secretKeyRef:
      name: secret-name
      key: secret-key

With this update, we’ve transitioned to using *_FILE environment variables that point to a secret volume containing the passwords.

- name: APPNAME_PASSWORD_FILE
  value: "/opt/bitnami/appname/secrets/secret-key"

Secrets are now mounted as volumes at the referenced paths. Whenever supported, the applications are configured to use these paths instead of the environment variables.

In scenarios where applications do not natively support reading secrets from files, Bitnami containers read the secret file during initialization and load the value before the application starts. This approach significantly reduces the risk of unintentional secret exposure: if a Kubernetes node is compromised, an attacker could retrieve the environment variables of all running containers. By following this security best practice and aligning with the CIS Benchmark, it becomes more difficult for attackers to access container secrets.
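The following is an added example, not Bitnami's own init code: a portable shell function that implements the *_FILE convention described above, reading NAME from the path in NAME_FILE only inside the container process. The variable names, the temporary directory and the sample password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Bitnami's own code): implement the *_FILE convention the
# post describes. If NAME_FILE is set, read the secret from that path into NAME
# so the application sees the value only inside its own process, while the pod
# spec's env list carries nothing but a file path.
set -eu

# load_secret_from_file NAME
#   Exports NAME from the file named by NAME_FILE. Returns 0 when NAME_FILE is
#   unset (the chart was deployed with usePasswordFiles=false); fails when the
#   variable name is not a valid identifier or the file cannot be read.
load_secret_from_file() {
  name="$1"
  case "$name" in
    ""|[0-9]*|*[!A-Za-z0-9_]*)
      echo "ERROR: '$name' is not a valid variable name" >&2; return 1 ;;
  esac
  file_var="${name}_FILE"
  eval "path=\${${file_var}:-}"
  [ -n "$path" ] || return 0
  if [ ! -r "$path" ]; then
    echo "ERROR: ${file_var}=${path} is not readable" >&2; return 1
  fi
  # Command substitution drops trailing newlines, which secret files created
  # with 'kubectl create secret --from-file' usually carry.
  value=$(cat "$path")
  eval "export ${name}=\"\$value\""
}

# Constructed demo: a temp directory stands in for a mounted Secret volume.
demo_dir=$(mktemp -d)
printf 'S3cr3t!\n' > "$demo_dir/mariadb-password"
export MARIADB_PASSWORD_FILE="$demo_dir/mariadb-password"
load_secret_from_file MARIADB_PASSWORD
# MARIADB_PASSWORD now holds the file's contents (without the trailing newline)
# and can be handed to the application at startup.
```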

If you prefer to continue using environment variables for your application secrets, this behavior can be reverted by setting usePasswordFiles=false in the chart values.

Improved Security Compliance

As a result of this change, along with other enhancements introduced as part of this initiative, our charts are now fully compliant with all relevant Kubernetes security frameworks.

For example, below is the Kubescape compliance score comparison for the Bitnami MariaDB Helm chart:

This new security best practice joins the existing ones already implemented for Helm charts and container images:

  • Containers running without group root
  • Immutable filesystem
  • No pod is without a resource request or limit
  • OpenShift restricted-v2 SCC support

You can find more information about these in the previous blog post. The commercial editions of Bitnami extend this focus to enterprise-grade security and compliance.

Bitnami Premium is especially useful for enterprises that require third-party open source software to comply with policies related to auditability, supply chain integrity, and time to remediate vulnerabilities.

Tanzu Application Catalog simplifies the process of meeting several FedRAMP requirements: FIPS support, STIG compliance, and zero or minimal CVEs with VEX statements.

For any questions or suggestions, open an issue at https://github.com/bitnami/charts/issues.
