From 4572811d6144f0348a952f9aeba151fd25fc11ad Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Mon, 1 Jul 2024 16:23:26 +0200 Subject: [PATCH] Add notes about passing secrets via environment variables --- .../operators.rst | 9 +++++++++ .../security/secrets/mask-sensitive-values.rst | 11 +++++++++++ 2 files changed, 20 insertions(+) diff --git a/docs/apache-airflow-providers-cncf-kubernetes/operators.rst b/docs/apache-airflow-providers-cncf-kubernetes/operators.rst index 80541f315c0d8..5d2f9aef6277a 100644 --- a/docs/apache-airflow-providers-cncf-kubernetes/operators.rst +++ b/docs/apache-airflow-providers-cncf-kubernetes/operators.rst @@ -278,6 +278,15 @@ Example: callbacks=MyCallback, ) +Passing secrets +^^^^^^^^^^^^^^^ + +Never use environment variables to pass secrets (for example connection authentication information) to +Kubernetes Pod Operator. Such environment variables will be visible to anyone who has access +to see and describe PODs in Kubernetes. Instead, pass your secrets via native Kubernetes ``Secrets`` or +use Connections and Variables from Airflow. For the latter, you need to have ``apache-airflow`` package +installed in your image in the same version as airflow you run your Kubernetes Pod Operator from). + Reference ^^^^^^^^^ For further information, look at: diff --git a/docs/apache-airflow/security/secrets/mask-sensitive-values.rst b/docs/apache-airflow/security/secrets/mask-sensitive-values.rst index 913fc124731ff..1c3974a3ff856 100644 --- a/docs/apache-airflow/security/secrets/mask-sensitive-values.rst +++ b/docs/apache-airflow/security/secrets/mask-sensitive-values.rst 
@@ -78,3 +78,14 @@ or ... The mask must be set before any log/output is produced to have any effect. + +NOT masking when using environment variables +"""""""""""""""""""""""""""""""""""""""""""" + +When you are using some operators - for example :class:`airflow.providers.cncf.kubernetes.operators.pod.KubernetesPodOperator`, +you might be tempted to pass secrets via environment variables. This is very bad practice because the environment +variables are visible to anyone who has access to see the environment of the process - such secrets passed by +environment variables will NOT be masked by Airflow. + +If you need to pass secrets to the KubernetesPodOperator, you should use native Kubernetes secrets or +use Airflow Connection or Variables to retrieve the secrets dynamically.
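Review bot: the new "Passing secrets" section in operators.rst has an unbalanced parenthesis and an unstated prerequisite. The sentence `installed in your image in the same version as airflow you run your Kubernetes Pod Operator from).` closes a parenthesis that was never opened; either drop the `)` or open one before `you need to have`. More substantively, telling the reader to `use Connections and Variables from Airflow` from inside the pod only works if the pod can reach the Airflow metadata database or a configured secrets backend, and the credential for that is itself a secret that has to be delivered to the pod somehow; the paragraph should say how that bootstrap credential is expected to arrive (for instance a mounted Kubernetes Secret), otherwise the advice quietly reintroduces the problem it warns about. The exposure described (`visible to anyone who has access to see and describe PODs`) applies to literal values in the Pod spec; a value sourced from a Kubernetes Secret through a secretKeyRef does not show up in describe output, but it is still readable by anyone who can exec into the container or read its process environment, so it is worth saying that mounting the Secret as a file is the safer of the two native options. Style: Kubernetes documentation writes `Pods`, not `PODs`, and `airflow` should be `Airflow` when it names the product.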
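Review bot: the new "NOT masking when using environment variables" subsection in mask-sensitive-values.rst conflates two separate problems, and the causal link in `This is very bad practice because the environment variables are visible to anyone who has access to see the environment of the process - such secrets passed by environment variables will NOT be masked by Airflow` does not hold as written. Visibility of the process environment is a Kubernetes/OS exposure that log masking could never address; the masking gap is a different thing, namely that a literal secret written into the operator call is never registered as a mask, so it can appear unredacted in rendered templates and task logs. Suggest splitting the paragraph into those two points and stating explicitly that masking only ever applies to Airflow's own log output, never to what the Pod or its environment exposes. Wording: `This is very bad practice` reads better as `This is a bad practice`, and `use Airflow Connection or Variables` should be `use Airflow Connections or Variables` to match the operators.rst text in the same patch; a `:ref:` to that new section would also avoid stating the recommendation twice. The title is awkward; `Secrets passed via environment variables are not masked` says the same thing as a plain sentence.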