> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Read environment variable from proc files

### Event Information

#### Meaning

* The "Read environment variable from proc files" event in a Kubernetes cluster indicates that a process running within a container is attempting to read environment variables from the /proc filesystem.
* This event could potentially indicate a security concern, as reading environment variables from /proc can expose sensitive information such as passwords or API keys.
* To investigate this event, you can use the kubectl command to check the logs of the container where the event occurred. For example, you can use "kubectl logs `<pod_name>` -c `<container_name>`" to view the logs and look for any suspicious activity related to reading environment variables from /proc.

#### Remediation

1. Isolate Environment Variables Using ConfigMaps:
   * Instead of allowing environment variables to be read from /proc, it is more secure to manage and inject environment variables using ConfigMaps or Secrets in Kubernetes.
   * Create ConfigMap
   ````yaml theme={null}
   apiVersion: v1
   kind: ConfigMap
   metadata:
    name: env-vars
   data:
    MY_ENV_VAR: "<value>"  

   - Apply the ConfigMap:
   ```kubectl apply -f configmap.yaml``` 

   ````

2. Use Secrets for Sensitive Data:
   * If the environment variable contains sensitive information (like API keys or passwords), use a Secret instead of a ConfigMap:
   ```yaml theme={null}
   apiVersion: v1
   kind: Secret
   metadata:
    name: sensitive-env-vars
   type: Opaque
   data:
    MY_SECRET_VAR: <base64-encoded-value>
   ```
   * Apply the Secret:
     `kubectl apply -f secret.yaml`

3. Mount the ConfigMap or Secret to the Pod:
   * Modify the deployment manifest to reference the ConfigMap or Secret for injecting environment variables securely:
   ```yaml theme={null}
   apiVersion: apps/v1
   kind: Deployment
   metadata:
    name: my-deployment
   spec:
     template:
       spec:
         containers:
          - name: my-container
            image: my-image
            envFrom:
              - configMapRef:
                  name: env-vars
              - secretRef:
                  name: sensitive-env-vars

   ```

4. Restrict Access to the /proc Filesystem:

   * Prevent processes from unnecessarily accessing the /proc filesystem by limiting the permissions of the container.
   * Ensure that the container is not running in privileged mode, which could allow it to access sensitive areas of the host system, including /proc. Modify the container’s security context to explicitly disable privileged access:

   ```yaml theme={null}
   securityContext:
     privileged: false
     readOnlyRootFilesystem: true
   ```
