This is an automated email from the ASF dual-hosted git repository.

utkarsharma pushed a commit to branch v2-9-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit 998c3645ce62deaed494538307e61707e89b05d4
Author: Jarek Potiuk <[email protected]>
AuthorDate: Mon Jul 1 16:50:46 2024 +0200

    Add notes about passing secrets via environment variables (#40519)
    
    (cherry picked from commit 07e6eb8e36d2a1c4a7f2e408821997a06d57d0fe)
---
 docs/apache-airflow-providers-cncf-kubernetes/operators.rst   |  9 +++++++++
 .../apache-airflow/security/secrets/mask-sensitive-values.rst | 11 +++++++++++
 2 files changed, 20 insertions(+)

diff --git a/docs/apache-airflow-providers-cncf-kubernetes/operators.rst 
b/docs/apache-airflow-providers-cncf-kubernetes/operators.rst
index 80541f315c..5d2f9aef62 100644
--- a/docs/apache-airflow-providers-cncf-kubernetes/operators.rst
+++ b/docs/apache-airflow-providers-cncf-kubernetes/operators.rst
@@ -278,6 +278,15 @@ Example:
         callbacks=MyCallback,
     )
 
+Passing secrets
+^^^^^^^^^^^^^^^
+
+Never use environment variables to pass secrets (for example connection 
authentication information) to
+Kubernetes Pod Operator. Such environment variables will be visible to anyone 
who has access
+to see and describe PODs in Kubernetes. Instead, pass your secrets via native 
Kubernetes ``Secrets`` or
+use Connections and Variables from Airflow. For the latter, you need to have 
``apache-airflow`` package
+installed in your image in the same version as airflow you run your Kubernetes 
Pod Operator from).
+
 Reference
 ^^^^^^^^^
 For further information, look at:
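Review bot: The last added sentence of the "Passing secrets" paragraph ends with "Pod Operator from)." and the closing parenthesis has no opening partner, so either drop it or open the parenthesis before "For the latter". The same paragraph writes "Kubernetes Pod Operator" and "PODs", while the other file touched by this commit uses the class name ``KubernetesPodOperator``; using the class name and "Pods" here would keep the two notes consistent and searchable. The advice to use native Kubernetes ``Secrets`` also gives the reader no pointer to how that is done with this operator, so a cross-reference to the relevant section or parameter documentation would make the warning actionable.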
diff --git a/docs/apache-airflow/security/secrets/mask-sensitive-values.rst 
b/docs/apache-airflow/security/secrets/mask-sensitive-values.rst
index 913fc12473..1c3974a3ff 100644
--- a/docs/apache-airflow/security/secrets/mask-sensitive-values.rst
+++ b/docs/apache-airflow/security/secrets/mask-sensitive-values.rst
@@ -78,3 +78,14 @@ or
             ...
 
 The mask must be set before any log/output is produced to have any effect.
+
+NOT masking when using environment variables
+""""""""""""""""""""""""""""""""""""""""""""
+
+When you are using some operators - for example 
:class:`airflow.providers.cncf.kubernetes.operators.pod.KubernetesPodOperator`,
+you might be tempted to pass secrets via environment variables. This is very 
bad practice because the environment
+variables are visible to anyone who has access to see the environment of the 
process - such secrets passed by
+environment variables will NOT be masked by Airflow.
+
+If you need to pass secrets to the KubernetesPodOperator, you should use 
native Kubernetes secrets or
+use Airflow Connection or Variables to retrieve the secrets dynamically.
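Review bot: In the paragraph under "NOT masking when using environment variables", the sentence beginning "This is very bad practice because" joins two different risks with a dash: that the process environment is readable by anyone with access to it, and that Airflow does not mask such values. Splitting these into two sentences, and saying where the unmasked values would show up, would make clear that masking is a separate concern from environment visibility. The heading would read better as something like "No masking for secrets passed via environment variables". The wording here ("very bad practice") is also softer than the "Never use environment variables" in the operators.rst hunk of the same commit; pick one strength, and consider a cross-reference between the two notes so they do not drift apart.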
