uplsh580 commented on issue #60668:
URL: https://github.com/apache/airflow/issues/60668#issuecomment-3764090095
### Discussion 3
```
kubernetes_environment_variables client_id
some_uuid <- probably shouldn't be exposed
kubernetes_environment_variables client_secret
some_secret <- probably shouldn't be exposed
```
According to the official Airflow documentation, passing secrets via
environment variables is considered bad practice. Since users are encouraged to
use Kubernetes Secrets or Airflow Connections for sensitive data, I believe
kubernetes_environment_variables should not ideally contain sensitive
information that requires masking.
> ### NOT masking when using environment variables
> When you are using some operators - for example
> [airflow.providers.cncf.kubernetes.operators.pod.KubernetesPodOperator](https://airflow.apache.org/docs/apache-airflow-providers-cncf-kubernetes/stable/_api/airflow/providers/cncf/kubernetes/operators/pod/index.html#airflow.providers.cncf.kubernetes.operators.pod.KubernetesPodOperator),
> you might be tempted to pass secrets via environment variables. This is very
> bad practice because the environment variables are visible to anyone who has
> access to see the environment of the process - such secrets passed by
> environment variables will NOT be masked by Airflow.
>
> If you need to pass secrets to the KubernetesPodOperator, you should use
> native Kubernetes secrets or use Airflow Connection or Variables to retrieve
> the secrets dynamically.

https://airflow.apache.org/docs/apache-airflow/stable/security/secrets/mask-sensitive-values.html#not-masking-when-using-environment-variables
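An added example, not part of the comment above or of Airflow's code: a small check over a pod spec (plain dicts in the Kubernetes manifest shape) that reports sensitive-looking environment variables set as literal values and accepts the same variable when it is sourced through `valueFrom.secretKeyRef`. The hint list, the secret name `oauth-client` and both sample specs are constructed for illustration.

```python
# Added example: audit a pod spec for secrets passed as literal env values.
# SENSITIVE_HINTS and both sample specs are constructed for illustration.
SENSITIVE_HINTS = ("secret", "password", "passwd", "token", "api_key", "private_key")


def literal_secret_env(pod_spec, hints=SENSITIVE_HINTS):
    """Return (container, env name) pairs whose value is inline in the spec.

    An entry using valueFrom.secretKeyRef is resolved from a Kubernetes
    Secret at container start, so the value never appears in the spec.
    """
    findings = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for container in containers:
        for env in container.get("env") or []:
            name = env.get("name", "")
            looks_sensitive = any(h in name.lower() for h in hints)
            # Only a literal "value" key exposes the secret in the spec.
            if looks_sensitive and "value" in env:
                findings.append((container.get("name", "?"), name))
    return findings


# Constructed "before": the secret is a plain value in the pod spec.
WEAK_SPEC = {
    "containers": [{
        "name": "base",
        "env": [
            {"name": "CLIENT_ID", "value": "some_uuid"},
            {"name": "CLIENT_SECRET", "value": "some_secret"},
        ],
    }]
}

# Constructed "after": the same variable is sourced from a Kubernetes Secret.
HARDENED_SPEC = {
    "containers": [{
        "name": "base",
        "env": [
            {"name": "CLIENT_ID", "value": "some_uuid"},
            {"name": "CLIENT_SECRET", "valueFrom": {
                "secretKeyRef": {"name": "oauth-client", "key": "client_secret"}}},
        ],
    }]
}

if __name__ == "__main__":
    print("weak:", literal_secret_env(WEAK_SPEC))
    print("hardened:", literal_secret_env(HARDENED_SPEC))
```

Name-based hints do not catch a variable such as `CLIENT_ID`; pass a wider `hints` tuple when identifiers like that should also be kept out of the spec.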