Add notes about passing secrets via environment variables (#40519)

(cherry picked from commit 07e6eb8)
apache · Jul 2, 2024 · fd46830 · fd46830
1 parent d122959
commit fd46830
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/docs/apache-airflow-providers-cncf-kubernetes/operators.rst b/docs/apache-airflow-providers-cncf-kubernetes/operators.rst
@@ -278,6 +278,15 @@ Example:
         callbacks=MyCallback,
     )
 
+Passing secrets
+^^^^^^^^^^^^^^^
+
+Never use environment variables to pass secrets (for example connection authentication information) to
+Kubernetes Pod Operator. Such environment variables will be visible to anyone who has access
+to see and describe PODs in Kubernetes. Instead, pass your secrets via native Kubernetes ``Secrets`` or
+use Connections and Variables from Airflow. For the latter, you need to have ``apache-airflow`` package
+installed in your image in the same version as airflow you run your Kubernetes Pod Operator from).
+
 Reference
 ^^^^^^^^^
 For further information, look at:

diff --git a/docs/apache-airflow/security/secrets/mask-sensitive-values.rst b/docs/apache-airflow/security/secrets/mask-sensitive-values.rst
@@ -78,3 +78,14 @@ or
             ...
 
 The mask must be set before any log/output is produced to have any effect.
+
+NOT masking when using environment variables
+""""""""""""""""""""""""""""""""""""""""""""
+
+When you are using some operators - for example :class:`airflow.providers.cncf.kubernetes.operators.pod.KubernetesPodOperator`,
+you might be tempted to pass secrets via environment variables. This is very bad practice because the environment
+variables are visible to anyone who has access to see the environment of the process - such secrets passed by
+environment variables will NOT be masked by Airflow.
+
+If you need to pass secrets to the KubernetesPodOperator, you should use native Kubernetes secrets or
+use Airflow Connection or Variables to retrieve the secrets dynamically.