Add notes about passing secrets via environment variables

docs/apache-airflow-providers-cncf-kubernetes/operators.rst

@@ -278,6 +278,15 @@ Example:
         callbacks=MyCallback,
     )
 
+Passing secrets
+^^^^^^^^^^^^^^^
+
+Never use environment variables to pass secrets (for example connection authentication information) to
+Kubernetes Pod Operator. Such environment variables will be visible to anyone who has access
+to see and describe PODs in Kubernetes. Instead, pass your secrets via native Kubernetes ``Secrets`` or
+use Connections and Variables from Airflow. For the latter, you need to have ``apache-airflow`` package
+installed in your image in the same version as airflow you run your Kubernetes Pod Operator from).
+
 Reference
 ^^^^^^^^^
 For further information, look at:

docs/apache-airflow/security/secrets/mask-sensitive-values.rst

@@ -78,3 +78,14 @@ or
             ...
 
 The mask must be set before any log/output is produced to have any effect.
+
+NOT masking when using environment variables
+""""""""""""""""""""""""""""""""""""""""""""
+
+When you are using some operators - for example :class:`airflow.providers.cncf.kubernetes.operators.pod.KubernetesPodOperator`,
+you might be tempted to pass secrets via environment variables. This is very bad practice because the environment
+variables are visible to anyone who has access to see the environment of the process - such secrets passed by
+environment variables will NOT be masked by Airflow.
+
+If you need to pass secrets to the KubernetesPodOperator, you should use native Kubernetes secrets or
+use Airflow Connection or Variables to retrieve the secrets dynamically.