
Exposure of Kubernetes secrets via insecure secretKeyRef usage #939

@zyue110026

Description

We observed that your manifest exposes Kubernetes secrets directly in environment variable declarations or volume mounts using secretKeyRef and secret fields without proper restrictions. This practice is considered insecure and may lead to unintentional leakage of sensitive data such as credentials or API tokens.

We provide supporting evidence from https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-12/gain-environment-information-in-kubernetes-cluster which highlights insecure secret management as a common misconfiguration leading to Credential Access vulnerabilities.

This pattern makes secrets easily accessible to any process running within the container, and does not provide mechanisms like auditing, expiration, or access controls beyond basic RBAC. If multiple containers share a pod, any of them can access the same environment variables or mounted secret volumes.

Location:

```yaml
- name: ORC_TOPOLOGY_USER
  valueFrom:
    secretKeyRef:
      name: {{ include "orchestrator.secretName" . }}
      key: TOPOLOGY_USER
- name: ORC_TOPOLOGY_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ include "orchestrator.secretName" . }}
      key: TOPOLOGY_PASSWORD
```

Suggested Fix:
Integrate a secrets manager such as HashiCorp Vault.
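As an added example (not code from this issue or the project), a small audit script that lists, from `kubectl get pod ... -o json` output, every environment variable populated from a Secret, which is the pattern the issue flags. The pod JSON, image names and the secret name `orchestrator-secret` are constructed placeholders.

```python
"""Audit a pod spec for Secret values injected as environment variables."""
import json

# Constructed sample, not from the project: roughly what
# `kubectl get pod orchestrator-0 -o json` could return for a pod rendered
# from the template quoted in the issue. The secret name is a placeholder.
SAMPLE_POD_JSON = """
{"kind": "Pod", "metadata": {"name": "orchestrator-0", "namespace": "db"},
 "spec": {"containers": [
   {"name": "orchestrator", "image": "placeholder/orchestrator",
    "env": [
      {"name": "ORC_TOPOLOGY_USER", "valueFrom": {"secretKeyRef":
         {"name": "orchestrator-secret", "key": "TOPOLOGY_USER"}}},
      {"name": "ORC_TOPOLOGY_PASSWORD", "valueFrom": {"secretKeyRef":
         {"name": "orchestrator-secret", "key": "TOPOLOGY_PASSWORD"}}},
      {"name": "LOG_LEVEL", "value": "info"}]},
   {"name": "sidecar", "image": "placeholder/sidecar",
    "envFrom": [{"secretRef": {"name": "orchestrator-secret"}}]}]}}
"""


def find_env_secret_refs(pod: dict) -> list[dict]:
    """List every environment variable whose value is pulled from a Secret.

    Covers both forms: `valueFrom.secretKeyRef` (one key per variable) and
    `envFrom.secretRef` (every key of the Secret becomes a variable). Init
    containers are included because they run inside the same pod.
    """
    findings = []
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            for env in container.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    findings.append({"container": container["name"], "env": env["name"],
                                     "secret": ref["name"], "key": ref.get("key")})
            for src in container.get("envFrom", []):
                ref = src.get("secretRef")
                if ref:  # whole Secret expanded into the environment
                    findings.append({"container": container["name"], "env": "*",
                                     "secret": ref["name"], "key": "*"})
    return findings


def audit_pod_json(pod_json: str) -> list[dict]:
    """Parse `kubectl ... -o json` output and return the findings."""
    return find_env_secret_refs(json.loads(pod_json))


if __name__ == "__main__":
    for f in audit_pod_json(SAMPLE_POD_JSON):
        print(f"{f['container']}: env {f['env']} <- secret {f['secret']}/{f['key']}")
```

Each finding names the container, so a reviewer can see at once which containers in a shared pod receive the same Secret.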
