We observed that your manifest exposes Kubernetes secrets directly in environment variable declarations or volume mounts using secretKeyRef and secret fields without proper restrictions. This practice is considered insecure and may lead to unintentional leakage of sensitive data such as credentials or API tokens.
We provide supporting evidence from https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-12/gain-environment-information-in-kubernetes-cluster
which highlights insecure secret management as a common misconfiguration leading to Credential Access vulnerabilities.

Location:

This pattern makes secrets easily accessible to any process running within the container, and does not provide mechanisms like auditing, expiration, or access controls beyond basic RBAC. If multiple containers share a pod, any of them can access the same environment variables or mounted secret volumes.

Expected Behavior:
Secrets should be stored securely, injected on-demand, and rotated regularly. Only explicitly authorized containers should be able to access secrets, with strict privilege separation enforced.

Suggested Fix:
Integrate a secrets manager such as HashiCorp Vault