I do not understand how the standard practice to pass secrets as environment variables to containers considered as safe? [duplicate]

Çağlar Arlı

TL;DR

The container's environment variables can be queried in many ways, with native Docker tools or third-party tools. The Docker admin user (or any user in the docker group), who is not necessarily a DBA on a container's image, can still dump the root (mysql, mariadb)/superuser/sa/etc. password.

Many reputable open source projects' official Docker Hub containers follow the practice of passing secrets as environment variables. To be clear, I am not talking about how to keep those secret values safe in docker-compose.yml or docker run scripts, or in any more sophisticated IaC solution (and how not to commit them to a repo, how not to let them show up in log files, etc.). That is another story, and there are best-practice solutions for that.

My question is about what I described in the TL;DR: any Docker admin can freely dump those secrets, whatever kind of software it is. In some cases we can say that with (root?) access within the container no secrets remain uncovered there, but even this is not fully true; much installed software keeps its secrets relatively safe even in this scenario.

Now with the secrets-in-environment-variables practice we keep all secrets live and simply accessible. Plus they are stored in the Docker engine's meta-info, as it remembers the launch context, so there are two easy ways for the Docker admin to fetch those secrets: either query the Docker engine, or exec into the container and run env...

Edit

Many thanks for the links.

I think neither answers the thoughts exposed below. Maybe my phrasing, or the OP title, was not/is not clear.

Should I rephrase the question to something like this: "Why is it still a standard practice to pass secrets as env variables, when in 2024 it is clear this is not only an enhanced security risk but also a malpractice by design"?

All links you provided:

  • do not mention one of the main arguments, neither in the question nor in the answers: that a sysadmin of one host can see the secrets of other hosts. Think about it: even root cannot see others' secrets (for example passwords) on the very same host. Now how is it possible that a user in the docker group on one host can see a deployed container's secrets?

  • one of the 2015 answers mentions that maybe whoever uses env vars is not aware of the malpractice because Docker is relatively new. This is not an answer in 2024, and especially not an answer to the rephrased question.

  • one of the answers mentions that passing secrets in env variables can be safe "but only if immediately deleting them", which is definitely not the case. So this is also not an answer. Those containers keep the secrets. The new official WordPress container even uses them throughout its runtime, because the config file reads them from the environment at "runtime".

  • Neither the answers nor the questions mention that not only do the env variables store the secret, they are also stored by the Docker engine as the start context, so even if the container logic allowed deleting the variables later, the engine would still store them as meta-info (it is a prerequisite for automatic restart, for example), and they can be queried later.
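As an added example (not part of the question or of any Docker project), the following audit script makes the `docker inspect` exposure described above concrete from the defender's side: it reads the JSON that `docker inspect $(docker ps -q)` prints and reports containers whose recorded `.Config.Env` holds a literal secret, while treating the `*_FILE` convention and `/run/secrets/` paths as acceptable. The secret-name pattern and the two sample containers are constructed assumptions.

```python
"""Audit `docker inspect` output for secrets passed as plain environment variables.
Added example; input is the JSON array from `docker inspect <ids>`, sample is constructed."""
import json
import re
from typing import Dict, List

# Env var names that usually carry a secret (pattern is an assumption; extend as needed).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)
# Values pointing into a secrets mount are file references, not the secret itself.
SECRET_MOUNT_PREFIX = "/run/secrets/"


def audit_inspect(inspect_json: str) -> Dict[str, List[str]]:
    """Return {container_name: [env var names holding a literal secret]}.
    `.Config.Env` is recorded by the engine at `docker run` time, so it stays
    readable via `docker inspect` even if the process later unsets the variable."""
    findings: Dict[str, List[str]] = {}
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        exposed = []
        for entry in container.get("Config", {}).get("Env", []):
            key, _, value = entry.partition("=")
            if not SECRET_NAME.search(key):
                continue
            # The *_FILE convention (e.g. MYSQL_ROOT_PASSWORD_FILE) and paths under
            # /run/secrets/ carry a file name, not the secret: not a finding.
            if key.upper().endswith("_FILE") or value.startswith(SECRET_MOUNT_PREFIX):
                continue
            exposed.append(key)
        if exposed:
            findings[name] = exposed
    return findings


# Constructed sample of two containers: one passes the password literally,
# the other points the image at a mounted secret file.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/db-legacy", "Config": {"Env": [
        "MYSQL_ROOT_PASSWORD=hunter2", "MYSQL_DATABASE=app", "PATH=/usr/bin"]}},
    {"Name": "/db-secrets", "Config": {"Env": [
        "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root", "MYSQL_DATABASE=app"]}},
])

if __name__ == "__main__":
    for container, keys in audit_inspect(SAMPLE_INSPECT).items():
        print(f"{container}: secret readable via `docker inspect`: {', '.join(keys)}")
```

On a real host, pipe `docker inspect $(docker ps -q)` into `audit_inspect` to list which running containers still expose a secret this way.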