Infrastructure as Code
Terraform state files, hardcoded provider credentials, Kubernetes privileged containers, Helm secrets, network policies, and drift detection.
8 vulnerabilities
Terraform State Exposed
Severity: critical
Your terraform.tfstate file is committed to your repository or stored in an unencrypted, publicly accessible location — it contains every secret and resource ID in your infrastructure.

Terraform Provider Credentials Hardcoded
Severity: critical
AWS, GCP, or Azure credentials are hardcoded in your .tf files instead of using environment variables or instance roles, committing cloud access keys to version control.

Kubernetes Privileged Container
Severity: high
Your Kubernetes pod runs with securityContext.privileged: true, giving the container full access to the host kernel and effectively bypassing container isolation.

Kubernetes Default Service Account
Severity: medium
Pods running with the default service account inherit cluster-level RBAC permissions that are often far more powerful than the workload needs, enabling lateral movement if the pod is compromised.

Helm Chart Secrets in Values
Severity: high
Passwords, API keys, and other secrets are hardcoded directly in Helm values.yaml files, which get committed to version control and exposed to anyone with repository access.

Missing Kubernetes Network Policies
Severity: medium
Without NetworkPolicy resources, every pod in the cluster can communicate with every other pod on any port, enabling unrestricted lateral movement after a single pod is compromised.

Kubernetes Secrets Not Encrypted at Rest
Severity: medium
Kubernetes Secrets are stored as base64-encoded plaintext in etcd by default, meaning anyone with access to the etcd datastore or its backups can read every secret in the cluster.

No Infrastructure Drift Detection
Severity: low
Without running terraform plan in CI or a drift detection tool, manual changes to cloud resources go undetected, creating security gaps between your declared infrastructure and what actually runs in production.