Dear Kubernetes Security Team,
I hope this message finds you well.
During a routine security review of Kubernetes-related code, I came across what appears to be a case of poor security hygiene in the cluster-autoscaler repository, specifically in the Brightbox cloud provider integration.
In the following file:
https://github.com/kubernetes/autoscaler/blob/31caf5b0bf0f5eea79a265c7e82b107f268c25fc/cluster-autoscaler/cloudprovider/brightbox/k8ssdk/testing.go#L90
There are hardcoded authentication values present.
While I understand this code is located within a test file, embedding real-looking credentials or tokens—even in test contexts—represents poor security practice and can be misleading or risky, especially if reused or misconfigured in production environments.
Exposing such secrets, even in tests, contradicts secure coding principles and could be flagged during audits or automated scans. Given Kubernetes' critical position in cloud infrastructure, maintaining consistent security hygiene across all components—test or otherwise—is essential.
I am not certain whether this qualifies as an active vulnerability, but I felt it was important to bring this to your attention directly and responsibly. Please note: I have not attempted to test, validate, or exploit any of the exposed information in any way.
Let me know if this should be re-routed through your bug bounty program or if further details are needed.
Sincerely,
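The report above is about credential-looking literals committed in a Go test file. The following is an added example, not part of the report and not code from the cluster-autoscaler project: a small scanner that walks Go source, flags string literals assigned to identifiers with secret-like names, and suppresses values that are obviously placeholders. The Go source it scans is constructed for this example and the literal values in it are invented; nothing here reflects the contents of the file the report points to.

```python
import math
import re
from dataclasses import dataclass

# Constructed Go test source for this example (not the autoscaler's file);
# every literal value below is an invented placeholder.
SAMPLE_GO_TEST = '''package k8ssdk

const (
	clientID     = "cli-a1b2c3"                    // constructed, looks real: flagged
	clientSecret = "Q2vX9pLm4tRw8sKd1yHb"          // constructed, looks real: flagged
	tokenURL     = "https://example.invalid/token" // placeholder host: skipped
	apiKey       = "xxx-fake-key"                  // obvious dummy: skipped
	short        = "abc"                           // name not secret-like: skipped
)
'''

# Identifier names that commonly carry credentials.
SECRET_NAME = re.compile(
    r"(secret|token|passw(or)?d|api[_-]?key|client[_-]?id|credential)", re.I
)
# A Go assignment of a double-quoted string literal: `name = "..."`, `name := "..."`,
# `const name = "..."`, or `var name string = "..."`.
ASSIGN = re.compile(
    r'^\s*(?:const|var)?\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?::?=|string\s*=)\s*"([^"]*)"'
)
# Markers that make a value self-evidently fake; these are not worth reporting.
PLACEHOLDER = re.compile(
    r"(example|placeholder|dummy|fake|xxx|changeme|redacted)", re.I
)


@dataclass
class Finding:
    line: int
    name: str
    value: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; higher values suggest generated secrets rather than words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_go_source(src: str, min_len: int = 8) -> list:
    """Return one Finding per credential-like string literal in the Go source."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if not SECRET_NAME.search(name):
            continue  # identifier does not look like it holds a credential
        if len(value) < min_len:
            continue  # too short to be a usable token or key
        if PLACEHOLDER.search(value):
            continue  # clearly a stand-in value, not a leaked secret
        findings.append(Finding(lineno, name, value, round(shannon_entropy(value), 2)))
    return findings


if __name__ == "__main__":
    for f in scan_go_source(SAMPLE_GO_TEST):
        print(f"line {f.line}: {f.name} = {f.value!r} (entropy {f.entropy})")
```

The name-based match keeps the scanner cheap and readable; the entropy figure is reported so a reviewer can rank hits, since a random-looking high-entropy value next to a secret-like name is the case most worth replacing with an obvious dummy or a value generated at test time.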