Disallow Secrets from Env Vars in CEL expressions

Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables.

Policy Definition

/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secrets-not-from-env-vars
  annotations:
    policies.kyverno.io/title: Disallow Secrets from Env Vars in CEL expressions
    policies.kyverno.io/category: Sample, EKS Best Practices in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod, Secret
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Secrets used as environment variables containing sensitive information may, if not carefully controlled,
      be printed in log output which could be visible to unauthorized people and captured in forwarding
      applications. This policy disallows using Secrets as environment variables.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: secrets-not-from-env-vars
    match:
      any:
      - resources:
          kinds:
          - Pod
          operations:
          - CREATE
          - UPDATE
    validate:
      cel:
        expressions:
          # Every container's env list (treated as empty when absent) must contain no entry
          # whose valueFrom references a secretKeyRef. hasValue() yields a boolean whether or
          # not the secretKeyRef is present, so the all() predicate is always well-typed.
          - expression: "object.spec.containers.all(container, container.?env.orValue([]).all(env, !env.?valueFrom.?secretKeyRef.hasValue()))"
            message: "Secrets must be mounted as volumes, not as environment variables."
          # Every container's envFrom list (treated as empty when absent) must contain no secretRef.
          - expression: "object.spec.containers.all(container, container.?envFrom.orValue([]).all(envFrom, !has(envFrom.secretRef)))"
            message: "Secrets must not come from envFrom statements."

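The following is an added example, not part of the Kyverno policy or its test files: a Python mirror of the two CEL expressions, run against constructed Pod specs, so the rule's edge cases (containers without env, configMapKeyRef and fieldRef entries, envFrom with configMapRef) can be checked offline before the policy is applied. Like the expressions themselves, it inspects only spec.containers; the Pod and Secret names are hypothetical.

```python
# Added example (not the policy's own code): mirrors the two CEL expressions of
# the secrets-not-from-env-vars rule over plain Pod dictionaries.
# violations() returns the list of messages the policy would emit for a Pod.

ENV_MSG = "Secrets must be mounted as volumes, not as environment variables."
ENVFROM_MSG = "Secrets must not come from envFrom statements."


def env_uses_secret(env_entry: dict) -> bool:
    # Mirrors env.?valueFrom.?secretKeyRef.hasValue(): a plain "value", a
    # configMapKeyRef or a fieldRef is fine, only a secretKeyRef counts.
    return "secretKeyRef" in env_entry.get("valueFrom", {})


def violations(pod: dict) -> list[str]:
    containers = pod["spec"]["containers"]
    msgs = []
    # container.?env.orValue([]): a container without env passes vacuously.
    if any(env_uses_secret(e) for c in containers for e in c.get("env", [])):
        msgs.append(ENV_MSG)
    # container.?envFrom.orValue([]).all(envFrom, !has(envFrom.secretRef))
    if any("secretRef" in ef for c in containers for ef in c.get("envFrom", [])):
        msgs.append(ENVFROM_MSG)
    return msgs


# Constructed sample Pods with hypothetical names.
BAD_POD = {"spec": {"containers": [{
    "name": "app",
    "env": [
        {"name": "LOG_LEVEL", "value": "info"},
        {"name": "DB_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
    ],
    "envFrom": [{"secretRef": {"name": "api-keys"}}],
}]}}

GOOD_POD = {"spec": {"containers": [{
    "name": "app",
    "env": [
        {"name": "MODE", "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "mode"}}},
        {"name": "POD_IP", "valueFrom": {"fieldRef": {"fieldPath": "status.podIP"}}},
    ],
    "envFrom": [{"configMapRef": {"name": "app-config"}}],
    # The compliant alternative the message asks for: mount the Secret as a volume.
    "volumeMounts": [{"name": "db-creds", "mountPath": "/var/run/secrets/db", "readOnly": True}],
}], "volumes": [{"name": "db-creds", "secret": {"secretName": "db-creds"}}]}}

if __name__ == "__main__":
    for label, pod in (("BAD_POD", BAD_POD), ("GOOD_POD", GOOD_POD)):
        print(label, violations(pod) or "OK")
```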