Restrict Secret Verbs in Roles in CEL expressions

The verbs `get`, `list`, and `watch` in a Role or ClusterRole, when paired with the Secrets resource, effectively allow Secrets to be read, which can expose sensitive information. This policy prevents a Role or ClusterRole from using these verbs in tandem with Secret resources. To fully implement this control, pair this policy with another one that also prevents use of the wildcard (`*`) in the verbs list, either when Secrets are explicitly named or when a wildcard is also used in the base API group.

Policy Definition

/other-cel/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-secret-role-verbs
  annotations:
    policies.kyverno.io/title: Restrict Secret Verbs in Roles in CEL expressions
    policies.kyverno.io/category: Security in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Role, ClusterRole, RBAC
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      The verbs `get`, `list`, and `watch` in a Role or ClusterRole, when paired with the Secrets resource, effectively
      allow Secrets to be read, which can expose sensitive information. This policy prevents
      a Role or ClusterRole from using these verbs in tandem with Secret resources. In order to
      fully implement this control, it is recommended to pair this policy with another which
      also prevents use of the wildcard ('*') in the verbs list either when explicitly naming Secrets
      or when also using a wildcard in the base API group.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: secret-verbs
      match:
        any:
        - resources:
            kinds:
              - Role
              - ClusterRole
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          variables:
            - name: forbiddenVerbs
              expression: "['get','list','watch']"
          expressions:
            # Pass when there are no rules at all, or when no rule names 'secrets'
            # together with a forbidden verb. has() guards are needed because a
            # ClusterRole rule built from nonResourceURLs carries no 'resources'
            # key, and reading an absent key in CEL is an evaluation error.
            - expression: >-
                !has(object.rules) || object.rules == null ||
                !object.rules.exists(rule,
                  has(rule.resources) && 'secrets' in rule.resources &&
                  rule.verbs.exists(verb, verb in variables.forbiddenVerbs))
              message: "Requesting verbs `get`, `list`, or `watch` on Secrets is forbidden."
```
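To see which manifests the rule above admits and which it rejects without standing up a cluster, here is an added Python illustration (written for this page; it is not Kyverno code and does not run the CEL engine). It re-implements the policy's per-rule predicate, adds the companion wildcard check the description recommends, and runs both over constructed sample Roles, including a `nonResourceURLs` rule that has no `resources` key. It goes slightly beyond the text in one assumption: because Secrets live in the core API group (spelled `""` in RBAC), `resources: ["*"]` with `apiGroups` of `"*"` or `""` is treated as reaching Secrets.

```python
"""Offline mirror of the restrict-secret-role-verbs check on sample RBAC manifests.

Added illustration, not Kyverno code: the CEL predicate is re-implemented in
Python so the pass/fail outcomes can be inspected and tested without a cluster.
"""
from typing import Any

FORBIDDEN_VERBS = {"get", "list", "watch"}   # same list as variables.forbiddenVerbs
READ_OR_ANY = FORBIDDEN_VERBS | {"*"}


def rule_names_secrets_with_read_verb(rule: dict[str, Any]) -> bool:
    """Mirror of the policy's CEL predicate for a single PolicyRule."""
    # A rule built from nonResourceURLs has no 'resources' key; .get() plays the
    # role that has(rule.resources) plays in the CEL version.
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return "secrets" in resources and any(v in FORBIDDEN_VERBS for v in verbs)


def rule_reaches_secrets_by_wildcard(rule: dict[str, Any]) -> bool:
    """Companion check the page recommends pairing with the policy.

    Flags a '*' verb on an explicitly named 'secrets' resource, and wildcard
    resources in the core ("") or wildcard ("*") API group with any read verb.
    The core-group treatment is an assumption stated in the lead-in.
    """
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    api_groups = rule.get("apiGroups", [])
    if not any(v in READ_OR_ANY for v in verbs):
        return False
    if "secrets" in resources and "*" in verbs:
        return True
    return "*" in resources and any(g in ("*", "") for g in api_groups)


def check_role(role: dict[str, Any]) -> list[str]:
    """Return one finding per offending rule; an empty list means the manifest passes."""
    findings: list[str] = []
    for i, rule in enumerate(role.get("rules") or []):   # 'rules' may be absent or null
        if rule_names_secrets_with_read_verb(rule):
            findings.append(f"rule[{i}]: get/list/watch on secrets (policy rule)")
        elif rule_reaches_secrets_by_wildcard(rule):
            findings.append(f"rule[{i}]: wildcard reaches secrets (companion check)")
    return findings


def _role(kind: str, name: str, rules: Any) -> dict[str, Any]:
    """Build a minimal constructed manifest for the samples below."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind,
            "metadata": {"name": name}, "rules": rules}


# Constructed sample manifests, not taken from the page or any real cluster.
SAMPLES: dict[str, dict[str, Any]] = {
    "reads-secrets": _role("ClusterRole", "secret-reader",
        [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]),
    "configmaps-only": _role("Role", "cm-reader",
        [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]),
    "non-resource-urls": _role("ClusterRole", "health-probe",
        [{"nonResourceURLs": ["/healthz"], "verbs": ["get"]}]),
    "wildcard-verb": _role("Role", "secret-admin",
        [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]),
    "wildcard-everything": _role("ClusterRole", "god-mode",
        [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    "no-rules": _role("Role", "empty", None),
}


def audit(samples: dict[str, dict[str, Any]] = SAMPLES) -> dict[str, list[str]]:
    """Run check_role over every sample and return findings keyed by sample name."""
    return {name: check_role(role) for name, role in samples.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {'PASS' if not findings else '; '.join(findings)}")
```

Note the split: `reads-secrets` is the only sample the page's CEL would reject; `wildcard-verb` and `wildcard-everything` slip past it and are caught only by the companion check, which is exactly why the description says to pair the two policies. The `non-resource-urls` sample shows why the `has(rule.resources)` guard matters: without it the rule has no `resources` key at all.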