Disallow all Secrets

Secrets often contain sensitive information which not all Pods need to consume. This policy disallows the use of all Secrets in a Pod definition, whether referenced through `env` (`secretKeyRef`), `envFrom` (`secretRef`), or a `secret` volume. In order to work effectively, this policy needs a separate policy or rule to require `automountServiceAccountToken=false` at the Pod level or ServiceAccount level, since otherwise the service account token would still result in a Secret being mounted.
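To make concrete what the three rules actually match, here is an added stand-alone checker (example code, not Kyverno's and not part of the policy library) that applies the same checks to Pod manifests and also enforces the companion rule the text calls for. It assumes the manifests have already been parsed into plain dicts (the shape a YAML parser returns), and it simplifies the companion rule to the Pod level only: a Pod whose `automountServiceAccountToken` is not explicitly `false` is reported, even though the page also allows setting it on the ServiceAccount. The two Pod manifests and the `automount` message are constructed for this example.

```python
"""Re-implementation of the `no-secrets` ClusterPolicy rules (Secrets from env,
envFrom and volumes) plus the companion automountServiceAccountToken check.
Added example; not Kyverno code.  Manifests are constructed inline as dicts."""

from typing import Any

# These three mirror the `validate.message` strings of the policy's rules.
MSG_ENV = "No Secrets from env."
MSG_ENVFROM = "No Secrets from envFrom."
MSG_VOLUMES = "No Secrets from volumes."
# Companion rule the page says is needed; message text is an assumption.
MSG_AUTOMOUNT = "automountServiceAccountToken must be false."

# In the policy, `=(initContainers)` and `=(ephemeralContainers)` are optional
# (equality anchors) while `containers` is always inspected; all three lists
# are checked the same way here.
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def violations(pod: dict[str, Any]) -> list[str]:
    """Return the policy messages this Pod manifest would trigger (empty = compliant)."""
    spec = pod.get("spec") or {}
    containers = [c for key in CONTAINER_LISTS for c in (spec.get(key) or [])]
    found: list[str] = []

    # Rule secrets-not-from-env: env[].valueFrom must not carry secretKeyRef
    # (the policy's `X(secretKeyRef)` negation anchor forbids the key).
    if any("secretKeyRef" in (e.get("valueFrom") or {})
           for c in containers for e in (c.get("env") or [])):
        found.append(MSG_ENV)

    # Rule secrets-not-from-envfrom: envFrom[] must not carry secretRef.
    if any("secretRef" in src
           for c in containers for src in (c.get("envFrom") or [])):
        found.append(MSG_ENVFROM)

    # Rule secrets-not-from-volumes: volumes[] must not carry a `secret` source.
    if any("secret" in v for v in (spec.get("volumes") or [])):
        found.append(MSG_VOLUMES)

    # Companion check (Pod level only in this example): an unset value still
    # lets the service account token be mounted, so only an explicit False passes.
    if spec.get("automountServiceAccountToken") is not False:
        found.append(MSG_AUTOMOUNT)

    return found


# Constructed manifest: pulls Secrets through every vector the policy covers.
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "uses-secrets"},
    "spec": {
        "initContainers": [{
            "name": "init", "image": "busybox",
            "envFrom": [{"secretRef": {"name": "db-creds"}}],
        }],
        "containers": [{
            "name": "app", "image": "nginx",
            "env": [
                {"name": "PLAIN", "value": "ok"},
                {"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
            ],
            "volumeMounts": [{"name": "tls", "mountPath": "/etc/tls"}],
        }],
        "volumes": [{"name": "tls", "secret": {"secretName": "tls-cert"}}],
    },
}

# Constructed manifest: same shape, but every reference is a ConfigMap and
# the service account token mount is explicitly disabled.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "no-secrets"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "app", "image": "nginx",
            "env": [{"name": "LOG_LEVEL",
                     "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "level"}}}],
            "envFrom": [{"configMapRef": {"name": "app-config"}}],
            "volumeMounts": [{"name": "cfg", "mountPath": "/etc/app"}],
        }],
        "volumes": [{"name": "cfg", "configMap": {"name": "app-config"}}],
    },
}


if __name__ == "__main__":
    for pod in (NONCOMPLIANT_POD, COMPLIANT_POD):
        name = pod["metadata"]["name"]
        print(f"{name}: {violations(pod) or 'compliant'}")
```

Running the script reports all four messages for `uses-secrets` and `compliant` for `no-secrets`. Note that a Pod with no Secret references at all is still reported when it leaves `automountServiceAccountToken` unset, which is exactly the gap the policy's own pattern rules cannot close.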

Policy Definition

/other/disallow-all-secrets/disallow-all-secrets.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: no-secrets
  annotations:
    policies.kyverno.io/title: Disallow all Secrets
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod, Secret
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.21"
    policies.kyverno.io/description: >-
      Secrets often contain sensitive information which not all Pods need consume.
      This policy disables the use of all Secrets in a Pod definition. In order to work effectively,
      this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false`
      at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted.
spec:
  validationFailureAction: Audit
  rules:
  # Rule 1: no env var may take its value from a Secret key.
  # `=(key)` is an equality anchor: the key is optional, but if present it must
  # match the pattern. `X(key)` is a negation anchor: the key must not be present.
  - name: secrets-not-from-env
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "No Secrets from env."
      pattern:
        spec:
          =(ephemeralContainers):
          - name: "*"
            =(env):
            - =(valueFrom):
                X(secretKeyRef): "null"
          =(initContainers):
          - name: "*"
            =(env):
            - =(valueFrom):
                X(secretKeyRef): "null"
          containers:
          - name: "*"
            =(env):
            - =(valueFrom):
                X(secretKeyRef): "null"
  # Rule 2: no envFrom source may be a whole Secret.
  - name: secrets-not-from-envfrom
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "No Secrets from envFrom."
      pattern:
        spec:
          =(ephemeralContainers):
          - name: "*"
            =(envFrom):
            - X(secretRef): "null"
          =(initContainers):
          - name: "*"
            =(envFrom):
            - X(secretRef): "null"
          containers:
          - name: "*"
            =(envFrom):
            - X(secretRef): "null"
  # Rule 3: no volume may be backed by a Secret.
  - name: secrets-not-from-volumes
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "No Secrets from volumes."
      pattern:
        spec:
          =(volumes):
          - X(secret): "null"
```