Disallow Secrets from Env Vars

Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables.

Policy Definition

/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secrets-not-from-env-vars
  annotations:
    policies.kyverno.io/title: Disallow Secrets from Env Vars
    policies.kyverno.io/category: Sample, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod, Secret
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/description: >-
      Secrets used as environment variables containing sensitive information may, if not carefully controlled,
      be printed in log output which could be visible to unauthorized people and captured in forwarding
      applications. This policy disallows using Secrets as environment variables.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: secrets-not-from-env-vars
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Secrets must be mounted as volumes, not as environment variables."
      pattern:
        spec:
          containers:
          - name: "*"
            =(env):
            - =(valueFrom):
                X(secretKeyRef): "null"
  - name: secrets-not-from-envfrom
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Secrets must not come from envFrom statements."
      pattern:
        spec:
          containers:
          - name: "*"
            =(envFrom):
            - X(secretRef): "null"
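The following Python is an added example, not part of this policy page and not Kyverno code. It re-implements the two checks the policy expresses with its `X(...)` anchors, so a practitioner can see exactly what each rule rejects: any `env[].valueFrom.secretKeyRef` and any `envFrom[].secretRef` under `spec.containers`. The Pod manifests, Secret names (`db-creds`, `api-keys`) and container names are constructed for the example. One detail worth noticing when reading the policy: its pattern only walks `spec.containers`, so the helper defaults to the same scope and takes an optional argument to widen the check to `initContainers`.

```python
"""Added example: re-implementation of the two rules in the
secrets-not-from-env-vars Kyverno policy, applied to Pod specs held as dicts."""

from typing import Dict, List, Tuple


def find_secret_env_refs(pod: Dict, container_fields: Tuple[str, ...] = ("containers",)) -> List[str]:
    """Return one violation string per offending env entry; an empty list means the Pod passes.

    container_fields mirrors the policy's pattern, which inspects spec.containers only.
    Pass ("containers", "initContainers") to also cover init containers.
    """
    violations: List[str] = []
    spec = pod.get("spec", {})
    for field in container_fields:
        for container in spec.get(field) or []:
            cname = container.get("name", "<unnamed>")
            # Rule 1 (secrets-not-from-env-vars): env[].valueFrom.secretKeyRef must be absent.
            for env in container.get("env") or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    violations.append(
                        f"{field}/{cname}: env {env.get('name')} reads Secret "
                        f"{ref.get('name')}/{ref.get('key')} via secretKeyRef"
                    )
            # Rule 2 (secrets-not-from-envfrom): envFrom[].secretRef must be absent.
            for source in container.get("envFrom") or []:
                ref = source.get("secretRef")
                if ref:
                    violations.append(f"{field}/{cname}: envFrom imports Secret {ref.get('name')} via secretRef")
    return violations


# Constructed Pod that violates both rules.
VIOLATING_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app-bad"},
    "spec": {"containers": [{
        "name": "app", "image": "example/app:1.0",
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
        "envFrom": [{"secretRef": {"name": "api-keys"}}],
    }]},
}

# Constructed Pod that follows the policy's advice: the Secret is mounted as a volume,
# and env only carries a literal value and a ConfigMap reference (both allowed).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app-good"},
    "spec": {
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "env": [{"name": "LOG_LEVEL", "value": "info"},
                    {"name": "REGION",
                     "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "region"}}}],
            "volumeMounts": [{"name": "creds", "mountPath": "/etc/creds", "readOnly": True}],
        }],
        "volumes": [{"name": "creds", "secret": {"secretName": "db-creds"}}],
    },
}

# Constructed Pod whose only secretKeyRef sits in an initContainer.
INIT_ONLY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app-init"},
    "spec": {
        "initContainers": [{
            "name": "migrate", "image": "example/migrate:1.0",
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
        }],
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    },
}


if __name__ == "__main__":
    for pod in (VIOLATING_POD, COMPLIANT_POD, INIT_ONLY_POD):
        name = pod["metadata"]["name"]
        print(f"{name}: {find_secret_env_refs(pod) or 'OK'}")
        print(f"{name} (incl. initContainers): "
              f"{find_secret_env_refs(pod, ('containers', 'initContainers')) or 'OK'}")
```

Run the file directly to see the violating Pod rejected on both rules, the compliant Pod pass, and the init-container Pod pass under the policy's own scope but fail once `initContainers` is included in the walk.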