Disallow Secrets from Env Vars
Sample policy that flags Pods whose containers pull Secret values into environment variables through `valueFrom.secretKeyRef`. A Secret injected as an environment variable is visible to every process in the container and tends to leak through debug output, crash reports and child processes; mounting Secrets as volumes limits that exposure. As written the policy runs in `audit` mode and only reports violations; set `validationFailureAction` to `enforce` to reject the Pod. Note also that the pattern inspects only `spec.containers[*].env`, so `initContainers` and `envFrom.secretRef` are not covered.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secrets-not-from-env-vars
  annotations:
    policies.kyverno.io/title: Disallow Secrets from Env Vars
    policies.kyverno.io/category: Sample
    policies.kyverno.io/description: >-
      Sample policy to disallow using secrets from environment variables
      which are visible in resource definitions.
spec:
  validationFailureAction: audit
  rules:
  - name: secrets-not-from-env-vars
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Secrets must be mounted as volumes, not as environment variables."
      pattern:
        spec:
          containers:
          - name: "*"
            =(env):
            - =(valueFrom):
                X(secretKeyRef): "null"
```
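To make the anchor semantics concrete, the following is an added example (not code from the Kyverno project or from this page) that models what the rule's pattern checks in plain Python and runs it over constructed Pod manifests. `=(env)` and `=(valueFrom)` are equality anchors that only fire when the key is present, and `X(secretKeyRef): "null"` requires the key to be absent. The Pod specs, the `strict_policy_violations` variant (which also covers `initContainers`, `ephemeralContainers` and `envFrom.secretRef`) and the `evaluate` helper are all assumptions made for illustration; they are not part of the policy or of Kyverno.

```python
"""Added example: a pure-Python model of the sample Kyverno rule
'secrets-not-from-env-vars', run over constructed Pod manifests.
Not Kyverno code; the manifests below are made up for illustration."""

from typing import Any, Callable, Dict, List, Tuple

Pod = Dict[str, Any]

MESSAGE = "Secrets must be mounted as volumes, not as environment variables."

# Constructed Pod specs standing in for manifests submitted to the API server.
POD_ENV_SECRET: Pod = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "env-secret"},
    "spec": {"containers": [{
        "name": "app", "image": "example/app:1.0",
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
    }]},
}

POD_VOLUME_SECRET: Pod = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "volume-secret"},
    "spec": {
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "env": [{"name": "DB_PASSWORD_FILE", "value": "/etc/db/password"}],
            "volumeMounts": [{"name": "db", "mountPath": "/etc/db", "readOnly": True}],
        }],
        "volumes": [{"name": "db", "secret": {"secretName": "db"}}],
    },
}

# envFrom.secretRef injects every key of the Secret as an env var, but the
# sample pattern only looks at spec.containers[*].env, so it is not caught.
POD_ENVFROM_SECRET: Pod = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "envfrom-secret"},
    "spec": {"containers": [{
        "name": "app", "image": "example/app:1.0",
        "envFrom": [{"secretRef": {"name": "db"}}],
    }]},
}

# initContainers are likewise outside the sample pattern.
POD_INIT_SECRET: Pod = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "init-secret"},
    "spec": {
        "initContainers": [{
            "name": "migrate", "image": "example/migrate:1.0",
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
        }],
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    },
}


def _env_secret_refs(container: Dict[str, Any]) -> List[str]:
    """Names of env entries whose valueFrom carries a secretKeyRef.
    Mirrors '=(env)' and '=(valueFrom)': absent keys are simply skipped,
    while 'X(secretKeyRef): "null"' means the key must not be present."""
    hits: List[str] = []
    for env in container.get("env") or []:
        value_from = env.get("valueFrom") or {}
        if "secretKeyRef" in value_from:
            hits.append(env["name"])
    return hits


def sample_policy_violations(pod: Pod) -> List[str]:
    """What the sample rule's pattern checks: spec.containers[*].env only."""
    findings: List[str] = []
    for c in pod["spec"].get("containers") or []:
        for env_name in _env_secret_refs(c):
            findings.append(
                f"spec.containers[{c['name']}].env[{env_name}].valueFrom.secretKeyRef")
    return findings


def strict_policy_violations(pod: Pod) -> List[str]:
    """Assumed stricter variant: all container lists plus envFrom.secretRef."""
    findings: List[str] = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod["spec"].get(kind) or []:
            for env_name in _env_secret_refs(c):
                findings.append(
                    f"spec.{kind}[{c['name']}].env[{env_name}].valueFrom.secretKeyRef")
            for source in c.get("envFrom") or []:
                if "secretRef" in source:
                    findings.append(f"spec.{kind}[{c['name']}].envFrom.secretRef")
    return findings


def evaluate(pod: Pod,
             check: Callable[[Pod], List[str]] = sample_policy_violations,
             action: str = "audit") -> Tuple[bool, List[str]]:
    """Return (admitted, violations). With validationFailureAction 'audit'
    the Pod is admitted and the violations are only reported; 'enforce'
    rejects any Pod with a violation."""
    violations = check(pod)
    admitted = not violations or action == "audit"
    return admitted, violations


if __name__ == "__main__":
    for pod in (POD_ENV_SECRET, POD_VOLUME_SECRET, POD_ENVFROM_SECRET, POD_INIT_SECRET):
        admitted, violations = evaluate(pod, action="enforce")
        status = "admitted" if admitted else f"rejected: {MESSAGE}"
        print(pod["metadata"]["name"], status, violations)
```

Running the block shows the first Pod rejected under `enforce`, the volume-mounted Pod admitted, and the `envFrom` and `initContainers` Pods admitted by the sample check but flagged by the stricter variant, which is the gap a production version of this policy would want to close.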
Last modified January 2, 2021: fix title & sort and regen policies (fa7e171)