Restrict Secrets by Name
Secrets often contain sensitive information and their access should be carefully controlled. Although Kubernetes RBAC can be effective at restricting them in several ways, it lacks the ability to use wildcards in resource names. This policy ensures that only Secrets beginning with the name `safe-` can be consumed by Pods. In order to work effectively, this policy needs to be paired with a separate policy or rule to require `automountServiceAccountToken=false` since this would otherwise result in a Secret being mounted.
Policy Definition
/other/restrict-secrets-by-name/restrict-secrets-by-name.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-secrets-by-name
  annotations:
    policies.kyverno.io/title: Restrict Secrets by Name
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Pod, Secret
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.21"
    policies.kyverno.io/description: >-
      Secrets often contain sensitive information and their access should be carefully controlled.
      Although Kubernetes RBAC can be effective at restricting them in several ways,
      it lacks the ability to use wildcards in resource names. This policy ensures
      that only Secrets beginning with the name `safe-` can be consumed by Pods.
      In order to work effectively, this policy needs to be paired with a separate policy
      or rule to require `automountServiceAccountToken=false` since this would otherwise
      result in a Secret being mounted.
spec:
  background: false
  validationFailureAction: Enforce
  rules:
  - name: safe-secrets-from-env
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: "Only Secrets beginning with `safe-` may be consumed in env statements."
      pattern:
        spec:
          =(ephemeralContainers):
          - =(name): "*"
            =(env):
            - =(valueFrom):
                =(secretKeyRef):
                  name: safe-*
          =(initContainers):
          - =(name): "*"
            =(env):
            - =(valueFrom):
                =(secretKeyRef):
                  name: safe-*
          containers:
          - name: "*"
            =(env):
            - =(valueFrom):
                =(secretKeyRef):
                  name: safe-*
  - name: safe-secrets-from-envfrom
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: "Only Secrets beginning with `safe-` may be consumed in envFrom statements."
      pattern:
        spec:
          =(ephemeralContainers):
          - =(name): "*"
            =(envFrom):
            - =(secretRef):
                name: safe-*
          =(initContainers):
          - =(name): "*"
            =(envFrom):
            - =(secretRef):
                name: safe-*
          containers:
          - name: "*"
            =(envFrom):
            - =(secretRef):
                name: safe-*
  - name: safe-secrets-from-volumes
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: "Only Secrets beginning with `safe-` may be consumed in volumes."
      pattern:
        spec:
          =(volumes):
          - =(secret):
              secretName: safe-*
```
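As an added example (not part of the Kyverno policy or project), the following Python lint applies the same three checks to a Pod manifest before it ever reaches admission, which is useful in CI or a pre-commit hook; it inspects exactly what the policy does (secretKeyRef, secretRef and the `secret` volume source) and the two sample Pods are constructed.

```python
# Pre-admission lint mirroring the three rules above: every secretKeyRef, secretRef
# and secret volume in a Pod must name a Secret matching safe-*. Added example, not
# Kyverno code; the sample Pods below are constructed.
import fnmatch

ALLOWED = "safe-*"  # the same wildcard the policy uses

def _check(name, where, violations):
    # A missing name, or one outside the wildcard, fails just as the Kyverno pattern would.
    if name is None or not fnmatch.fnmatchcase(name, ALLOWED):
        violations.append(f"{where}: Secret {name!r} does not match {ALLOWED}")

def check_pod(pod):
    """Return the list of violations; an empty list means the Pod passes all three rules."""
    spec = pod.get("spec", {})
    violations = []
    # Rules safe-secrets-from-env and -envfrom: walk all three container lists.
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            who = f"{kind}/{c.get('name', '?')}"
            for env in c.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref is not None:
                    _check(ref.get("name"), f"{who} env {env.get('name')}", violations)
            for ef in c.get("envFrom", []):
                ref = ef.get("secretRef")
                if ref is not None:
                    _check(ref.get("name"), f"{who} envFrom", violations)
    # Rule safe-secrets-from-volumes: only the `secret` volume source, as in the policy.
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            _check(vol["secret"].get("secretName"), f"volume {vol.get('name')}", violations)
    return violations

# Constructed sample Pods: one the policy rejects (three violations), one it admits.
BAD_POD = {"kind": "Pod", "spec": {
    "initContainers": [{"name": "init", "envFrom": [{"secretRef": {"name": "db-creds"}}]}],
    "containers": [{"name": "app", "env": [
        {"name": "TOKEN", "valueFrom": {"secretKeyRef": {"name": "api-token", "key": "t"}}},
        {"name": "PLAIN", "value": "not-a-secret"}]}],
    "volumes": [{"name": "certs", "secret": {"secretName": "tls-certs"}}]}}
GOOD_POD = {"kind": "Pod", "spec": {
    "containers": [{"name": "app",
        "env": [{"name": "TOKEN", "valueFrom": {"secretKeyRef": {"name": "safe-api-token", "key": "t"}}}],
        "envFrom": [{"configMapRef": {"name": "settings"}}]}],
    "volumes": [{"name": "certs", "secret": {"secretName": "safe-tls"}}]}}

if __name__ == "__main__":
    for v in check_pod(BAD_POD):
        print(v)
```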