Restrict Secrets by Name

Secrets often contain sensitive information, so access to them should be carefully controlled. Although Kubernetes RBAC can restrict them in several ways, it cannot use wildcards in resource names. This policy ensures that only Secrets whose names begin with `safe-` can be consumed by Pods, whether through `env` (`secretKeyRef`), `envFrom` (`secretRef`), or `volumes` (`secret`). To work effectively, this policy needs to be paired with a separate policy or rule requiring `automountServiceAccountToken=false`, since the automatically mounted service account token would otherwise still result in a Secret being mounted.

Policy Definition

/other/restrict_secrets_by_name/restrict-secrets-by-name.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-secrets-by-name
  annotations:
    policies.kyverno.io/title: Restrict Secrets by Name
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Pod, Secret
    kyverno.io/kyverno-version: 1.5.1
    kyverno.io/kubernetes-version: "1.21"
    policies.kyverno.io/description: >-
      Secrets often contain sensitive information and their access should be carefully controlled.
      Although Kubernetes RBAC can be effective at restricting them in several ways,
      it lacks the ability to use wildcards in resource names. This policy ensures
      that only Secrets beginning with the name `safe-` can be consumed by Pods.
      In order to work effectively, this policy needs to be paired with a separate policy
      or rule to require `automountServiceAccountToken=false` since this would otherwise
      result in a Secret being mounted.
spec:
  background: false
  validationFailureAction: enforce
  rules:
  - name: safe-secrets-from-env
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
      - key: "{{request.operation}}"
        operator: In
        value:
        - CREATE
        - UPDATE
    validate:
      message: "Only Secrets beginning with `safe-` may be consumed in env statements."
      pattern:
        spec:
          =(ephemeralContainers):
          - =(name): "*"
            =(env):
            - =(valueFrom):
                =(secretKeyRef):
                    name: safe-*
          =(initContainers):
          - =(name): "*"
            =(env):
            - =(valueFrom):
                =(secretKeyRef):
                    name: safe-*
          containers:
          - name: "*"
            =(env):
            - =(valueFrom):
                =(secretKeyRef):
                    name: safe-*
  - name: safe-secrets-from-envfrom
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
      - key: "{{request.operation}}"
        operator: In
        value:
        - CREATE
        - UPDATE
    validate:
      message: "Only Secrets beginning with `safe-` may be consumed in envFrom statements."
      pattern:
        spec:
          =(ephemeralContainers):
          - =(name): "*"
            =(envFrom):
            - =(secretRef):
                name: safe-*
          =(initContainers):
          - =(name): "*"
            =(envFrom):
            - =(secretRef):
                name: safe-*
          containers:
          - name: "*"
            =(envFrom):
            - =(secretRef):
                name: safe-*
  - name: safe-secrets-from-volumes
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
      - key: "{{request.operation}}"
        operator: In
        value:
        - CREATE
        - UPDATE
    validate:
      message: "Only Secrets beginning with `safe-` may be consumed in volumes."
      pattern:
        spec:
          =(volumes):
          - =(secret):
              secretName: safe-*
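To make the reach of the three rules concrete, the following is an added example (not Kyverno code and not part of the policy above) that re-implements the same checks in plain Python over a Pod spec already parsed into a dict. It walks `ephemeralContainers`, `initContainers` and `containers` for `env[].valueFrom.secretKeyRef` and `envFrom[].secretRef`, then `volumes[].secret`, exactly the paths the policy's `pattern` blocks name, and reports every Secret reference that does not match `safe-*`. The two sample Pods and the function names are constructed for this example; the `safe-` prefix comes from the policy.

```python
"""Offline re-implementation of the checks made by the restrict-secrets-by-name
Kyverno policy. Added example, not part of the policy page or of Kyverno.

Assumptions: a Pod is a plain dict (e.g. the result of json.load / yaml.safe_load),
and the required prefix is the policy's "safe-" wildcard pattern.
"""
import fnmatch

SAFE_PATTERN = "safe-*"  # the same wildcard the policy's pattern fields use
# Order mirrors the policy: ephemeral, init, then regular containers.
CONTAINER_LISTS = ("ephemeralContainers", "initContainers", "containers")


def _is_safe(name):
    """True when the Secret name matches 'safe-*' (glob semantics, case-sensitive)."""
    return isinstance(name, str) and fnmatch.fnmatchcase(name, SAFE_PATTERN)


def find_secret_violations(pod):
    """Return (rule_name, location, secret_name) for every Secret reference that the
    policy would reject. An empty list means all three rules pass."""
    spec = pod.get("spec") or {}
    violations = []

    for list_name in CONTAINER_LISTS:
        # The =() anchors make these lists optional, so a missing list is not a violation.
        for container in spec.get(list_name) or []:
            cname = container.get("name", "<unnamed>")

            # Rule safe-secrets-from-env: env[].valueFrom.secretKeyRef.name
            for env in container.get("env") or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref is not None and not _is_safe(ref.get("name")):
                    where = f"{list_name}/{cname}/env/{env.get('name')}"
                    violations.append(("safe-secrets-from-env", where, ref.get("name")))

            # Rule safe-secrets-from-envfrom: envFrom[].secretRef.name
            for source in container.get("envFrom") or []:
                ref = source.get("secretRef")
                if ref is not None and not _is_safe(ref.get("name")):
                    where = f"{list_name}/{cname}/envFrom"
                    violations.append(("safe-secrets-from-envfrom", where, ref.get("name")))

    # Rule safe-secrets-from-volumes: volumes[].secret.secretName
    for volume in spec.get("volumes") or []:
        secret = volume.get("secret")
        if secret is not None and not _is_safe(secret.get("secretName")):
            where = f"volumes/{volume.get('name')}"
            violations.append(("safe-secrets-from-volumes", where, secret.get("secretName")))

    return violations


def is_admitted(pod):
    """True when the Pod would pass all three rules of the policy."""
    return not find_secret_violations(pod)


# Constructed sample Pods (not taken from the page).
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "good"},
    "spec": {
        "containers": [{
            "name": "app", "image": "nginx",
            "env": [
                {"name": "TOKEN", "valueFrom": {"secretKeyRef": {"name": "safe-token", "key": "token"}}},
                # A ConfigMap reference is not a Secret and is ignored by the rules.
                {"name": "MODE", "valueFrom": {"configMapKeyRef": {"name": "app-settings", "key": "mode"}}},
            ],
            "envFrom": [{"secretRef": {"name": "safe-config"}}],
        }],
        "volumes": [{"name": "creds", "secret": {"secretName": "safe-creds"}}],
    },
}

BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {
        "initContainers": [{
            "name": "init", "image": "busybox",
            "env": [{"name": "PW", "valueFrom": {"secretKeyRef": {"name": "db-password", "key": "pw"}}}],
        }],
        "containers": [{
            "name": "app", "image": "nginx",
            "envFrom": [{"secretRef": {"name": "app-config"}}],
        }],
        "volumes": [
            {"name": "tls", "secret": {"secretName": "tls-cert"}},
            {"name": "scratch", "emptyDir": {}},  # no Secret involved, ignored
        ],
    },
}

if __name__ == "__main__":
    print("good pod admitted:", is_admitted(GOOD_POD))
    for rule, where, name in find_secret_violations(BAD_POD):
        print(f"{rule}: {where} references Secret {name!r}")
```

Running it admits `GOOD_POD` and reports one finding per rule for `BAD_POD`. Note what the pattern (and therefore this checker) does not inspect: a Pod can also reach a Secret through a `projected` volume's `secret` source or through `imagePullSecrets`, neither of which appears in the three `pattern` blocks, which is why the page pairs this policy with a rule on `automountServiceAccountToken`.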