---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secrets-not-from-env-vars
spec:
  admission: true
  background: false
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: secrets-not-from-env-vars
    validate:
      message: Secrets must be mounted as volumes, not as environment variables.
      pattern:
        spec:
          containers:
          - =(env):
            - =(valueFrom):
                X(secretKeyRef): "null"
            name: '*'
  validationFailureAction: Audit