mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 01:16:55 +00:00
# Disallow Secrets from environment variables
Kubernetes Secrets are often sensitive pieces of information whose content should be protected. They can be consumed in many ways, but when they are exposed as environment variables, some applications write their values to STDOUT, revealing the sensitive information in log files and in other places where it can be read. As a best practice, Kubernetes Secrets should instead be mounted as volumes.
This sample policy checks any incoming Pod manifests and ensures that Secrets are not mounted as environment variables.
## More Information
* [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/)
## Policy YAML
[disallow_secrets_from_env_vars.yaml](more/disallow_secrets_from_env_vars.yaml)
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secrets-not-from-env-vars
spec:
  background: false
  validationFailureAction: audit
  rules:
  - name: secrets-not-from-env-vars
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Secrets must be mounted as volumes, not as environment variables."
      pattern:
        spec:
          containers:
          - name: "*"
            =(env):
            - =(valueFrom):
                X(secretKeyRef): "null"
```
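As an added example (not code from the Kyverno repository), the following Python reproduces the check that the pattern above performs, so a Pod manifest can be tried against the rule offline; the two Pod manifests are constructed for illustration.

```python
MESSAGE = "Secrets must be mounted as volumes, not as environment variables."


def check_pod(pod: dict) -> list:
    """Return one finding per env var whose value comes from a Secret.

    Mirrors the policy pattern: each spec.containers entry (name: "*") may
    carry env (=(env)); each env entry may carry valueFrom (=(valueFrom)),
    which must not contain secretKeyRef (X(secretKeyRef): "null").  Like
    the pattern, this ignores initContainers and envFrom[].secretRef.
    """
    findings = []
    for container in pod.get("spec", {}).get("containers", []):
        for env in container.get("env") or []:
            if "secretKeyRef" in (env.get("valueFrom") or {}):
                findings.append(f"{container['name']}/{env['name']}: {MESSAGE}")
    return findings


# Constructed Pod manifests (not from the repository): the first injects a
# Secret key as an env var and violates the rule; the second mounts the same
# Secret as a volume, as the README recommends, and passes.
POD_ENV_SECRET = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app-env"},
    "spec": {"containers": [{
        "name": "app", "image": "example/app:1.0",
        "env": [
            {"name": "LOG_LEVEL", "value": "info"},
            {"name": "DB_PASSWORD", "valueFrom": {
                "secretKeyRef": {"name": "db-creds", "key": "password"}}},
        ],
    }]},
}

POD_VOLUME_SECRET = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app-volume"},
    "spec": {
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "env": [{"name": "DB_PASSWORD_FILE", "value": "/etc/creds/password"}],
            "volumeMounts": [{"name": "creds", "mountPath": "/etc/creds",
                              "readOnly": True}],
        }],
        "volumes": [{"name": "creds", "secret": {"secretName": "db-creds"}}],
    },
}

if __name__ == "__main__":
    for pod in (POD_ENV_SECRET, POD_VOLUME_SECRET):
        print(pod["metadata"]["name"], check_pod(pod) or "pass")
```

Because the policy sets `validationFailureAction: audit`, a violating Pod is reported rather than rejected; switching it to `enforce` makes the admission request fail with the same message.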