mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/samples/DisallowSecretsFromEnvVars.md
Chip Zoller 2c86496728
Add new sample policies (#1272)
* new samples; updates

* typos

* add policy to restrict LoadBalancer

* correct sample numbering

* fix typos

* add EnsurePodProbesDifferent

* add DisallowSecrets policy

* add AddDefaultLabels policy

* typo
2020-11-18 14:58:32 -08:00


Disallow Secrets from environment variables

Secrets in Kubernetes are often sensitive pieces of information whose content should be protected. Although they can be consumed in many ways, when they are exposed as environment variables some applications write their values to STDOUT, revealing the sensitive information in log files and creating other potential avenues of exposure. As a best practice, Kubernetes Secrets should instead be mounted as volumes.

This sample policy checks any incoming Pod manifests and ensures that Secrets are not mounted as environment variables.

More Information

Policy YAML

disallow_secrets_from_env_vars.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secrets-not-from-env-vars
spec:
  background: false
  validationFailureAction: audit
  rules:
  - name: secrets-not-from-env-vars
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Secrets must be mounted as volumes, not as environment variables."
      pattern:
        spec:
          containers:
          - name: "*"
            # =() is a conditional anchor: only evaluate the children if the key exists.
            =(env):
            - =(valueFrom):
                # X() is a negation anchor: the key must not be present.
                X(secretKeyRef): "null"
```
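As an added illustration (not part of the Kyverno sample or project), the following Python check mirrors the intent of the policy above over a parsed Pod manifest, showing a violating Pod beside a compliant one that mounts the Secret as a volume. It goes beyond the page's pattern by also flagging `envFrom.secretRef` and `initContainers`, which also inject Secret values into the environment; both manifests and all names in them are constructed.

```python
# Constructed Pod manifests as Python dicts (the parsed form of the YAML).
VIOLATING_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "env-secret-demo"},
    "spec": {"containers": [{
        "name": "app", "image": "nginx",
        "env": [
            {"name": "DB_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
            {"name": "LOG_LEVEL", "value": "info"},
        ],
        # envFrom.secretRef injects every key of a Secret as env vars; the
        # page's pattern does not look at it, this check does.
        "envFrom": [{"secretRef": {"name": "extra-creds"}}],
    }]},
}

COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "volume-secret-demo"},
    "spec": {
        "containers": [{
            "name": "app", "image": "nginx",
            "env": [{"name": "LOG_LEVEL", "value": "info"}],
            # The Secret is projected as files instead of env vars.
            "volumeMounts": [{"name": "db-creds", "mountPath": "/etc/db-creds",
                              "readOnly": True}],
        }],
        "volumes": [{"name": "db-creds", "secret": {"secretName": "db-creds"}}],
    },
}

def find_secret_env_vars(pod):
    """One finding per env/envFrom entry that sources a Secret, in any container."""
    findings = []
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            for e in c.get("env", []):
                if "secretKeyRef" in (e.get("valueFrom") or {}):
                    findings.append(f"{field}/{c['name']}: env {e['name']} uses secretKeyRef")
            for ef in c.get("envFrom", []):
                if "secretRef" in ef:
                    findings.append(f"{field}/{c['name']}: envFrom uses secretRef "
                                    f"{ef['secretRef'].get('name')}")
    return findings

def is_compliant(pod):
    """True when the Pod satisfies the policy's intent (no Secret-backed env vars)."""
    return not find_secret_env_vars(pod)
```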