Secrets often contain sensitive information and their access should be carefully controlled. Although Kubernetes RBAC can be effective at restricting them in several ways, it lacks the ability to use wildcards in resource names. This policy ensures that only Secrets beginning with the name `safe-` can be consumed by Pods. In order to work effectively, this policy needs to be paired with a separate policy or rule to require `automountServiceAccountToken=false` since this would otherwise result in a Secret being mounted.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: restrict-secrets-by-nameannotations:policies.kyverno.io/title: Restrict Secrets by Name in CEL expressionspolicies.kyverno.io/category: Other in CELpolicies.kyverno.io/subject: Pod, Secretkyverno.io/kyverno-version: 1.11.0kyverno.io/kubernetes-version: 1.26-1.27policies.kyverno.io/description: Secrets often contain sensitive information and their access should be carefully controlled. Although Kubernetes RBAC can be effective at restricting them in several ways, it lacks the ability to use wildcards in resource names. This policy ensures that only Secrets beginning with the name `safe-` can be consumed by Pods. In order to work effectively, this policy needs to be paired with a separate policy or rule to require `automountServiceAccountToken=false` since this would otherwise result in a Secret being mounted.spec:background: falsevalidationFailureAction: Auditrules:- name: safe-secrets-from-envmatch:any:- resources:kinds:- Podoperations:- CREATE- UPDATEvalidate:cel:variables:- name: allContainersexpression: object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])expressions:- expression: variables.allContainers.all(container, container.?env.orValue([]).all(env, env.?valueFrom.?secretKeyRef.?name.orValue('safe-').startsWith("safe-")))message: Only Secrets beginning with `safe-` may be consumed in env statements.- name: safe-secrets-from-envfrommatch:any:- resources:kinds:- Podoperations:- CREATE- UPDATEvalidate:cel:variables:- name: allContainersexpression: object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])expressions:- expression: variables.allContainers.all(container, container.?envFrom.orValue([]).all(env, env.?secretRef.?name.orValue('safe-').startsWith("safe-")))message: Only Secrets beginning with `safe-` may be consumed in envFrom statements.- name: safe-secrets-from-volumesmatch:any:- resources:kinds:- Podoperations:- CREATE- UPDATEvalidate:cel:expressions:- expression: object.spec.?volumes.orValue([]).all(volume, volume.?secret.?secretName.orValue('safe-').startsWith("safe-"))message: Only Secrets beginning with `safe-` may be consumed in volumes.
This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both.
This policy prevents the use of the default project in an Application.
This policy prevents updates to the project field after an Application is created.