Disallow Secrets from Env Vars

Secrets exposed to a container as environment variables may, if not carefully controlled, be printed in log output, where they could be visible to unauthorized people and captured by log-forwarding applications. This policy disallows using Secrets as environment variables, whether through an env entry's secretKeyRef or through an envFrom secretRef.

Policy Definition

/other/disallow_secrets_from_env_vars.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secrets-not-from-env-vars
  annotations:
    policies.kyverno.io/title: Disallow Secrets from Env Vars
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod, Secret
    policies.kyverno.io/description: >-
      Secrets used as environment variables containing sensitive information may, if not carefully controlled,
      be printed in log output which could be visible to unauthorized people and captured in forwarding
      applications. This policy disallows using Secrets as environment variables.
spec:
  validationFailureAction: audit
  rules:
  - name: secrets-not-from-env-vars
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Secrets must be mounted as volumes, not as environment variables."
      pattern:
        spec:
          containers:
          - name: "*"
            =(env):
            - =(valueFrom):
                X(secretKeyRef): "null"
  - name: secrets-not-from-envfrom
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Secrets must not come from envFrom statements."
      pattern:
        spec:
          containers:
          - name: "*"
            =(envFrom):
            - X(secretRef): "null"
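The same two checks the policy's X(secretKeyRef) and X(secretRef) anchors express, written as a standalone Python function over a Pod manifest, as an added example that is not part of the Kyverno policy library. It assumes the manifest is already parsed into a dict (for instance with yaml.safe_load); the Secret, ConfigMap and image names in the two sample Pods are constructed placeholders.

```python
# Added example, not from the Kyverno policy library: the two checks that the
# policy's X(secretKeyRef) and X(secretRef) anchors express, over a Pod manifest
# parsed into a dict (e.g. yaml.safe_load). Like the policy it looks only at
# spec.containers; include_init_containers=True extends it to initContainers.

def find_secret_env_violations(pod, include_init_containers=False):
    """Return (container, source, env_name, secret_name) per flagged reference."""
    spec = pod.get("spec") or {}
    containers = list(spec.get("containers") or [])
    if include_init_containers:
        containers += spec.get("initContainers") or []
    violations = []
    for c in containers:
        cname = c.get("name", "<unnamed>")
        # rule secrets-not-from-env-vars: env[].valueFrom.secretKeyRef
        for env in c.get("env") or []:
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                violations.append((cname, "env", env.get("name"), ref.get("name")))
        # rule secrets-not-from-envfrom: envFrom[].secretRef
        for src in c.get("envFrom") or []:
            ref = src.get("secretRef")
            if ref:
                violations.append((cname, "envFrom", None, ref.get("name")))
    return violations

# Constructed sample manifests; Secret, ConfigMap and image names are placeholders.
VIOLATING_POD = {"kind": "Pod", "metadata": {"name": "bad"}, "spec": {"containers": [{
    "name": "app", "image": "example/app:1.0",
    "env": [
        {"name": "LOG_LEVEL", "value": "info"},  # literal value: allowed
        {"name": "DB_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
    ],
    "envFrom": [{"secretRef": {"name": "app-secrets"}}],
}]}}

COMPLIANT_POD = {"kind": "Pod", "metadata": {"name": "good"}, "spec": {
    "containers": [{
        "name": "app", "image": "example/app:1.0",
        # fieldRef and configMapRef are not Secret references, so both pass
        "env": [{"name": "POD_NAME", "valueFrom": {"fieldRef": {"fieldPath": "metadata.name"}}}],
        "envFrom": [{"configMapRef": {"name": "app-config"}}],
        # what the policy message asks for: the Secret mounted as a volume
        "volumeMounts": [{"name": "creds", "mountPath": "/run/secrets/db", "readOnly": True}],
    }],
    "volumes": [{"name": "creds", "secret": {"secretName": "db-creds"}}],
}}
```

Note that the policy as shipped uses validationFailureAction: audit, so Kyverno only reports matching Pods in policy reports; set it to enforce to have the admission request rejected.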