Using Kubernetes Native Secret Management

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-data-001
  labels:
    severity: "low"
    category: "data"
  annotations:
    rules.spotter.dev/title: "Using Kubernetes Native Secret Management"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-522"
    rules.spotter.dev/description: "Kubernetes secrets should be used for managing sensitive information."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
        versions:
          - "v1"
        kinds:
          - Secret
        namespaces:
          include: ["*"]
          exclude: []
  cel: |
    object.kind == "Secret" && (!has(object.data) && !has(object.stringData))
  remediation:
    manual: "Use Kubernetes secrets to manage sensitive information, such as passwords, OAuth tokens, and ssh keys."
  references:
    - title: "Kubernetes Secrets"
      url: "https://kubernetes.io/docs/concepts/configuration/secret/"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Secret
    metadata:
      name: cluster-secrets
    data:
      # Fill with your encoded base64 CA
      certificate-authority-data: Cg==
    stringData:
      # Fill with your string Token
      bearerToken: "my-token"

- name: secure sample 1 should pass
  pass: true
  input: |
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: azure-kvname
      namespace: myNameSpace
    spec:
      provider: azure
      parameters:
        usePodIdentity: "true"
        keyvaultName: "<key Vault Name>"
        objects:  |
          array:
            - |
              objectName: secret1
              objectType: secret
            - |
              objectName: key1
              objectType: key
        tenantId: "<tenant ID which the Key Vault sits under"
      secretObjects:
      - secretName: appsecrets
        data:
        - key: secret1
          objectName: secret1
        type: Opaque

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-data-001
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-data-001
spec:
  # Add your VAP configuration here

Rule Metadata

Using Kubernetes Native Secret Management

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub