Disabling creation of secrets in an AKS Cluster? #4288
Unanswered
johnpetersjr asked this question in Q&A (0 replies)
Hi all,
I'd like to try using an Azure Policy to enforce that users do not store or use secrets in their namespaces. Has anyone tried this before?
I have given the users a way to seamlessly connect to an Azure Vault from their pods using managed identities, so they can get secrets directly from there. My security team would like to see no one using a Kubernetes Secret ever again, if possible, hence my thought of disabling AKS secrets...
I was thinking along the lines of this built-in policy ContainerDisallowedCapabilities to essentially white-list things like nginx or kube-system in case they really need to use secrets, but then block all other namespaces from the 'capability' of using secrets.
Is this possible? Or is there a different/better way to do this?
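Azure Policy for AKS enforces its Kubernetes rules through OPA Gatekeeper, so the closest match to what the question describes is a Gatekeeper constraint that denies creation of Secrets outside an allow-list of namespaces (kube-system, an ingress-nginx namespace) rather than reusing the container-capabilities policy, which only inspects pod specs. The following is an added example written for this reply, not code from the original post or from Azure; the template name, kind, parameter names and the namespaces listed are assumptions. On a self-managed Gatekeeper it is applied with kubectl; with the Azure Policy add-on the ConstraintTemplate is instead referenced from a custom policy definition in mode Microsoft.Kubernetes.Data, with the constraint's parameters supplied in that definition.

```yaml
# Added example: deny Secret creation outside an allow-list (assumed names throughout).
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdenysecretsoutsideallowlist
spec:
  crd:
    spec:
      names:
        kind: K8sDenySecretsOutsideAllowlist
      validation:
        openAPIV3Schema:
          type: object
          properties:
            allowedNamespaces:        # namespaces that may still hold Secrets
              type: array
              items:
                type: string
            allowedTypes:             # Secret types that are always permitted
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenysecretsoutsideallowlist

        # Build sets from the constraint parameters for O(1) membership checks.
        allowed_ns[ns] { ns := input.parameters.allowedNamespaces[_] }
        allowed_type[t] { t := input.parameters.allowedTypes[_] }

        violation[{"msg": msg}] {
          input.review.kind.kind == "Secret"
          ns := input.review.object.metadata.namespace
          not allowed_ns[ns]
          # A Secret with no explicit type defaults to Opaque in Kubernetes.
          t := object.get(input.review.object, "type", "Opaque")
          not allowed_type[t]
          msg := sprintf("Secret %q in namespace %q is not allowed; read it from Key Vault via the pod's managed identity instead",
                         [input.review.object.metadata.name, ns])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenySecretsOutsideAllowlist
metadata:
  name: deny-app-secrets
spec:
  # Start with "dryrun" to audit the Secrets that already exist, then switch to "deny".
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Secret"]
    # System namespaces are excluded entirely so the control plane and Gatekeeper itself are never blocked.
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
  parameters:
    allowedNamespaces: ["ingress-nginx"]          # assumed: where TLS Secrets are genuinely needed
    allowedTypes: ["kubernetes.io/service-account-token"]
```

Two things to check before turning this on in deny mode. First, run it in `dryrun` and look at the violations Gatekeeper audits, because Secrets are created by more than users: Helm 3 stores release state as Secrets in the release namespace by default, and controllers such as cert-manager write their issued certificates as Secrets, so those namespaces or Secret types need to be in the allow-list or the deployments will fail. Second, an admission rule only stops new and updated Secrets; existing ones stay in etcd, so the audit output is also the inventory for migrating what is already there to Key Vault.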