@yrsuthari

Add simple TTL validator for Kubernetes Secrets

Overview

This PR introduces a simplified Ephemeral Credentials TTL Validator policy that enforces proper credential lifecycle management by requiring TTL annotations on all Kubernetes Secrets. This helps reduce security risks associated with long-lived credentials.

Changes

  • Added simple-policy.yaml - a Kyverno ClusterPolicy that enforces TTL annotations on Secrets
  • Updated README.md with documentation and testing instructions
  • Created test cases that demonstrate policy compliance enforcement

Implementation Details

  • Policy runs in Audit mode to report violations without blocking resource creation
  • Validates that all Secrets have the secrets.kubernetes.io/ttl annotation
  • Excludes system namespaces (kube-system, kube-public)
  • Supports Kubernetes duration format for TTL values (e.g., "24h", "7d")

Testing

Policy has been tested with:

  • Compliant Secret with TTL annotation
  • Non-compliant Secret without TTL annotation
  • Verification via policy events and violation reports

Security Benefits

  • Reduces risk of forgotten credentials becoming security blind spots
  • Limits attacker access window when credentials are compromised
  • Establishes audit trails for credential renewal
  • Aligns with zero-trust security principles and industry best practices

This adds a simple Kubernetes Secret TTL validation policy that enforces proper credential lifecycle management by requiring TTL annotations. Includes test cases and documentation.

Signed-off-by: Yogi Suthari <[email protected]>
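As an added illustration, not code from this PR or from Kyverno, the rule the description above lays out, applied outside the cluster (for instance as a CI pre-check over rendered manifests): skip kube-system and kube-public, require the secrets.kubernetes.io/ttl annotation, and accept TTL values in duration format such as "24h" or "7d". The Secret and Result types, the ParseTTL, CheckSecret, Audit and SampleSecrets functions and the sample Secrets are all assumptions constructed for this example. It goes one step beyond the policy as described and also computes whether a Secret's TTL has already elapsed relative to its creation time. One caveat worth knowing when writing such a check: Go's time.ParseDuration, which Kubernetes uses for its duration fields, has no day unit, so a value like "7d" needs its own handling; the helper below parses a leading day count itself and hands the rest to the library.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// Secret holds only the fields the check needs; it is a constructed stand-in
// for the Kubernetes Secret object, not the client-go type.
type Secret struct {
	Namespace   string
	Name        string
	Annotations map[string]string
	CreatedAt   time.Time
}

// Result is one audit finding; the rule never blocks, it only reports.
type Result struct {
	Key     string // namespace/name
	Status  string // "skip", "fail", "pass" or "expired"
	Message string
}

// TTLAnnotation is the annotation key the PR's policy requires.
const TTLAnnotation = "secrets.kubernetes.io/ttl"

// excludedNamespaces mirrors the PR's system-namespace exclusion.
var excludedNamespaces = map[string]bool{"kube-system": true, "kube-public": true}

// dayPrefix matches a leading day count such as the "7d" in "7d" or "7d12h".
// time.ParseDuration has no day unit, so days are handled here and the
// remainder of the string is passed to the library.
var dayPrefix = regexp.MustCompile(`^(\d+)d`)

// ParseTTL parses a TTL value: Go duration syntax ("24h", "90m", "1h30m")
// with an optional leading day count ("7d", "7d12h"). Zero, negative and
// malformed values are rejected.
func ParseTTL(s string) (time.Duration, error) {
	var total time.Duration
	if m := dayPrefix.FindStringSubmatch(s); m != nil {
		days, err := strconv.ParseInt(m[1], 10, 32)
		if err != nil {
			return 0, fmt.Errorf("bad day count %q: %w", m[1], err)
		}
		total = time.Duration(days) * 24 * time.Hour
		s = s[len(m[0]):]
	}
	if s != "" {
		rest, err := time.ParseDuration(s)
		if err != nil {
			return 0, err
		}
		total += rest
	}
	if total <= 0 {
		return 0, fmt.Errorf("ttl must be a positive duration")
	}
	return total, nil
}

// CheckSecret applies the rule to a single Secret.
func CheckSecret(s Secret, now time.Time) Result {
	key := s.Namespace + "/" + s.Name
	if excludedNamespaces[s.Namespace] {
		return Result{key, "skip", "system namespace is excluded from the rule"}
	}
	raw, ok := s.Annotations[TTLAnnotation]
	if !ok {
		return Result{key, "fail", "missing annotation " + TTLAnnotation}
	}
	ttl, err := ParseTTL(raw)
	if err != nil {
		return Result{key, "fail", fmt.Sprintf("invalid %s=%q: %v", TTLAnnotation, raw, err)}
	}
	expiry := s.CreatedAt.Add(ttl)
	if !now.Before(expiry) {
		return Result{key, "expired", "ttl elapsed at " + expiry.UTC().Format(time.RFC3339)}
	}
	return Result{key, "pass", "expires at " + expiry.UTC().Format(time.RFC3339)}
}

// Audit runs CheckSecret over every Secret and returns all findings,
// reporting rather than blocking, as an Audit-mode policy does.
func Audit(secrets []Secret, now time.Time) []Result {
	out := make([]Result, 0, len(secrets))
	for _, s := range secrets {
		out = append(out, CheckSecret(s, now))
	}
	return out
}

// SampleSecrets is constructed input: one compliant Secret, one missing the
// annotation, one with a malformed TTL, one in an excluded namespace and one
// whose TTL has already elapsed.
func SampleSecrets() []Secret {
	created := time.Date(2025, 8, 1, 0, 0, 0, 0, time.UTC)
	ann := func(v string) map[string]string { return map[string]string{TTLAnnotation: v} }
	return []Secret{
		{"payments", "db-creds", ann("7d"), created},
		{"payments", "legacy-token", nil, created},
		{"payments", "api-key", ann("forever"), created},
		{"kube-system", "bootstrap-token", nil, created},
		{"ci", "deploy-key", ann("24h"), created},
	}
}

func main() {
	now := time.Date(2025, 8, 3, 0, 0, 0, 0, time.UTC)
	for _, r := range Audit(SampleSecrets(), now) {
		fmt.Printf("%-8s %-28s %s\n", r.Status, r.Key, r.Message)
	}
}
```

Run against the constructed sample, db-creds passes, legacy-token and api-key fail (missing and malformed annotation), bootstrap-token is skipped because of its namespace, and deploy-key is reported as expired because its 24h TTL from 1 August has run out by 3 August. The "expired" status is the extra step beyond the presence and format check the policy performs; it is what a controller that actually rotates or deletes such Secrets would key on.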
@yrsuthari yrsuthari requested a review from realshuting August 17, 2025 18:39
@JimBugwadia JimBugwadia enabled auto-merge (squash) October 22, 2025 17:32