Skip to content

Add Ephemeral Credentials TTL Validator Policy#1268

Open
yrsuthari wants to merge 3 commits intokyverno:mainfrom
yrsuthari:ttl-validator
Open

Add Ephemeral Credentials TTL Validator Policy#1268
yrsuthari wants to merge 3 commits intokyverno:mainfrom
yrsuthari:ttl-validator

Conversation

@yrsuthari
Copy link

@yrsuthari yrsuthari commented Mar 31, 2025

Add simple TTL validator for Kubernetes Secrets

Overview

This PR introduces a simplified Ephemeral Credentials TTL Validator policy that enforces proper credential lifecycle management by requiring TTL annotations on all Kubernetes Secrets. This helps reduce security risks associated with long-lived credentials.

Changes

  • Added simple-policy.yaml - a Kyverno ClusterPolicy that enforces TTL annotations on Secrets
  • Updated README.md with documentation and testing instructions
  • Created test cases that demonstrate policy compliance enforcement

Implementation Details

  • Policy runs in Audit mode to report violations without blocking resource creation
  • Validates that all Secrets have the secrets.kubernetes.io/ttl annotation
  • Excludes system namespaces (kube-system, kube-public)
  • Supports Kubernetes duration format for TTL values (e.g., "24h", "7d")

Testing

Policy has been tested with:

  • Compliant Secret with TTL annotation
  • Non-compliant Secret without TTL annotation
  • Verification via policy events and violation reports

Security Benefits

  • Reduces risk of forgotten credentials becoming security blind spots
  • Limits attacker access window when credentials are compromised
  • Establishes audit trails for credential renewal
  • Aligns with zero-trust security principles and industry best practices

@yrsuthari
Add Ephemeral Credentials TTL Validator Policy
13eaa58 
This adds a simple Kubernetes Secret TTL validation policy that enforces proper credential lifecycle management by requiring TTL annotations. Includes test cases and documentation.

Signed-off-by: Yogi Suthari <yrsuthari@gmail.com>
@yrsuthari yrsuthari mentioned this pull request Apr 11, 2025
Merged
realshuting
realshuting reviewed Apr 16, 2025
View reviewed changes
@yrsuthari yrsuthari requested a review from realshuting August 17, 2025 18:39
@JimBugwadia JimBugwadia enabled auto-merge (squash) October 22, 2025 17:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JimBugwadia JimBugwadia JimBugwadia approved these changes

@realshuting realshuting Awaiting requested review from realshuting

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@yrsuthari @JimBugwadia @realshuting