Docs
Blog
Kubevious.io places cookies on your computer or device to make the site work better and to help us understand how you use our site. Further use of this site (by clicking, navigating or scrolling) will be considered consent. Please visit our privacy policy for more information.
Guard
Features
Application Centric UI
Health Monitoring
Cloud Native Tools
Search Engine
Time Machine
Rules Engine
Slack Bot
Built-in Validators
Container
Compute
Configuration
Unused ConfigMap
Unused Secret
Networking
Storage
RBAC
Security
Traefik Proxy
Docs
Built-in Validators
Configuration

Unused Secret

Secrets are used to store sensitive data. Secrets can be used in containers as environment variables or mounted as volumes. Secrets are also used in ServiceAccounts to store the token when accessing Kubernetes API Server. This validator detects when a Secret is not mounted to a volume, not used as container environment variables and not used in any ServiceAccounts. That can be an indication of a typo in a Secret name or Secret references in volume mount, projections, environment variables or ServiceAccounts.

Affected Resources: Secret

Examples

apiVersion: v1 kind: Secret metadata: name: secret-foo # This Secret is not used elsewhere data: my-key: bXktdmFsdWU=
kind: Deployment spec: template: spec: containers: - name: my-container env: - name: MY_ENV_VAR valueFrom: secretKeyRef: name: secret-foo-1 # This Secret is not present key: my-key envFrom: - secretRef: name: secret-foo-2 # This Secret is not present
kind: Deployment spec: template: spec: volumes: - name: my-secret-volume secret: name: secret-bar # This Secret is not present

Resolution

  • Examine applications within the namespace and determine if the Secret is supposed to be mounted to the file system, used as environment variables or used in ServiceAccounts.
  • If the Secret is supposed to be used in volume maps, either correct the Secret name or the reference name.
  • If the Secret is indeed unused, it may need to be just removed.
  • There is a possible false positive trigger for this validator. A Secret can be used by other third-party apps or using direct Kubernetes APIs. Such a condition cannot be detected using in Kubevious, so in such a case, this validator can be turned off or warning just ignored.
    • Prev
    Unused ConfigMap
    Next
    Networking

    Need other validation rules?

    Please let us know if there are other built-in validation rules you would like to see in Kubevious to detect misconfigurations and violations to best practices. Optionally, you can provide your details so we can reach out to you with follow-up questions.

    Share this article on:
    message
    PRODUCTGet StartedDemoOpen-Source
    COMPANYContactPrivacy PolicyTerms and Conditions
    KNOWLEDGE BASEDocumentationKubernetes Best PracticesBlog