Secrethor is a Kubernetes Operator designed to enforce and automate security best practices for secrets management across your Kubernetes clusters. It provides a robust framework for implementing security policies, ensuring compliance, and maintaining operational control over sensitive credentials.
- **Real-time Policy Enforcement**
  - Admission webhook for immediate validation of secret creation/updates
  - Declarative policy definitions using Custom Resource Definitions (CRDs)
  - Comprehensive secret validation rules
- **Policy Management**
  - Namespace-based access control (`allowedNamespaces`)
  - Secret lifecycle management (`maxAgeDays`)
  - Type restrictions (`allowedTypes`)
  - Key-level validation (`requiredKeys`, `forbiddenKeys`)
  - Advanced content validation (`valueConstraints`)
- **Security & Compliance**
  - Built-in support for common compliance frameworks
  - Automated secret rotation capabilities (rotation itself is still to be implemented; `maxAgeDays` currently only expresses the rotation deadline)
  - Audit logging and monitoring integration

**Prerequisites**
- Kubernetes cluster (v1.11.3+)
- Go (v1.22.0+)
- Docker (17.03+)
- kubectl (v1.11.3+)
- cert-manager (installed on the cluster; the admission webhook needs a serving certificate)
Teams define `SecretPolicy` custom resources that validate how and where Kubernetes Secrets may be created, giving governance, compliance, and operational control over sensitive credentials.
Add the Helm repository and install the chart with the admission webhook disabled:

```bash
helm repo add secrethor https://miltlima.github.io/secrethor
helm install secrethor secrethor/secrethor \
  --namespace secrethor-system \
  --create-namespace \
  --set webhook.enabled=false
```

Then enable the webhook with an upgrade:

```bash
helm upgrade secrethor secrethor/secrethor \
  --namespace secrethor-system \
  --set webhook.enabled=true
```

Related chart values (namespace creation):

```yaml
namespace:
  create: true
```

Uninstall the chart and remove the webhook registration it leaves behind:

```bash
helm uninstall secrethor --namespace secrethor-system
kubectl delete validatingwebhookconfiguration secrets.secrethor.dev --ignore-not-found
```

Alternatively, deploy from source with `make`:

```bash
# Deploy the operator
make deploy IMG=docker.io/bonovoo/secrethor:latest
# Verify installation
kubectl get pods -n secrethor-system
```

Example `SecretPolicy`:

```yaml
apiVersion: secrets.secrethor.dev/v1alpha1
kind: SecretPolicy
metadata:
  name: production-policy
spec:
  allowedNamespaces:
    - production
    - staging
  maxAgeDays: 30
  allowedTypes:
    - Opaque
    - kubernetes.io/basic-auth
    - kubernetes.io/dockerconfigjson
  requiredKeys:
    - username
    - password
  forbiddenKeys:
    - token
    - privateKey
  valueConstraints:
    password:
      minLength: 12
      mustContain:
        - upper
        - lower
        - number
        - special
    username:
      minLength: 4
      regex: "^[a-zA-Z0-9_.-]+$"
```

`allowedNamespaces`: List of namespaces where secrets can be created. Use cases:
- Prevent secrets in untrusted namespaces
- Enforce namespace-based access control
- Support multi-tenant environments
`maxAgeDays`: Maximum age of a secret before it must be rotated. Benefits:
- Reduced risk of long-lived credentials
- Compliance with security standards
- Automated secret rotation (to be implemented)

`valueConstraints`: Rules applied to individual secret values. Supported validations:
- Minimum length requirements (`minLength`)
- Character type requirements (`mustContain`)
- Custom regex patterns (`regex`)
- Forbidden patterns
If a Secret is created in a namespace not listed in `allowedNamespaces`, Secrethor will deny the request. This:
- Prevents sensitive secrets from being created in non-secure namespaces
- Encourages security best practices and namespace segmentation
- Helps ensure compliance with standards like PCI, SOC2, ISO, GDPR
**Roadmap**
- Expired secrets detection
- Unused secret detection
- Secret rotation automation
- Enhanced monitoring capabilities
- OLM/OperatorHub support
- Additional secret store integrations
- Advanced compliance reporting
We welcome contributions from the community! Here's how you can help:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request

Please read our Contributing Guidelines for more details.
Apache License - see LICENSE file for details.
Built with ❤️ by Milton Lima de Jesus
