convert disallow-secrets-from-env-vars to cel

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml

@@ -100,4 +100,4 @@ spec:
                   name: foo
             - image: busybox:1.35
               name: busybox02
-          restartPolicy: OnFailures
+          restartPolicy: OnFailure

other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml

@@ -11,23 +11,13 @@ results:
   policy: secrets-not-from-env-vars
   resources:
   - default/secret-env-pod
+  - default/secret-ref-pod
   result: fail
   rule: secrets-not-from-env-vars
 - kind: Pod
   policy: secrets-not-from-env-vars
   resources:
-  - default/secret-ref-pod
+  - default/good-pod
   result: pass
   rule: secrets-not-from-env-vars
-- kind: Pod
-  policy: secrets-not-from-env-vars
-  resources:
-  - default/secret-ref-pod
-  result: fail
-  rule: secrets-not-from-envfrom
-- kind: Pod
-  policy: secrets-not-from-env-vars
-  resources:
-  - default/secret-env-pod
-  result: pass
-  rule: secrets-not-from-envfrom
+

other-cel/disallow-secrets-from-env-vars/.kyverno-test/resource.yaml

@@ -33,3 +33,25 @@ spec:
     - secretRef:
         name: mysecret
   restartPolicy: Never
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: good-pod
+spec:
+  containers:
+  - name: test-container
+    image: registry.k8s.io/busybox
+    env:
+    - name: ENV_VAR_1
+      value: "value1"
+    - name: ENV_VAR_2
+      value: "value2"
+    volumeMounts:
+    - name: mysecret
+      mountPath: /mnt/mysecret
+  volumes:
+  - name: mysecret
+    secret:
+      secretName: mysecret
+

other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml

@@ -1,23 +1,24 @@
-name: disallow-secrets-from-env-vars
+name: disallow-secrets-from-env-vars-cel
 version: 1.0.0
-displayName: Disallow Secrets from Env Vars
-createdAt: "2023-04-10T20:30:04.000Z"
+displayName: Disallow Secrets from Env Vars in CEL expressions
 description: >-
   Secrets used as environment variables containing sensitive information may, if not carefully controlled,  be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml
   ```
 keywords:
   - kyverno
   - Sample
   - EKS Best Practices
+  - CEL Expressions
 readme: |
   Secrets used as environment variables containing sensitive information may, if not carefully controlled,  be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables.
   
   Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
-  kyverno/category: "Sample, EKS Best Practices"
-  kyverno/kubernetesVersion: "null"
+  kyverno/category: "Sample, EKS Best Practices in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod, Secret"
-digest: 79f059e745a1bd214bb91455e985bbb474f4b40590e871b6babaf60a9672b3c9
+digest: 7a8d2c6c16cc66744f7e274ed11d0065c1dc408644746c43effc25fb4261bb01
+createdAt: "2024-03-24T16:54:45Z"

other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml

@@ -3,17 +3,18 @@ kind: ClusterPolicy
 metadata:
   name: secrets-not-from-env-vars
   annotations:
-    policies.kyverno.io/title: Disallow Secrets from Env Vars
-    policies.kyverno.io/category: Sample, EKS Best Practices
+    policies.kyverno.io/title: Disallow Secrets from Env Vars in CEL expressions
+    policies.kyverno.io/category: Sample, EKS Best Practices in CEL 
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod, Secret
-    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kyverno-version: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
     policies.kyverno.io/description: >-
       Secrets used as environment variables containing sensitive information may, if not carefully controlled, 
       be printed in log output which could be visible to unauthorized people and captured in forwarding
       applications. This policy disallows using Secrets as environment variables.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: secrets-not-from-env-vars
@@ -23,25 +24,10 @@ spec:
           kinds:
           - Pod
     validate:
-      message: "Secrets must be mounted as volumes, not as environment variables."
-      pattern:
-        spec:
-          containers:
-          - name: "*"
-            =(env):
-            - =(valueFrom):
-                X(secretKeyRef): "null"
-  - name: secrets-not-from-envfrom
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-    validate:
-      message: "Secrets must not come from envFrom statements."
-      pattern:
-        spec:
-          containers:
-          - name: "*"
-            =(envFrom):
-            - X(secretRef): "null"
+      cel:
+        expressions:
+          - expression: "object.spec.containers.all(container, !has(container.env) || container.env.all(env, !has(env.valueFrom) || !has(env.valueFrom.secretKeyRef)))"
+            message: "Secrets must be mounted as volumes, not as environment variables."
+          - expression: "object.spec.containers.all(container, !has(container.envFrom) || container.envFrom.all(envFrom, !has(envFrom.secretRef)))"
+            message: "Secrets must not come from envFrom statements."
+