k8s-unused-secret-detector

Detect unused secrets

$ k8s-unused-secret-detector

$ k8s-unused-secret-detector [[-n|--namespace]] [namespace]

$ k8s-unused-secret-detector [[-n|--namespace]] [namespace] | kubectl delete secret [[-n|--namespace]] [namespace]

k8s-unused-secret-detector

The k8s-unused-secret-detector is a command-line tool designed to identify Kubernetes Secrets within a cluster that are not actively being utilized by any Pods or Deployments.
It automates the process of analyzing the Kubernetes resource definitions to find Secrets and their references within the cluster. The utility searches for all Secrets in all namespaces and then determines if those secrets are actually being used by any resources like pods, deployments, statefulsets, and daemonsets.
The command helps Kubernetes administrators and developers optimize resource utilization by removing unused secrets, enhancing security by reducing the attack surface and improving compliance. By identifying and removing unused Secrets, organizations can reduce the risk of accidental exposure or misuse of sensitive data.

The tool might not detect secrets used via external controllers or custom operators if they don't follow standard Kubernetes referencing mechanisms. The detector relies on analyzing YAML/JSON definitions and will not be able to identify secrets used through more obscure methods.

Running the command without any options will analyze all secrets in all namespaces and output a list of unused secrets.

Ensure the account running the command has the necessary permissions to list and get secrets and pods across all namespaces.