LinuxCommandLibrary

k8s-unused-secret-detector

Find unused Kubernetes secrets in your cluster

TLDR

Detect unused secrets

$ k8s-unused-secret-detector

Detect unused secrets in a specific namespace
$ k8s-unused-secret-detector [[-n|--namespace]] [namespace]

Delete unused secrets in a specific namespace
$ k8s-unused-secret-detector [[-n|--namespace]] [namespace] | xargs kubectl delete secret [[-n|--namespace]] [namespace]

SYNOPSIS

k8s-unused-secret-detector

DESCRIPTION

k8s-unused-secret-detector is a command-line tool that identifies Kubernetes Secrets in a cluster that are not referenced by any running workload.
It automates the analysis of the cluster's resource definitions: it lists every Secret (in all namespaces by default, or in one namespace with -n) and then checks whether each one is referenced by a Pod, Deployment, StatefulSet or DaemonSet.
The tool helps Kubernetes administrators and developers remove stale Secrets, which keeps resource usage down, shrinks the attack surface and simplifies compliance: a Secret that nothing uses is still readable by anyone with get access to it, so removing it eliminates one place sensitive data can be exposed or misused.

CAVEATS

The tool can miss Secrets consumed by external controllers or custom operators that do not use the standard Kubernetes referencing mechanisms (for example, a controller that reads a Secret directly through the API instead of mounting it into a Pod). Because the detector works from the YAML/JSON definitions of workloads, a Secret referenced only through such a channel is reported as unused even though deleting it would break the consumer. Review the reported list before piping it into kubectl delete.
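To make the detection logic described above and the caveat concrete, here is an added Python example that is not the tool's own code. It runs the same kind of scan over constructed kubectl-style JSON objects (in a real cluster the input would come from `kubectl get <kind> -A -o json`): it collects every Secret name a PodSpec references through the standard mechanisms (env secretKeyRef, envFrom secretRef, secret and projected volumes, imagePullSecrets), walks the pod template of Deployments, StatefulSets and DaemonSets, and reports the Secrets nothing references. The `IGNORED_TYPES` set and the optional Ingress scanner are this example's own assumptions, added to show how a Secret consumed outside the scanned workload kinds (here an Ingress TLS certificate) shows up as a false positive until a scanner for that consumer is added.

```python
"""Toy unused-Secret scan over kubectl-style JSON (added example, constructed data)."""

WORKLOAD_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet"}

# Assumption: these Secret types are in use without ever being referenced by a
# PodSpec (Helm release storage, service-account tokens), so they are skipped
# to avoid false positives.
IGNORED_TYPES = {"helm.sh/release.v1", "kubernetes.io/service-account-token"}


def pod_spec_secret_refs(spec):
    """Return the Secret names a PodSpec references through standard mechanisms."""
    refs = set()
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for env in container.get("env", []):
            key_ref = env.get("valueFrom", {}).get("secretKeyRef")
            if key_ref:
                refs.add(key_ref["name"])
        for env_from in container.get("envFrom", []):
            if "secretRef" in env_from:
                refs.add(env_from["secretRef"]["name"])
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            refs.add(vol["secret"]["secretName"])
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                refs.add(src["secret"]["name"])
    for pull in spec.get("imagePullSecrets", []):
        refs.add(pull["name"])
    return refs


def ingress_tls_refs(obj):
    """Extra scanner (hypothetical): Secrets named in Ingress spec.tls."""
    if obj["kind"] != "Ingress":
        return set()
    return {t["secretName"] for t in obj["spec"].get("tls", []) if "secretName" in t}


def referenced_secrets(objects, extra_scanners=()):
    """Collect (namespace, name) pairs referenced by workloads and extra scanners."""
    used = set()
    for obj in objects:
        ns = obj["metadata"]["namespace"]
        if obj["kind"] in WORKLOAD_KINDS:
            # A bare Pod carries its PodSpec directly; controllers carry a template.
            spec = obj["spec"] if obj["kind"] == "Pod" else obj["spec"]["template"]["spec"]
            used.update((ns, name) for name in pod_spec_secret_refs(spec))
        for scan in extra_scanners:
            used.update((ns, name) for name in scan(obj))
    return used


def unused_secrets(secrets, objects, extra_scanners=()):
    """Return sorted (namespace, name) of Secrets that nothing in `objects` references."""
    used = referenced_secrets(objects, extra_scanners)
    return sorted(
        (s["metadata"]["namespace"], s["metadata"]["name"])
        for s in secrets
        if s.get("type", "Opaque") not in IGNORED_TYPES
        and (s["metadata"]["namespace"], s["metadata"]["name"]) not in used
    )


# Constructed sample data, trimmed to the fields the scan reads.
def _secret(name, type_="Opaque"):
    return {"kind": "Secret", "type": type_, "metadata": {"namespace": "prod", "name": name}}


SAMPLE_SECRETS = [
    _secret("db-creds"),
    _secret("registry-pull", "kubernetes.io/dockerconfigjson"),
    _secret("tls-cert", "kubernetes.io/tls"),
    _secret("old-api-key"),
    _secret("sh.helm.release.v1.app.v1", "helm.sh/release.v1"),
]
SAMPLE_OBJECTS = [
    {"kind": "Deployment", "metadata": {"namespace": "prod", "name": "api"},
     "spec": {"template": {"spec": {"containers": [{"name": "api", "env": [
         {"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}]}]}}}},
    {"kind": "Pod", "metadata": {"namespace": "prod", "name": "worker"},
     "spec": {"containers": [{"name": "w"}], "imagePullSecrets": [{"name": "registry-pull"}]}},
    {"kind": "Ingress", "metadata": {"namespace": "prod", "name": "web"},
     "spec": {"tls": [{"hosts": ["example.test"], "secretName": "tls-cert"}]}},
]

if __name__ == "__main__":
    # Workload-only scan versus the same scan with the Ingress scanner added.
    for label, scanners in (("workloads only", ()), ("with Ingress", (ingress_tls_refs,))):
        print(label, unused_secrets(SAMPLE_SECRETS, SAMPLE_OBJECTS, scanners))
```

With only the workload kinds scanned, both old-api-key and tls-cert are reported; adding the Ingress scanner leaves only old-api-key, which is the kind of difference the caveat above is warning about.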

EXAMPLE USAGE

Running the command without any options analyzes all Secrets in all namespaces and outputs a list of the unused ones; pass -n to restrict the scan to a single namespace.

SECURITY CONSIDERATIONS

Ensure the account running the command has permission to list and get Secrets and the workload resources (Pods, Deployments, StatefulSets, DaemonSets) across all namespaces it should scan, and nothing more: the detector only needs read access, so delete permission on Secrets should be granted separately and only to the identity that performs the cleanup.
