default namespace secret — the golden source of truth — as the single place to rotate credentials.

- Embedding secret data into the policy duplicates sensitive material across policy manifests.
- Every rotation would require updating the policy, increasing risk and administrative overhead.
- The data source is best when the policy itself should be the canonical resource definition.
For the data source you include a
data (or inline manifest) under generate. For the clone source you declare a clone block that references the source namespace and name.
Example: clone a shared image pull secret to every new Namespace
This ClusterPolicy clones the regcred Secret from the default namespace into each new Namespace. The rule matches Namespace creation; generate declares the downstream Secret and clone points to the golden source. synchronize: true keeps downstream clones in sync with the source.
synchronize: true, Kyverno detects updates to the golden secret in default and propagates them to every cloned Secret across the cluster. Alice manages only the master secret; Kyverno manages distributed copies.
Best practices and security
When cloning Secrets across namespaces, ensure proper RBAC and policy scoping so only authorized controllers and users can view or create clones. Consider encryption-at-rest,
imagePullSecrets usage patterns, and tools like Sealed Secrets for additional protection. See the Kyverno documentation for generate/clone details: https://kyverno.io/docs/writing-policies/generate/synchronize flag controls how Kyverno reconciles differences between the source, downstream clones, and trigger resources. Below is a concise summary; refer to your cluster policy needs when choosing true or false.

Note:
synchronize: true can delete downstream resources if the source is deleted or if the trigger no longer matches. Use caution to avoid accidental data loss and verify the source lifecycle before enabling synchronization.- Use label selectors and
matchcriteria to limit which Namespaces or resources receive clones. - Monitor Kyverno logs and events to verify clones are created and synced as expected.
- Consider combining generate/clone rules with admission controls to ensure workloads reference the correct
imagePullSecrets.
- Kyverno generate rules: https://kyverno.io/docs/writing-policies/generate/
- Kyverno documentation: https://kyverno.io
- Sealed Secrets (Bitnami): https://github.com/bitnami-labs/sealed-secrets
- Kubernetes Secrets: https://kubernetes.io/docs/concepts/configuration/secret/
- Use the data source when the policy should be the canonical manifest and you want to author the resource inside the policy.
- Use the clone source when a resource already exists in-cluster and you want Kyverno to replicate it elsewhere.
synchronize: trueensures downstream clones automatically follow source updates and are deleted if the source or trigger disappears.- Be mindful of security controls, RBAC, and the lifecycle of the golden secret when cloning Secrets across namespaces.
cloneList allows cloning an entire list of resources with a single rule.