Skip to main content

KA-X004: Secret reference not found

Info Cross-Resource

Why This Matters

A workload references a Secret that is not defined in the manifest. If the Secret does not exist at deploy time, the Pod will fail to start with a CreateContainerConfigError. This may be expected if the Secret is created out-of-band (e.g., sealed-secrets, external-secrets).

How to Fix

Add the referenced Secret to the manifest

Before (incorrect)

volumes:
  - name: creds
    secret:
      secretName: db-creds

After (correct)

volumes:
  - name: creds
    secret:
      secretName: db-creds
---
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
data:
  password: cGFzc3dvcmQ=

Rule Details

Rule Code
KA-X004
Severity
Info
Category
Cross-Resource

Related Rules

KA-X001 Warning

Service selector matches no Pod template
KA-X002 Warning

Ingress references undefined Service
KA-X006 Warning

ServiceAccount reference not found
KA-X008 Warning

HPA targets non-existent resource
KA-X003 Info

ConfigMap reference not found