My namespace contains multiple secrets and pods. The secrets are selectively mounted on pods as volumes using the deployment spec. Is it possible to deny specific secrets from being mounted as volumes in certain pods? I have tested RBAC, and it prevents pods from accessing secrets over the API. Is there a similar mechanism for mounted secrets, considering that there is a security risk in allowing all secrets to be mounted in pods in the same namespace?
There is no easy way to do that, because the secret is mounted by the kubelet. But you could have a validating webhook configured to intercept all pod creation requests coming to the Kubernetes API server. You would write code in the webhook to validate the request and only allow pod creation if the pod spec does not reference any invalid or unwanted secrets; otherwise it rejects the pod creation request.
Another option would be to have the pod creation request validated by Open Policy Agent, where you can write a policy to implement similar validation.
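The validating webhook described in this answer, as an added example that is not the answerer's code or any project's code. It keys the policy on the pod's namespace and `serviceAccountName` (the identity the pod actually runs as), walks every place a pod spec can reference a secret (volumes, projected volumes, CSI `nodePublishSecretRef`, `env`/`envFrom`, `imagePullSecrets`), and returns an `AdmissionReview` response that denies the pod if it references anything not on the allow list. The `ALLOWED_SECRETS` table, the `payments` namespace, the secret names, the sample request and the `tls.crt`/`tls.key` paths are all hypothetical; only the Python standard library is used.

```python
"""Admission logic for a validating webhook that rejects pods referencing
secrets they are not allowed to use. Added example, not from the answer."""
import json
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical policy: secrets each (namespace, serviceAccountName) pair may
# reference. Pods with no serviceAccountName run as "default". Anything not
# listed is denied, so an unknown service account gets no secrets at all.
ALLOWED_SECRETS = {
    ("payments", "payments-api"): {"db-credentials", "api-tls"},
    ("payments", "default"): set(),
}


def referenced_secrets(pod):
    """Every secret name a pod spec can pull in. RBAC covers none of these;
    the kubelet fetches them on the pod's behalf."""
    spec = pod.get("spec", {})
    names = set()
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"].get("secretName"))
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                names.add(src["secret"].get("name"))
        ref = vol.get("csi", {}).get("nodePublishSecretRef")
        if ref:
            names.add(ref.get("name"))
    for kind in ("containers", "initContainers", "ephemeralContainers"):
        for container in spec.get(kind, []):
            for env in container.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    names.add(ref.get("name"))
            for env_from in container.get("envFrom", []):
                ref = env_from.get("secretRef")
                if ref:
                    names.add(ref.get("name"))
    for pull in spec.get("imagePullSecrets", []):
        names.add(pull.get("name"))
    names.discard(None)
    return names


def review(admission_review, policy=ALLOWED_SECRETS):
    """Turn an AdmissionReview request into an AdmissionReview response."""
    req = admission_review["request"]
    pod = req["object"]
    # On CREATE, metadata.namespace may be empty; request.namespace is always set.
    namespace = req.get("namespace") or pod.get("metadata", {}).get("namespace", "default")
    service_account = pod.get("spec", {}).get("serviceAccountName", "default")
    allowed = policy.get((namespace, service_account), set())
    denied = sorted(referenced_secrets(pod) - allowed)
    response = {"uid": req["uid"], "allowed": not denied}
    if denied:
        response["status"] = {
            "code": 403,
            "message": f"pod may not reference secrets {denied} "
                       f"(namespace={namespace}, serviceAccount={service_account})",
        }
    return {"apiVersion": admission_review["apiVersion"],
            "kind": "AdmissionReview", "response": response}


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers["Content-Length"]))
        out = json.dumps(review(json.loads(body))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(out)


# Constructed sample: a CREATE request for a pod that mounts an allowed secret
# but also reads the unlisted "payroll-key" into an environment variable.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "7f2c3d1e-0000-4000-8000-000000000001",
        "namespace": "payments", "operation": "CREATE",
        "object": {
            "metadata": {"name": "payments-api-5d8f"},
            "spec": {
                "serviceAccountName": "payments-api",
                "volumes": [{"name": "db", "secret": {"secretName": "db-credentials"}}],
                "containers": [{
                    "name": "api", "image": "payments-api:1.0",
                    "env": [{"name": "PAYROLL", "valueFrom": {
                        "secretKeyRef": {"name": "payroll-key", "key": "token"}}}],
                }],
            },
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REQUEST)["response"], indent=2))
    # The API server only calls webhooks over HTTPS; tls.crt/tls.key stand in
    # for the serving certificate issued for the webhook's Service.
    server = HTTPServer(("0.0.0.0", 8443), WebhookHandler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("tls.crt", "tls.key")
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    server.serve_forever()
```

Register it with a `ValidatingWebhookConfiguration` for `CREATE` on `pods` and set `failurePolicy: Fail`, so an unreachable webhook fails closed rather than letting everything through. Pods created by a Deployment's ReplicaSet still arrive at the API server as pod creation requests, so intercepting pods is enough; the Deployment object itself does not need to be checked. The same allow-list is straightforward to express as a Rego policy for OPA/Gatekeeper, which is the second option the answer mentions.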