All Policies
Restrict Auto-Mount of Service Account Tokens
Kubernetes automatically mounts ServiceAccount credentials in each Pod. The ServiceAccount may be assigned roles allowing Pods to access API resources. Blocking this ability is an extension of the least privilege best practice and should be followed if Pods do not need to speak to the API server to function. This policy ensures that mounting of these ServiceAccount tokens is blocked.
Policy Definition
/other/restrict-automount-sa-token/restrict-automount-sa-token.yaml
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: restrict-automount-sa-token
5 annotations:
6 policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens
7 policies.kyverno.io/category: Sample, EKS Best Practices
8 policies.kyverno.io/severity: medium
9 policies.kyverno.io/subject: Pod,ServiceAccount
10 policies.kyverno.io/minversion: 1.6.0
11 policies.kyverno.io/description: >-
12 Kubernetes automatically mounts ServiceAccount credentials in each Pod.
13 The ServiceAccount may be assigned roles allowing Pods to access API resources.
14 Blocking this ability is an extension of the least privilege best practice and should
15 be followed if Pods do not need to speak to the API server to function.
16 This policy ensures that mounting of these ServiceAccount tokens is blocked.
17spec:
18 validationFailureAction: audit
19 background: true
20 rules:
21 - name: validate-automountServiceAccountToken
22 match:
23 any:
24 - resources:
25 kinds:
26 - Pod
27 preconditions:
28 all:
29 - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}"
30 operator: NotEquals
31 value: policy-reporter
32 validate:
33 message: "Auto-mounting of Service Account tokens is not allowed."
34 pattern:
35 spec:
36 automountServiceAccountToken: "false"