
Restrict Pod Controller ServiceAccount Updates

ServiceAccounts that can edit or patch the workloads they created could use that privilege to switch those workloads to a different ServiceAccount with higher privileges. This policy, intended to be run in `enforce` mode, blocks updates to Pod controllers if those updates modify the serviceAccountName field. Updates to Pods directly for this field are not possible, as it is immutable once set.

Policy Definition

/other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-pod-controller-serviceaccount-updates
  annotations:
    policies.kyverno.io/title: Restrict Pod Controller ServiceAccount Updates
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: Medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      ServiceAccounts which have the ability to edit/patch workloads which they created
      may potentially use that privilege to update to a different ServiceAccount with higher
      privileges. This policy, intended to be run in `enforce` mode, blocks updates
      to Pod controllers if those updates modify the serviceAccountName field. Updates to Pods
      directly for this field are not possible as it is immutable once set.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: block-serviceaccount-updates
      match:
        any:
        - resources:
            kinds:
            - DaemonSet
            - Deployment
            - Job
            - StatefulSet
            - ReplicaSet
            - ReplicationController
      preconditions:
        all:
        - key: "{{ request.operation }}"
          operator: Equals
          value: UPDATE
      validate:
        message: >-
          The serviceAccountName field may not be changed once created.
        deny:
          conditions:
            all:
            - key: "{{ request.object.spec.template.spec.serviceAccountName || 'empty'}}"
              operator: NotEquals
              value: "{{ request.oldObject.spec.template.spec.serviceAccountName || 'empty'}}"
    - name: block-serviceaccount-updates-cronjob
      match:
        any:
        - resources:
            kinds:
            - CronJob
      preconditions:
        all:
        - key: "{{ request.operation }}"
          operator: Equals
          value: UPDATE
      validate:
        message: >-
          The serviceAccountName field may not be changed once created.
        deny:
          conditions:
            all:
            - key: "{{ request.object.spec.jobTemplate.spec.template.spec.serviceAccountName || 'empty'}}"
              operator: NotEquals
              value: "{{ request.oldObject.spec.jobTemplate.spec.template.spec.serviceAccountName || 'empty'}}"
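To see how the two rules decide an admission request, the following is an added Python simulation of the match, precondition and deny chain; it is not part of the policy library and does not use Kyverno's JMESPath engine, and the Deployment and CronJob manifests it builds are constructed samples. It also shows a side effect of the `|| 'empty'` fallback: an update that merely makes the implicit default ServiceAccount explicit compares as a change and is denied.

```python
# Where the policy's two rules read the Pod template, and the kinds they match.
POD_TEMPLATE_PATH = ("spec", "template", "spec", "serviceAccountName")
CRONJOB_TEMPLATE_PATH = ("spec", "jobTemplate") + POD_TEMPLATE_PATH
MATCHED_KINDS = {"DaemonSet", "Deployment", "Job", "StatefulSet", "ReplicaSet",
                 "ReplicationController", "CronJob"}
DENY_MESSAGE = "The serviceAccountName field may not be changed once created."

def sa_or_empty(obj, path):
    """Mimic the JMESPath `<path> || 'empty'`: a missing, null or "" value yields 'empty'."""
    cur = obj
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return "empty"
        cur = cur[key]
    return cur if cur else "empty"

def admission_decision(operation, new_obj, old_obj):
    """Replay the policy's match -> precondition -> deny chain; returns (allowed, reason)."""
    kind = new_obj.get("kind")
    if kind not in MATCHED_KINDS or operation != "UPDATE":
        return True, "rule does not apply"  # match or precondition not satisfied
    path = CRONJOB_TEMPLATE_PATH if kind == "CronJob" else POD_TEMPLATE_PATH
    if sa_or_empty(new_obj, path) != sa_or_empty(old_obj, path):
        return False, DENY_MESSAGE  # deny condition true: request is rejected
    return True, "serviceAccountName unchanged"

def deployment(sa=None, image="app:1.0"):
    """Constructed sample Deployment carrying only the fields the policy reads."""
    pod_spec = {"containers": [{"name": "app", "image": image}]}
    if sa is not None:
        pod_spec["serviceAccountName"] = sa
    return {"kind": "Deployment", "spec": {"template": {"spec": pod_spec}}}

def cronjob(sa=None):
    """Constructed sample CronJob; its Pod template sits one level deeper, under jobTemplate."""
    pod_spec = {"containers": [{"name": "job", "image": "job:1.0"}]}
    if sa is not None:
        pod_spec["serviceAccountName"] = sa
    return {"kind": "CronJob", "spec": {"jobTemplate": {"spec": {"template": {"spec": pod_spec}}}}}

if __name__ == "__main__":
    # A workload swapping its Deployment to a more privileged ServiceAccount: denied.
    print(admission_decision("UPDATE", deployment("admin-sa"), deployment("app-sa")))
    # A routine image bump that leaves the ServiceAccount alone: allowed.
    print(admission_decision("UPDATE", deployment("app-sa", "app:1.1"), deployment("app-sa")))
    # Spelling out the implicit default ('empty' -> 'default') is also denied as written.
    print(admission_decision("UPDATE", cronjob("default"), cronjob()))
```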