Restrict Pod Controller ServiceAccount Updates
ServiceAccounts that are able to edit or patch the workloads they created may use that privilege to switch those workloads to a different ServiceAccount with higher privileges. This policy, intended to be run in `enforce` mode, blocks updates to Pod controllers when the update modifies the serviceAccountName field of the Pod template. Updates to this field on Pods directly are not possible, as it is immutable once set.
Policy Definition
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-pod-controller-serviceaccount-updates
  annotations:
    policies.kyverno.io/title: Restrict Pod Controller ServiceAccount Updates
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: Medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      ServiceAccounts which have the ability to edit/patch workloads which they created
      may potentially use that privilege to update to a different ServiceAccount with higher
      privileges. This policy, intended to be run in `enforce` mode, blocks updates
      to Pod controllers if those updates modify the serviceAccountName field. Updates to Pods
      directly for this field are not possible as it is immutable once set.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: block-serviceaccount-updates
    match:
      any:
      - resources:
          kinds:
          - DaemonSet
          - Deployment
          - Job
          - StatefulSet
          - ReplicaSet
          - ReplicationController
    preconditions:
      all:
      - key: "{{ request.operation }}"
        operator: Equals
        value: UPDATE
    validate:
      message: >-
        The serviceAccountName field may not be changed once created.
      deny:
        conditions:
          all:
          - key: "{{ request.object.spec.template.spec.serviceAccountName || 'empty'}}"
            operator: NotEquals
            value: "{{ request.oldObject.spec.template.spec.serviceAccountName || 'empty'}}"
  - name: block-serviceaccount-updates-cronjob
    match:
      any:
      - resources:
          kinds:
          - CronJob
    preconditions:
      all:
      - key: "{{ request.operation }}"
        operator: Equals
        value: UPDATE
    validate:
      message: >-
        The serviceAccountName field may not be changed once created.
      deny:
        conditions:
          all:
          - key: "{{ request.object.spec.jobTemplate.spec.template.spec.serviceAccountName || 'empty'}}"
            operator: NotEquals
            value: "{{ request.oldObject.spec.jobTemplate.spec.template.spec.serviceAccountName || 'empty'}}"
```
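To see what the two deny conditions actually compare, the following added example (not part of the Kyverno policy library, and not Kyverno's own engine) re-implements the rule logic in plain Python over constructed admission requests. It reproduces the `|| 'empty'` null-coalescing, which has one consequence worth knowing before enforcing: a template with no serviceAccountName evaluates to the literal `'empty'`, so an update that sets the field explicitly to `default` is still treated as a change and denied. The `make_request` helper and its sample objects are constructed for illustration only.

```python
from typing import Any, Dict, Optional, Tuple

# Pod-template path per controller kind, mirroring the policy's two rules
# (the CronJob rule reaches through spec.jobTemplate).
TEMPLATE_PATH: Dict[str, Tuple[str, ...]] = {
    k: ("spec", "template", "spec")
    for k in ("DaemonSet", "Deployment", "Job", "StatefulSet", "ReplicaSet", "ReplicationController")
}
TEMPLATE_PATH["CronJob"] = ("spec", "jobTemplate", "spec", "template", "spec")


def service_account(obj: Dict[str, Any], path: Tuple[str, ...]) -> str:
    """Resolve serviceAccountName like the JMESPath `... || 'empty'` expression:
    a missing or empty value becomes the literal 'empty'."""
    node: Any = obj
    for key in path + ("serviceAccountName",):
        node = node.get(key) if isinstance(node, dict) else None
    return node or "empty"


def is_denied(request: Dict[str, Any]) -> bool:
    """True when the policy's deny condition fires for an admission request."""
    if request.get("operation") != "UPDATE":          # precondition: UPDATE only
        return False
    path = TEMPLATE_PATH.get(request["object"].get("kind", ""))
    if path is None:                                   # kind not matched by either rule
        return False
    new_sa = service_account(request["object"], path)
    old_sa = service_account(request["oldObject"], path)
    return new_sa != old_sa                            # NotEquals -> deny


def make_request(kind: str, old_sa: Optional[str], new_sa: Optional[str],
                 operation: str = "UPDATE") -> Dict[str, Any]:
    """Constructed admission request (sample data, not a real API object)."""
    def controller(sa: Optional[str]) -> Dict[str, Any]:
        pod_spec = {} if sa is None else {"serviceAccountName": sa}
        if kind == "CronJob":
            return {"kind": kind, "spec": {"jobTemplate": {"spec": {"template": {"spec": pod_spec}}}}}
        return {"kind": kind, "spec": {"template": {"spec": pod_spec}}}
    return {"operation": operation, "object": controller(new_sa), "oldObject": controller(old_sa)}


if __name__ == "__main__":
    print(is_denied(make_request("Deployment", "default", "cluster-admin-sa")))  # True
    print(is_denied(make_request("CronJob", None, "default")))                   # True: unset -> explicit
    print(is_denied(make_request("Deployment", "default", "default")))           # False
```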