kyverno/test/more/restrict_automount_sa_token.yaml

apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-automount-sa-token
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: Kubernetes automatically mounts service account 
      credentials in each pod. The service account may be assigned roles allowing pods 
      to access API resources. To restrict access, opt out of auto-mounting tokens by 
      setting automountServiceAccountToken to false.
spec:
  rules:
  - name: validate-automountServiceAccountToken
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Auto-mounting of Service Account tokens is not allowed"
      pattern:
        spec:
          automountServiceAccountToken: false
update api in samples/ 2019-11-13 21:56:20 +00:00			`apiVersion : kyverno.io/v1`
update restrict_automount_sa_token 2019-11-11 05:57:20 +00:00			`kind: ClusterPolicy`
			`metadata:`
			`name: restrict-automount-sa-token`
			`annotations:`
			`policies.kyverno.io/category: Security`
			`policies.kyverno.io/description: Kubernetes automatically mounts service account`
			`credentials in each pod. The service account may be assigned roles allowing pods`
			`to access API resources. To restrict access, opt out of auto-mounting tokens by`
			`setting automountServiceAccountToken to false.`
			`spec:`
			`rules:`
			`- name: validate-automountServiceAccountToken`
			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
			`message: "Auto-mounting of Service Account tokens is not allowed"`
			`pattern:`
			`spec:`
			`automountServiceAccountToken: false`