From 24f3b8ac969abcd034281c6cf12a68869f92ca93 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Thu, 10 Oct 2019 12:29:48 -0700
Subject: [PATCH] disallow automountServiceAccountToken

---
 examples/best_practices/README.md | 1 +
 pkg/testrunner/testrunner_test.go | 4 ++--
 samples/README.md | 7 +++++++
 .../disallow_automountingapicred.yaml | 17 +++++++++++++++++
 .../disallow_automountingapicred.yaml | 12 ++++++++++++
 ...utate_pod_disable_automountingapicred.yaml | 19 -------------------
 ...validate_disallow_automountingapicred.yaml | 18 ++++++++++++++++++
 7 files changed, 57 insertions(+), 21 deletions(-)
 create mode 100644 samples/best_practices/disallow_automountingapicred.yaml
 create mode 100644 test/manifest/disallow_automountingapicred.yaml
 delete mode 100644 test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
 create mode 100644 test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml

diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index cd50bfd357..5c70fafcc5 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -3,6 +3,7 @@
 | Best practice | Policy | scenario|
 |------------------------------------------------|------------------------------------|---------------------|
 | Run as non-root user | [policy_validate_deny_runasrootuser.yaml](policy_validate_deny_runasrootuser.yaml) | best_practices |
+| Disallow automount api credentials | []() | best_practices |
 | Disallow privileged and privilege escalation | [policy_validate_container_disallow_priviledgedprivelegesecalation.yaml](policy_validate_container_disallow_priviledgedprivelegesecalation.yaml) | best_practices |
 | Disallow use of host networking and ports | [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml) | best_practices |
 | Disallow use of host filesystem | [policy_validate_host_path.yaml](policy_validate_host_path.yaml) |
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 21409ca3ab..971e9340e3 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -76,8 +76,8 @@ func Test_validate_require_image_tag_not_latest_pass(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml")
 }
 
-func Test_mutate_pod_disable_automoutingapicred_pass(t *testing.T) {
- testScenario(t, "test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml")
+func Test_validate_disallow_automoutingapicred_pass(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml")
 }
 
 func Test_validate_disallow_default_namespace(t *testing.T) {
diff --git a/samples/README.md b/samples/README.md
index 515c3a092d..7b34b05c5a 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -19,6 +19,13 @@ By default, processes in a container run as a root user (uid 0). To prevent comp
 * [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) +## Disallow automounte API credentials + +One can access the API from inside a pod using automatically mounted service account credentials by default. To restrict access, opt out of automounting API credentials for any pod by setting `automountServiceAccountToken` to `false`. + +***Policy YAML***: [disallow_automountingapicred.yaml](best_practices/disallow_automountingapicred.yaml) + + ## Disallow use of default namespace Namespaces are a way to divide cluster resources between multiple users. When multiple users or teams are sharing a single cluster, it is recommended to isolate different workloads and aviod using default namespace.
diff --git a/samples/best_practices/disallow_automountingapicred.yaml b/samples/best_practices/disallow_automountingapicred.yaml
new file mode 100644
index 0000000000..4fc070d8b4
--- /dev/null
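Review bot: The renamed test still exercises only the accepting path: the scenario it loads feeds a pod that already sets `automountServiceAccountToken: false` (the fixture added in test/manifest/disallow_automountingapicred.yaml and the expectation in test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml), so a regression that let the policy admit a pod without the field would go unnoticed. A second scenario whose pod omits the field or sets it to `true`, presumably expecting `success: false`, would pin the deny path, which is the property this policy exists for. Separately, the new function name keeps the `automoutingapicred` spelling while the scenario path says `automountingapicred`; `func Test_validate_disallow_automountingapicred_pass(t *testing.T) {` would keep the test findable from the file name.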
+++ b/samples/best_practices/disallow_automountingapicred.yaml
@@ -0,0 +1,17 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-disallow-automoutingapicred
+spec:
+ rules:
+ - name: disallow-automoutingapicred
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Deny automounting API credentials"
+ pattern:
+ spec:
+ =(serviceAccountName): "*"
+ automountServiceAccountToken: false
\ No newline at end of file
diff --git a/test/manifest/disallow_automountingapicred.yaml b/test/manifest/disallow_automountingapicred.yaml
new file mode 100644
index 0000000000..301afe5493
--- /dev/null
+++ b/test/manifest/disallow_automountingapicred.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ serviceAccountName: default
+ automountServiceAccountToken: false
+ containers:
+ - name: nginx
+ image: nginx
\ No newline at end of file
diff --git a/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml b/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
deleted file mode 100644
index b9eaac4340..0000000000
--- a/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
- policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
- resource: examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
-expected:
- mutation:
- patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml
- policyresponse:
- policy: mutate-pod-disable-automoutingapicred
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: myapp-pod
- rules:
- - name: pod-disable-automoutingapicred
- type: Mutation
- message: "succesfully process overlay"
- success: true
\ No newline at end of file
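Review bot: The pattern at the end of the policy hunk requires `automountServiceAccountToken: false` to be written on the pod spec itself, so a pod that omits the field and relies on its ServiceAccount carrying `automountServiceAccountToken: false` (which Kubernetes honours when the pod is silent) is denied with the same message as a pod that actually mounts the token. If that strictness is intended, say so in the message, e.g. `message: "Pods must explicitly set spec.automountServiceAccountToken to false"`, and note in the samples README that this validate rule rejects such pods rather than patching them, as the mutate scenario this commit removes apparently did. The policy and rule names keep the `automoutingapicred` spelling that the new scenario file also expects under `policy:` and `rules[].name`, so any rename must be mirrored there. The examples/best_practices/README.md row added in this commit links to `[]()` instead of to this file.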
diff --git a/test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml b/test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml
new file mode 100644
index 0000000000..60cd4bf1c2
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: samples/best_practices/disallow_automountingapicred.yaml
+ resource: test/manifest/disallow_automountingapicred.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-disallow-automoutingapicred
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: disallow-automoutingapicred
+ type: Validation
+ message: Validation rule 'disallow-automoutingapicred' succesfully validated
+ success: true
\ No newline at end of file