diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index 94e2d67b63..b79c0fc2cd 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -16,6 +16,6 @@
 | Disallow latest tag and pull IfNotPresent | [policy_validate_image_latest_ifnotpresent_deny.yaml](policy_validate_image_latest_ifnotpresent_deny.yaml) |
 | Require a namespace (disallow default) | [policy_validate_default_namespace.yaml](policy_validate_default_namespace.yaml) |
 | Disallow use of kube-system namespace | |
-| Prevent mounting of service account secret | |
+| Prevent mounting of default service account | [policy_validate_disallow_default_serviceaccount.yaml](policy_validate_disallow_default_serviceaccount.yaml) |
 | Require a default network policy | [policy_validate_default_network_policy.yaml](policy_validate_default_network_policy.yaml) |
 | Require namespace quotas and limit ranges | [policy_validate_namespace_quota.yaml](policy_validate_namespace_quota.yaml) |
diff --git a/examples/best_practices/policy_validate_disallow_default_serviceaccount.yaml b/examples/best_practices/policy_validate_disallow_default_serviceaccount.yaml
new file mode 100644
index 0000000000..bf7cc2b884
--- /dev/null
+++ b/examples/best_practices/policy_validate_disallow_default_serviceaccount.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-disallow-default-serviceaccount
+spec:
+ rules:
+ - name: prevent-mounting-default-serviceaccount
+ exclude:
+ resources:
+ namespaces:
+ - kube-system
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Prevent mounting of default service account."
+ pattern:
+ spec:
+ serviceAccountName: "!default"
\ No newline at end of file
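Review bot: The pattern `serviceAccountName: "!default"` rejects a Pod that names the default account explicitly, but a Pod that omits `spec.serviceAccountName` altogether also runs under the namespace's default service account. Whether the rule fails on a missing key depends on how the pattern matcher treats absent fields, and neither the resource fixture in the next hunk nor the scenario at the end of the diff exercises that case (nor the allow path with a non-default account), so two more fixtures would pin the intended behaviour either way. The rule name and message speak of "mounting", yet the check is on the account's name rather than on token mounting (`automountServiceAccountToken`); a message such as `message: "Using the default service account is not allowed."` describes what the pattern actually enforces. The file also lacks a trailing newline.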
diff --git a/examples/best_practices/resources/resource_validate_disallow_default_serviceaccount.yaml b/examples/best_practices/resources/resource_validate_disallow_default_serviceaccount.yaml
new file mode 100644
index 0000000000..00897c4a36
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_disallow_default_serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-default-sa
+ labels:
+ app: pod-with-default-sa
+spec:
+ serviceAccountName: default
+ containers:
+ - name: nginx
+ image: nginx
\ No newline at end of file
diff --git a/pkg/policy/webhookregistration.go b/pkg/policy/webhookregistration.go
index 4883cfb8de..792581d24f 100644
--- a/pkg/policy/webhookregistration.go
+++ b/pkg/policy/webhookregistration.go
@@ -63,7 +63,6 @@ func hasMutateOrValidatePolicies(policies []*kyverno.ClusterPolicy) bool {
 func hasMutateOrValidate(policy kyverno.ClusterPolicy) bool {
 for _, rule := range policy.Spec.Rules {
 if !reflect.DeepEqual(rule.Mutation, kyverno.Mutation{}) || !reflect.DeepEqual(rule.Validation, kyverno.Validation{}) {
- glog.Infoln(rule.Name)
 return true
 }
 }
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index cbc06f85ad..71491a0faa 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -107,3 +107,7 @@ func Test_validate_namespace_quota(t *testing.T) {
 func Test_validate_disallow_node_port(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_disallow_node_port.yaml")
 }
+
+func Test_validate_disallow_default_serviceaccount(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_disallow_default_serviceaccount.yaml")
+}
diff --git a/test/scenarios/test/scenario_validate_disallow_default_serviceaccount.yaml b/test/scenarios/test/scenario_validate_disallow_default_serviceaccount.yaml
new file mode 100644
index 0000000000..41729d8222
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_disallow_default_serviceaccount.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_disallow_default_serviceaccount.yaml
+ resource: examples/best_practices/resources/resource_validate_disallow_default_serviceaccount.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-disallow-default-serviceaccount
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: pod-with-default-sa
+ rules:
+ - name: prevent-mounting-default-serviceaccount
+ type: Validation
+ message: Validation rule 'prevent-mounting-default-serviceaccount' failed at '/spec/serviceAccountName/' for resource Pod//pod-with-default-sa. Prevent mounting of default service account.
+ success: false
\ No newline at end of file