update restrict_automount_sa_token

2025-04-15 16:56:56 +00:00 · 2019-11-10 21:57:20 -08:00 · 2019-11-10 21:57:20 -08:00 · dd4d091c23
commit dd4d091c23
parent 5b2fd96131
6 changed files with 56 additions and 57 deletions
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@ -36,8 +36,8 @@ func Test_validate_require_image_tag_not_latest_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml")
 }

-func Test_validate_disallow_automoutingapicred_pass(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml")
+func Test_validate_restrict_automount_sa_token_pass(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/restrict_automount_sa_token.yaml")
 }

 func Test_validate_disallow_default_namespace(t *testing.T) {
--- a/samples/DisallowAutomountSACredentials.md
+++ b/samples/DisallowAutomountSACredentials.md
@ -1,30 +0,0 @@
-# Disallow automount of Service Account credentials
-
-Kubernetes automounts default service account credentials in each pod. To restrict access, opt out of automounting credentials by setting `automountServiceAccountToken` to `false`.
-
-## Policy YAML 
-
-[disallow_automountingapicred.yaml](best_practices/disallow_automountingapicred.yaml) 
-
-````yaml
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-disallow-automoutingapicred
-spec:
-  rules:
-  - name: disallow-automoutingapicred
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Deny automounting API credentials"
-      pattern:
-        spec:
-          =(serviceAccountName): "*"
-          automountServiceAccountToken: false
-````
-
-
-
--- a/samples/RestrictAutomountSAToken.md
+++ b/samples/RestrictAutomountSAToken.md
@ -0,0 +1,29 @@
+# Restrict auto-mount of Service Account tokens
+
+Kubernetes automatically mounts service account credentials in each pod. The service account may be assigned roles allowing pods to access API resources. To restrict access, opt out of auto-mounting tokens by setting `automountServiceAccountToken` to `false`.
+
+## Policy YAML 
+
+[restrict_automount_sa_token.yaml](best_practices/restrict_automount_sa_token.yaml) 
+
+````yaml
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: restrict-automount-sa-token
+spec:
+  rules:
+  - name: validate-automountServiceAccountToken
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Deny automounting API credentials"
+      pattern:
+        spec:
+          automountServiceAccountToken: false
+````
+
+
+
--- a/samples/best_practices/disallow_automountingapicred.yaml
+++ b/samples/best_practices/disallow_automountingapicred.yaml
@ -1,21 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-disallow-automoutingapicred
-  annotations:
-    policies.kyverno.io/category: API Server Access Control
-    policies.kyverno.io/description: Kubernetes automounts default service account credentials in each pod. 
-      To restrict access, opt out of automounting credentials by setting 'automountServiceAccountToken' to 'false'.
-spec:
-  rules:
-  - name: disallow-automoutingapicred
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Deny automounting API credentials"
-      pattern:
-        spec:
-          =(serviceAccountName): "*"
-          automountServiceAccountToken: false
--- a/samples/best_practices/restrict_automount_sa_token.yaml
+++ b/samples/best_practices/restrict_automount_sa_token.yaml
@ -0,0 +1,22 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: restrict-automount-sa-token
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: Kubernetes automatically mounts service account 
+      credentials in each pod. The service account may be assigned roles allowing pods 
+      to access API resources. To restrict access, opt out of auto-mounting tokens by 
+      setting automountServiceAccountToken to false.
+spec:
+  rules:
+  - name: validate-automountServiceAccountToken
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Auto-mounting of Service Account tokens is not allowed"
+      pattern:
+        spec:
+          automountServiceAccountToken: false
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml
@ -1,18 +1,17 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/disallow_automountingapicred.yaml
+  policy: samples/best_practices/restrict_automount_sa_token.yaml
  resource: test/resources/disallow_automountingapicred.yaml
 expected:
  validation:
    policyresponse:
-      policy: validate-disallow-automoutingapicred
+      policy: restrict-automount-sa-token
      resource:
        kind: Pod
        apiVersion: v1
        namespace: ''
        name: myapp-pod
      rules:
-        - name: disallow-automoutingapicred
+        - name: validate-automountServiceAccountToken
          type: Validation
-          message: Validation rule 'disallow-automoutingapicred' succeeded.
          success: true