diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go index d1f968eb39..e5769b4aa2 100644 --- a/pkg/testrunner/testrunner_test.go +++ b/pkg/testrunner/testrunner_test.go @@ -36,8 +36,8 @@ func Test_validate_require_image_tag_not_latest_pass(t *testing.T) { testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml") } -func Test_validate_disallow_automoutingapicred_pass(t *testing.T) { - testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml") +func Test_validate_restrict_automount_sa_token_pass(t *testing.T) { + testScenario(t, "test/scenarios/samples/best_practices/restrict_automount_sa_token.yaml") } func Test_validate_disallow_default_namespace(t *testing.T) { diff --git a/samples/DisallowAutomountSACredentials.md b/samples/DisallowAutomountSACredentials.md deleted file mode 100644 index a9de50a554..0000000000 --- a/samples/DisallowAutomountSACredentials.md +++ /dev/null @@ -1,30 +0,0 @@ -# Disallow automount of Service Account credentials - -Kubernetes automounts default service account credentials in each pod. To restrict access, opt out of automounting credentials by setting `automountServiceAccountToken` to `false`. - -## Policy YAML - -[disallow_automountingapicred.yaml](best_practices/disallow_automountingapicred.yaml) - -````yaml -apiVersion : kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: validate-disallow-automoutingapicred -spec: - rules: - - name: disallow-automoutingapicred - match: - resources: - kinds: - - Pod - validate: - message: "Deny automounting API credentials" - pattern: - spec: - =(serviceAccountName): "*" - automountServiceAccountToken: false -```` - - - diff --git a/samples/RestrictAutomountSAToken.md b/samples/RestrictAutomountSAToken.md new file mode 100644 index 0000000000..45211b5877 --- /dev/null +++ b/samples/RestrictAutomountSAToken.md 
@@ -0,0 +1,29 @@
+# Restrict auto-mount of Service Account tokens
+
+Kubernetes automatically mounts service account credentials in each pod. The service account may be assigned roles allowing pods to access API resources. To restrict access, opt out of auto-mounting tokens by setting `automountServiceAccountToken` to `false`.
+
+## Policy YAML
+
+[restrict_automount_sa_token.yaml](best_practices/restrict_automount_sa_token.yaml)
+
+````yaml
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: restrict-automount-sa-token
+spec:
+ rules:
+ - name: validate-automountServiceAccountToken
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Deny automounting API credentials"
+ pattern:
+ spec:
+ automountServiceAccountToken: false
+````
+
+
+
diff --git a/samples/best_practices/disallow_automountingapicred.yaml b/samples/best_practices/disallow_automountingapicred.yaml
deleted file mode 100644
index f66eb3912d..0000000000
--- a/samples/best_practices/disallow_automountingapicred.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
- name: validate-disallow-automoutingapicred
- annotations:
- policies.kyverno.io/category: API Server Access Control
- policies.kyverno.io/description: Kubernetes automounts default service account credentials in each pod.
- To restrict access, opt out of automounting credentials by setting 'automountServiceAccountToken' to 'false'.
-spec:
- rules:
- - name: disallow-automoutingapicred
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: "Deny automounting API credentials"
- pattern:
- spec:
- =(serviceAccountName): "*"
- automountServiceAccountToken: false
\ No newline at end of file
diff --git a/samples/best_practices/restrict_automount_sa_token.yaml b/samples/best_practices/restrict_automount_sa_token.yaml
new file mode 100644
index 0000000000..6e0d3b6123
--- /dev/null
+++ b/samples/best_practices/restrict_automount_sa_token.yaml
@@ -0,0 +1,22 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: restrict-automount-sa-token
+ annotations:
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/description: Kubernetes automatically mounts service account
+ credentials in each pod. The service account may be assigned roles allowing pods
+ to access API resources. To restrict access, opt out of auto-mounting tokens by
+ setting automountServiceAccountToken to false.
+spec:
+ rules:
+ - name: validate-automountServiceAccountToken
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Auto-mounting of Service Account tokens is not allowed"
+ pattern:
+ spec:
+ automountServiceAccountToken: false
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml b/test/scenarios/samples/best_practices/restrict_automount_sa_token.yaml
similarity index 57%
rename from test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml
rename to test/scenarios/samples/best_practices/restrict_automount_sa_token.yaml
index 54031d382f..ee82f8efb1 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml
+++ b/test/scenarios/samples/best_practices/restrict_automount_sa_token.yaml
@@ -1,18 +1,17 @@
 # file path relative to project root
 input:
- policy: samples/best_practices/disallow_automountingapicred.yaml
+ policy: samples/best_practices/restrict_automount_sa_token.yaml
 resource: test/resources/disallow_automountingapicred.yaml
 expected:
 validation:
 policyresponse:
- policy: validate-disallow-automoutingapicred
+ policy: restrict-automount-sa-token
 resource:
 kind: Pod
 apiVersion: v1
 namespace: ''
 name: myapp-pod
 rules:
- - name: disallow-automoutingapicred
+ - name: validate-automountServiceAccountToken
 type: Validation
- message: Validation rule 'disallow-automoutingapicred' succeeded.
 success: true
\ No newline at end of file
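Review bot: The pattern `automountServiceAccountToken: false` under `spec` requires the field to be present on every matched Pod, so a Pod that leaves it unset but runs under a ServiceAccount whose own `automountServiceAccountToken` is `false` (which Kubernetes also honours, with the pod-level field taking precedence) is still denied; if that fail-closed behaviour is the intent, the sample should say so. Suggest extending the `policies.kyverno.io/description` annotation with a sentence such as `Pods must set automountServiceAccountToken to false explicitly; an opt-out on the ServiceAccount alone does not satisfy this rule.` The rule matches `Pod` only, so for workloads created through a controller the denial presumably surfaces on the controller-created pod rather than on the parent resource; worth stating in the sample if that is how this release behaves. The file is also written without a trailing newline.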
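Review bot: The `message:` line under `rules` is dropped rather than updated, so the scenario no longer asserts the rule's success message where the previous fixture did; if the runner compares `message` when it is present, keeping `message: Validation rule 'validate-automountServiceAccountToken' succeeded.` preserves that check. The referenced resource file `test/resources/disallow_automountingapicred.yaml` still carries the retired policy name while every other artifact in this commit was renamed, which is presumably deliberate but leaves one stale reference to the old name.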