apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-default-sa
spec:
  validationFailureAction: Audit
  rules:
  - match:
      any:
        - resources:
            kinds:
            - Pod
    name: disallow-default-sa
    validate:
      message: default ServiceAccount should not be used
      assert:
        object:
          spec:
            (serviceAccountName == 'default'): false
status:
  conditions:
  - reason: Succeeded
    status: "True"
    type: Ready
  autogen:
    rules:
    - match:
        any:
        - resources:
            kinds:
            - Deployment
      name: autogen-disallow-default-sa
      validate:
        message: default ServiceAccount should not be used
        assert:
          object:
            spec:
              template:
                spec:
                  (serviceAccountName == 'default'): false
    - match:
        any:
        - resources:
            kinds:
            - CronJob
      name: autogen-cronjob-disallow-default-sa
      validate:
        message: default ServiceAccount should not be used
        assert:
          object:
            spec:
              jobTemplate:
                spec:
                  template:
                    spec:
                      (serviceAccountName == 'default'): false