---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: Kubernetes automatically mounts service account
      credentials in each pod. The service account may be assigned roles allowing
      pods to access API resources. To restrict access, opt out of auto-mounting tokens
      by setting automountServiceAccountToken to false.
  name: restrict-automount-sa-token
spec:
  admission: true
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: validate-automountServiceAccountToken
    validate:
      message: Auto-mounting of Service Account tokens is not allowed
      pattern:
        spec:
          automountServiceAccountToken: false
  validationFailureAction: Audit