mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-15 17:51:20 +00:00
27 lines
831 B
YAML
27 lines
831 B
YAML
---
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
annotations:
|
|
policies.kyverno.io/category: Security
|
|
policies.kyverno.io/description: Kubernetes automatically mounts service account
|
|
credentials in each pod. The service account may be assigned roles allowing
|
|
pods to access API resources. To restrict access, opt out of auto-mounting tokens
|
|
by setting automountServiceAccountToken to false.
|
|
name: restrict-automount-sa-token
|
|
spec:
|
|
admission: true
|
|
background: true
|
|
rules:
|
|
- match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Pod
|
|
name: validate-automountServiceAccountToken
|
|
validate:
|
|
message: Auto-mounting of Service Account tokens is not allowed
|
|
pattern:
|
|
spec:
|
|
automountServiceAccountToken: false
|
|
validationFailureAction: Audit
|