mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 17:37:12 +00:00
5a0ce6bb67
* chore: bump chainsaw Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more template use Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * v0.2.10 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * go mod Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
37 lines
906 B
YAML
37 lines
906 B
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: disallow-default-sa
|
|
status:
|
|
autogen:
|
|
rules:
|
|
- match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Deployment
|
|
name: autogen-disallow-default-sa
|
|
validate:
|
|
message: default ServiceAccount should not be used
|
|
assert:
|
|
object:
|
|
spec:
|
|
template:
|
|
spec:
|
|
(serviceAccountName == 'default'): false
|
|
- match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- CronJob
|
|
name: autogen-cronjob-disallow-default-sa
|
|
validate:
|
|
message: default ServiceAccount should not be used
|
|
assert:
|
|
object:
|
|
spec:
|
|
jobTemplate:
|
|
spec:
|
|
template:
|
|
spec:
|
|
(serviceAccountName == 'default'): false
|