mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/samples/RestrictAutomountSAToken.md
2019-11-10 21:57:20 -08:00
Restrict auto-mount of Service Account tokens

Kubernetes automatically mounts service account credentials in each pod. The service account may be assigned roles allowing pods to access API resources. To restrict access, opt out of auto-mounting tokens by setting automountServiceAccountToken to false.

Policy YAML

restrict_automount_sa_token.yaml

```yaml
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: restrict-automount-sa-token
spec:
  rules:
  - name: validate-automountServiceAccountToken
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Deny automounting API credentials"
      pattern:
        spec:
          automountServiceAccountToken: false
```
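To show how the `validate.pattern` above behaves on concrete Pods, here is an added Python example (not Kyverno's own code) that re-implements the subset of Kyverno pattern matching this policy relies on and applies it to three constructed Pod manifests. It assumes Kyverno's rule that a key present in the pattern but absent from the resource fails validation, so a Pod that simply omits the field is denied even though Kubernetes would mount the token by default.

```python
"""Minimal re-implementation of the Kyverno 'validate.pattern' check used by the
restrict-automount-sa-token policy, applied to constructed Pod manifests.
Example code added for illustration; not Kyverno's own implementation."""
from fnmatch import fnmatchcase

# The pattern from the policy above: spec.automountServiceAccountToken must be false.
PATTERN = {"spec": {"automountServiceAccountToken": False}}
MESSAGE = "Deny automounting API credentials"


def matches(resource, pattern):
    """Return True if `resource` satisfies `pattern` (subset of Kyverno semantics):
    every key in the pattern must exist in the resource with a matching value;
    strings are compared as Kyverno-style wildcards ('*', '?'), other scalars
    must have the same type and value (so 0 does not satisfy a `false` pattern)."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        return all(k in resource and matches(resource[k], v) for k, v in pattern.items())
    if isinstance(pattern, str) and isinstance(resource, str):
        return fnmatchcase(resource, pattern)
    return type(resource) is type(pattern) and resource == pattern


def validate(pod):
    """Return None when the Pod is admitted, or the policy message when denied."""
    return None if matches(pod, PATTERN) else MESSAGE


# Constructed sample Pods (not from the page).
POD_OPTED_OUT = {"apiVersion": "v1", "kind": "Pod",
                 "metadata": {"name": "no-token"},
                 "spec": {"automountServiceAccountToken": False,
                          "containers": [{"name": "app", "image": "nginx"}]}}
POD_EXPLICIT_TRUE = {"apiVersion": "v1", "kind": "Pod",
                     "metadata": {"name": "with-token"},
                     "spec": {"automountServiceAccountToken": True,
                              "containers": [{"name": "app", "image": "nginx"}]}}
# Field omitted: Kubernetes mounts the token by default (unless the ServiceAccount
# itself opts out), and a pattern key missing from the resource does not match,
# so this Pod is denied as well.
POD_DEFAULT = {"apiVersion": "v1", "kind": "Pod",
               "metadata": {"name": "default"},
               "spec": {"containers": [{"name": "app", "image": "nginx"}]}}

if __name__ == "__main__":
    for pod in (POD_OPTED_OUT, POD_EXPLICIT_TRUE, POD_DEFAULT):
        print(pod["metadata"]["name"], "->", validate(pod) or "admitted")
```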