mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/samples/DisallowAutomountSACredentials.md
2019-10-23 14:45:27 -07:00

Disallow automount of Service Account credentials

Kubernetes automounts default service account credentials in each pod. To restrict access, opt out of automounting credentials by setting automountServiceAccountToken to false.

Policy YAML

disallow_automountingapicred.yaml

apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: validate-disallow-automoutingapicred
spec:
  rules:
  - name: disallow-automoutingapicred
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Deny automounting API credentials"
      pattern:
        spec:
          =(serviceAccountName): "*"
          automountServiceAccountToken: false
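
To find Pods that this rule would reject, the following added example (not part of the Kyverno sample) applies the same two checks to JSON shaped like `kubectl get pods -A -o json` output. The sample data and the names `check_pod` and `audit` are constructed for illustration; it assumes that a Pod omitting `automountServiceAccountToken` fails the pattern and that `=(serviceAccountName)` is only checked when the key is present.

```python
import json

# Constructed sample, shaped like `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "web", "name": "frontend"},
   "spec": {"serviceAccountName": "default",
            "automountServiceAccountToken": false}},
  {"metadata": {"namespace": "web", "name": "legacy"},
   "spec": {"containers": []}},
  {"metadata": {"namespace": "ops", "name": "operator"},
   "spec": {"serviceAccountName": "operator-sa",
            "automountServiceAccountToken": true}}
]}
""")


def check_pod(pod):
    """Return None if the Pod satisfies the pattern, else a reason string."""
    spec = pod.get("spec") or {}
    # =(serviceAccountName): "*"  -> validated only when the key is present
    # (assumption about the anchor's meaning, see lead-in).
    if "serviceAccountName" in spec and not isinstance(spec["serviceAccountName"], str):
        return "serviceAccountName is not a string"
    # automountServiceAccountToken: false -> must be present and literally false.
    value = spec.get("automountServiceAccountToken")
    if value is None:
        return "automountServiceAccountToken not set (token is mounted by default)"
    if value is not False:
        return "automountServiceAccountToken is %r, expected false" % (value,)
    return None


def audit(pod_list):
    """Return a list of (namespace/name, reason) for non-compliant Pods."""
    findings = []
    for pod in pod_list.get("items", []):
        reason = check_pod(pod)
        if reason:
            meta = pod.get("metadata", {})
            name = "%s/%s" % (meta.get("namespace", "default"), meta.get("name", "?"))
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print("FAIL %s: %s" % (name, reason))
```
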