Disable Automount SA Token
Description
A new ServiceAccount called `default` is created whenever a new Namespace is created. Pods spawned in that Namespace, unless otherwise set, will be assigned this ServiceAccount. This policy mutates any new `default` ServiceAccount to disable auto-mounting of its token into Pods, obviating the need to do so individually.
Kyverno Policy
Refer to the Nirmata curated policies - disable-automount-sa-token.
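As an added illustration (not the Nirmata curated policy linked above), a Kyverno ClusterPolicy that performs this mutation might look like the following; the policy and rule names are assumptions:

```yaml
# Added example, not the Nirmata curated policy: mutate every new
# ServiceAccount named "default" so its token is not auto-mounted.
# Policy and rule names are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disable-automount-sa-token
spec:
  rules:
    - name: disable-automount-default-sa
      match:
        any:
          - resources:
              kinds:
                - ServiceAccount
              names:
                - default
      mutate:
        patchStrategicMerge:
          automountServiceAccountToken: false
```

Note that a Pod can still set `automountServiceAccountToken: true` in its own spec, which overrides the ServiceAccount setting; if that must be prevented, pair this mutation with a validate rule on Pods.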
Resource Example
Below is an example of a ServiceAccount resource that satisfies this policy, where `automountServiceAccountToken` is set to `false`.
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
  name: default
  namespace: disable-satokenmount-ns