Disable Automount SA Token

Description

A new ServiceAccount called default is created whenever a new Namespace is created. Pods spawned in that Namespace are assigned this ServiceAccount unless they specify another one, and by default the ServiceAccount's API token is mounted into every container in the Pod, giving that code a credential for the Kubernetes API whether or not it needs one. This policy mutates any newly created default ServiceAccount to set automountServiceAccountToken to false, disabling auto-mounting of the token into Pods and obviating the need to do so on each Pod individually. Because the rule acts on new ServiceAccounts, default ServiceAccounts that already existed before the policy was installed are not changed by it. Note also that a Pod can still opt back in by setting automountServiceAccountToken: true in its own spec, since the Pod-level field takes precedence over the ServiceAccount setting.

Kyverno Policy

Refer to the Nirmata curated policies - disable-automount-sa-token.
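As an added illustration, not the curated policy itself (refer to the link above for its exact content), the following is a Kyverno ClusterPolicy of the same shape: it matches ServiceAccounts named default and applies a strategic-merge patch that sets automountServiceAccountToken to false. The second YAML document is a Pod that explicitly opts back in, showing that a Pod spec can still override the ServiceAccount default, so the policy sets a safer baseline rather than a hard block. The Pod name, image and namespace in the second document are assumptions chosen for the example.

```yaml
# Added example, not the Nirmata curated policy verbatim: a ClusterPolicy
# of the same shape that mutates every newly created "default"
# ServiceAccount so that its token is not auto-mounted into Pods.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disable-automount-sa-token
spec:
  rules:
    - name: disable-automount-sa-token
      match:
        any:
          - resources:
              kinds:
                - ServiceAccount
              # Only the per-Namespace default ServiceAccount is targeted,
              # not ServiceAccounts created deliberately for workloads.
              names:
                - default
      mutate:
        patchStrategicMerge:
          # Merged into the ServiceAccount at admission time.
          automountServiceAccountToken: false
---
# Caveat: a Pod can still request the token explicitly. The Pod-level
# field takes precedence over the ServiceAccount setting, so this Pod
# gets a token mounted even though its ServiceAccount says false.
# (Pod name, namespace and image are assumed for the example.)
apiVersion: v1
kind: Pod
metadata:
  name: needs-api-access
  namespace: disable-satokenmount-ns
spec:
  serviceAccountName: default
  automountServiceAccountToken: true
  containers:
    - name: app
      image: registry.example/app:1.0
```

To verify the cluster state after installing the policy, list the ServiceAccounts where the field is still unset or true, for example with kubectl get serviceaccounts -A -o json piped through jq '.items[] | select(.automountServiceAccountToken != false) | .metadata.namespace + "/" + .metadata.name'. Pre-existing default ServiceAccounts will show up there until they are patched, and a Pod that sets automountServiceAccountToken: true, or that mounts a projected serviceAccountToken volume directly, still receives a token regardless of this policy.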

Resource Example

Below is an example of a ServiceAccount resource that complies with this policy, i.e. what the mutation produces for the default ServiceAccount in a new Namespace: automountServiceAccountToken is set to false.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: disable-satokenmount-ns
# Pods using this ServiceAccount do not get its token mounted
# unless their own spec sets automountServiceAccountToken: true
automountServiceAccountToken: false