Restrict Automount SA Token
Description
Kubernetes automatically mounts ServiceAccount credentials in each Pod. The ServiceAccount may be assigned roles allowing Pods to access API resources. Blocking this ability is an extension of the least privilege best practice and should be followed if Pods do not need to speak to the API server to function. This policy ensures that mounting of these ServiceAccount tokens is blocked.
Kyverno Policy
Refer to the Nirmata curated policies - restrict-automount-sa-token.
Resource Example
Below is an example of a Deployment resource that has automountServiceAccountToken set to false.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: busybox
  name: gooddeployment01
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox
  strategy: {}
  template:
    metadata:
      labels:
        app: busybox
    spec:
      automountServiceAccountToken: false
      containers:
      - name: busybox
        image: busybox:1.35
Below is another example of a CronJob resource enforcing this policy.

apiVersion: batch/v1
kind: CronJob
metadata:
  labels:
  name: goodcronjob01
spec:
  schedule: "* * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: busybox
            image: busybox:1.35
          automountServiceAccountToken: false
          restartPolicy: OnFailure
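The two manifests above place automountServiceAccountToken at different depths (spec.template.spec for a Deployment, spec.jobTemplate.spec.template.spec for a CronJob). The following added example, which is not part of this page or of the Kyverno policy, walks to the Pod spec of each workload kind and reports a violation when the field is not explicitly false; the sample manifests are constructed dict literals standing in for parsed YAML, and an unset field is treated as a violation because the Pod then inherits the ServiceAccount's setting, which defaults to mounting the token.

```python
# Added example (not from the page or Kyverno): walk to the Pod spec of a
# workload and report whether automountServiceAccountToken is explicitly false.

# Location of the Pod spec inside each workload kind (standard Kubernetes layout).
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec_of(resource):
    """Return the Pod spec dict of a workload, or None if the kind is not covered."""
    path = POD_SPEC_PATHS.get(resource.get("kind"))
    if path is None:
        return None
    node = resource
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else {}


def automount_violations(resource):
    """Return a list of violation messages; an empty list means compliant.
    An unset field counts as a violation: the Pod then inherits the
    ServiceAccount's setting, which defaults to mounting the token."""
    spec = pod_spec_of(resource)
    if spec is None:
        return []  # not a workload kind, so the policy does not apply
    ident = f"{resource['kind']}/{resource.get('metadata', {}).get('name', '<unnamed>')}"
    value = spec.get("automountServiceAccountToken")
    if value is False:
        return []
    if value is None:
        return [f"{ident}: automountServiceAccountToken is unset (inherits ServiceAccount default)"]
    return [f"{ident}: automountServiceAccountToken is {value!r}, expected false"]


# Constructed sample manifests as parsed YAML; the first mirrors the Deployment above.
GOOD_DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment",
                   "metadata": {"name": "gooddeployment01"},
                   "spec": {"template": {"spec": {"automountServiceAccountToken": False,
                            "containers": [{"name": "busybox", "image": "busybox:1.35"}]}}}}
BAD_CRONJOB = {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "badcronjob01"},
               "spec": {"schedule": "* * * * *", "jobTemplate": {"spec": {"template": {"spec": {
                   "containers": [{"name": "busybox", "image": "busybox:1.35"}]}}}}}}
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "badpod01"},
           "spec": {"automountServiceAccountToken": True, "containers": []}}
```

Feeding a manifest parsed with a YAML library into automount_violations gives the same result; a kind outside POD_SPEC_PATHS (for example a ConfigMap) is reported as not applicable rather than compliant or violating.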