Restrict Automount SA Token

Description

Kubernetes automatically mounts ServiceAccount credentials in each Pod. The ServiceAccount may be assigned roles allowing Pods to access API resources. Blocking this ability is an extension of the least privilege best practice and should be followed if Pods do not need to speak to the API server to function. This policy ensures that mounting of these ServiceAccount tokens is blocked.

Kyverno Policy

Refer to the Nirmata curated policies - restrict-automount-sa-token.
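The following ClusterPolicy is an added illustration of how such a rule is expressed in Kyverno; it is modelled on the upstream Kyverno policy of the same name and is not the Nirmata curated policy itself, whose exact name, rule name, message and failure action may differ (those values here are assumptions). Kyverno matches the rule on Pods and auto-generates equivalent rules for Pod controllers (Deployment, StatefulSet, DaemonSet, Job, CronJob), which is why the resource examples on this page set the field inside the Pod template.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  # assumed name; the curated policy may use a different one
  name: restrict-automount-sa-token
  annotations:
    policies.kyverno.io/description: >-
      Block automatic mounting of ServiceAccount tokens. Pods that do not
      talk to the API server do not need a token (least privilege).
spec:
  # Enforce rejects non-compliant resources at admission time.
  # Start with Audit to measure impact via PolicyReports before blocking.
  validationFailureAction: Enforce
  # Also evaluate resources that already exist in the cluster.
  background: true
  rules:
  - name: validate-automountServiceAccountToken
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        Auto-mounting of ServiceAccount tokens is not allowed.
        Set spec.automountServiceAccountToken to false.
      # A pattern requires the key to be present with the given value;
      # a Pod that omits the field is rejected as well.
      pattern:
        spec:
          automountServiceAccountToken: "false"
```

Apply it with `kubectl apply -f`, or evaluate it offline against a manifest with `kyverno apply policy.yaml --resource deployment.yaml` before enabling Enforce. Two points to keep in mind: because the pattern requires the field to be present, a Pod that relies on its ServiceAccount having `automountServiceAccountToken: false` but omits the field itself still fails the rule; and the Pod-level field takes precedence over the ServiceAccount-level one, so an explicit `true` in a Pod spec re-enables mounting regardless of the ServiceAccount setting.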

Resource Example

Below is an example of a Deployment resource that sets automountServiceAccountToken to false in its Pod template.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: busybox
  name: gooddeployment01
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox
  strategy: {}
  template:
    metadata:
      labels:
        app: busybox
    spec:
      automountServiceAccountToken: false
      containers:
      - name: busybox
        image: busybox:1.35

Below is another example, a CronJob resource that complies with this policy by setting the same field in its Pod template.

apiVersion: batch/v1
kind: CronJob
metadata:
  name: goodcronjob01
spec:
  schedule: "* * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: busybox
            image: busybox:1.35
          automountServiceAccountToken: false
          restartPolicy: OnFailure