Skip to content

Commit

Permalink
Merge pull request #1037 from Vyom-Yadav/tempRelease
Browse files Browse the repository at this point in the history
Modify policy template schema for Kyverno policies
  • Loading branch information
nyrahul authored Apr 5, 2023
2 parents 9391b57 + c986ac9 commit 33d4c08
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 0 deletions.
25 changes: 25 additions & 0 deletions generic/kyverno/kyverno-automount-service-account-token.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: restrict-automount-sa-token
namespace: default
spec:
validationFailureAction: Audit
background: true
rules:
- name: validate-automountServiceAccountToken
match:
any:
- resources:
kinds:
- Pod
preconditions:
all:
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
validate:
message: "Auto-mounting of Service Account tokens is not allowed."
pattern:
spec:
automountServiceAccountToken: "false"
15 changes: 15 additions & 0 deletions generic/kyverno/metadata.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
version: v0.1.9
policyRules:
- name: restrict-automount-sa-token
description:
refs:
- name: Restrict Mounting Service Account Token
url:
- https://kyverno.io/policies/other/restrict_automount_sa_token/restrict_automount_sa_token/
tldr: Don't mount service account token when it is not needed
detailed: If the Service Account Token is not used by a pod, then it should not be
automounted. Service account token provide access to the kubeapi-server which potentially
increases the surface area of attack.
kyvernoPolicyTags:
- "AUTOMOUNT_SERVICE_ACCOUNT"
yaml: kyverno-automount-service-account-token.yaml

0 comments on commit 33d4c08

Please sign in to comment.