From c986ac9734dc5c34e7954386e37cc0f44c60190a Mon Sep 17 00:00:00 2001
From: Vyom-Yadav
Date: Fri, 31 Mar 2023 11:09:53 +0530
Subject: [PATCH] Modify policy template schema for Kyverno policies and add SA token policy
Signed-off-by: Vyom-Yadav
---
 ...verno-automount-service-account-token.yaml | 25 +++++++++++++++++++
 generic/kyverno/metadata.yaml | 15 +++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 generic/kyverno/kyverno-automount-service-account-token.yaml
 create mode 100644 generic/kyverno/metadata.yaml
diff --git a/generic/kyverno/kyverno-automount-service-account-token.yaml b/generic/kyverno/kyverno-automount-service-account-token.yaml
new file mode 100644
index 00000000..fa54f80c
--- /dev/null
+++ b/generic/kyverno/kyverno-automount-service-account-token.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: restrict-automount-sa-token
+ namespace: default
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-automountServiceAccountToken
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: NotEquals
+ value: DELETE
+ validate:
+ message: "Auto-mounting of Service Account tokens is not allowed."
+ pattern:
+ spec:
+ automountServiceAccountToken: "false"
diff --git a/generic/kyverno/metadata.yaml b/generic/kyverno/metadata.yaml
new file mode 100644
index 00000000..6486db11
--- /dev/null
+++ b/generic/kyverno/metadata.yaml
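Review bot: `kind: Policy` together with `metadata.namespace: default` scopes this rule to Pods in the default namespace only, so Pods in every other namespace that automount a token are never evaluated; if the template is meant to cover the whole cluster, `kind: ClusterPolicy` with the `namespace: default` line removed is the matching form (the kyverno.io policy referenced in metadata.yaml appears to be cluster-scoped). `validationFailureAction: Audit` also means a non-compliant Pod is still admitted and only reported, which may be the intended default for a template but deserves a comment such as `# Audit only reports violations; set Enforce to block admission`. The `pattern` requires `spec.automountServiceAccountToken` to be literally present as `"false"`, so a Pod that omits the field while its ServiceAccount already disables automounting would, as far as the pattern shows, still be reported — worth stating in the policy description so operators know where to expect false positives.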
@@ -0,0 +1,15 @@
+version: v0.1.9
+policyRules:
+ - name: restrict-automount-sa-token
+ description:
+ refs:
+ - name: Restrict Mounting Service Account Token
+ url:
+ - https://kyverno.io/policies/other/restrict_automount_sa_token/restrict_automount_sa_token/
+ tldr: Don't mount service account token when it is not needed
+ detailed: If the Service Account Token is not used by a pod, then it should not be
+ automounted. Service account token provide access to the kubeapi-server which potentially
+ increases the surface area of attack.
+ kyvernoPolicyTags:
+ - "AUTOMOUNT_SERVICE_ACCOUNT"
+ yaml: kyverno-automount-service-account-token.yaml
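Review bot: The `detailed` value is a plain scalar continued across three lines, so it depends on YAML's implicit line folding and a reader has to count indentation to see where the value ends; writing it as `detailed: >-` with the same three lines indented one level deeper yields the identical folded string and makes the intent explicit. While touching it, `Service account token provide access` should read `Service account tokens provide access`, and `surface area of attack` is conventionally `attack surface`. The `description` text could also state the policy's actual scope (Audit mode, Pods in the policy's namespace), since the tldr currently implies a blanket restriction.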