Deny Secret Service Account Token Type in CEL expressions
Before version 1.24, Kubernetes automatically generated Secret-based tokens for ServiceAccounts. When creating a Secret, you can specify its type using the type field of the Secret resource. The type kubernetes.io/service-account-token is used for legacy ServiceAccount tokens. These legacy tokens can be of security concern and should be audited.
Policy Definition
/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-secret-service-account-token-type
  annotations:
    policies.kyverno.io/title: Deny Secret Service Account Token Type in CEL expressions
    policies.kyverno.io/category: Security in CEL
    kyverno.io/kubernetes-version: "1.26-1.27"
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Secret, ServiceAccount
    policies.kyverno.io/description: >-
      Before version 1.24, Kubernetes automatically generated Secret-based tokens
      for ServiceAccounts. When creating a Secret, you can specify its type using the
      type field of the Secret resource. The type kubernetes.io/service-account-token
      is used for legacy ServiceAccount tokens. These legacy tokens can
      be of security concern and should be audited.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: deny-secret-service-account-token-type
      match:
        any:
          - resources:
              kinds:
                - Secret
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            - expression: "object.type != 'kubernetes.io/service-account-token'"
              message: "Secret ServiceAccount token type is not allowed."
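The policy above only evaluates Secrets at admission time (or in background scans), so the audit it recommends also needs a look at what already exists. The following is an added example, not part of the Kyverno policy library: it applies the same test as the CEL expression to a Secret list in the shape returned by `kubectl get secrets -A -o json`, and reports each legacy token Secret together with the owning ServiceAccount named in its `kubernetes.io/service-account.name` annotation. The sample data is constructed.

```python
"""Offline audit of legacy ServiceAccount token Secrets.

Applies the same test as the policy's CEL expression
(object.type != 'kubernetes.io/service-account-token') to a Secret list
in the shape produced by `kubectl get secrets -A -o json`.
"""
import json

LEGACY_TOKEN_TYPE = "kubernetes.io/service-account-token"
# Annotation carried by Secrets of this type; it names the owning ServiceAccount.
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"
POLICY_MESSAGE = "Secret ServiceAccount token type is not allowed."


def violates_policy(secret: dict) -> bool:
    """Mirror of the CEL rule: True when the Secret is a legacy SA token."""
    # A Secret without an explicit type is treated as Opaque by the API server.
    return secret.get("type", "Opaque") == LEGACY_TOKEN_TYPE


def audit_secrets(secret_list: dict) -> list:
    """Return one finding per violating Secret, as the Audit action would report."""
    findings = []
    for item in secret_list.get("items", []):
        if not violates_policy(item):
            continue
        meta = item.get("metadata", {})
        findings.append({
            "namespace": meta.get("namespace", "default"),
            "name": meta.get("name", ""),
            "serviceAccount": meta.get("annotations", {}).get(SA_NAME_ANNOTATION, ""),
            "message": POLICY_MESSAGE,
        })
    return findings


# Constructed sample in `kubectl get secrets -A -o json` shape (not real cluster data).
SAMPLE_SECRET_LIST = json.loads("""
{"kind": "SecretList", "items": [
  {"metadata": {"namespace": "default", "name": "app-sa-token-abc12",
                "annotations": {"kubernetes.io/service-account.name": "app-sa"}},
   "type": "kubernetes.io/service-account-token", "data": {}},
  {"metadata": {"namespace": "default", "name": "db-credentials"},
   "type": "Opaque", "data": {}},
  {"metadata": {"namespace": "payments", "name": "ci-token"},
   "type": "kubernetes.io/service-account-token", "data": {}}
]}
""")

if __name__ == "__main__":
    for finding in audit_secrets(SAMPLE_SECRET_LIST):
        print(finding)
```

Feed it real output by piping `kubectl get secrets -A -o json` into `json.load` in place of the constructed sample.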