Before version 1.24, Kubernetes automatically generated Secret-based tokens for ServiceAccounts. To distinguish between automatically generated tokens and manually created ones, Kubernetes checks for a reference from the ServiceAccount's secrets field. If the Secret is referenced in the secrets field, it is considered an auto-generated legacy token. These legacy tokens can be a security concern and should be audited.
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: check-serviceaccount-secrets
  annotations:
    policies.kyverno.io/title: Check Long-Lived Secrets in ServiceAccounts in ValidatingPolicy
    policies.kyverno.io/category: Security in vpol
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.14.0
    kyverno.io/kubernetes-version: "1.30"
    policies.kyverno.io/subject: Secret,ServiceAccount
    policies.kyverno.io/description: >-
      Before version 1.24, Kubernetes automatically generated Secret-based tokens for
      ServiceAccounts. To distinguish between automatically generated tokens and manually
      created ones, Kubernetes checks for a reference from the ServiceAccount's secrets field.
      If the Secret is referenced in the secrets field, it is considered an auto-generated
      legacy token. These legacy Tokens can be of security concern and should be audited.
spec:
  validationActions:
    - Audit
  evaluation:
    background:
      enabled: true
  matchConstraints:
    resourceRules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - serviceaccounts
  validations:
    - expression: "!has(object.secrets)"
      message: Long-lived API tokens are not allowed.
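The following is an added example, not code from the Kyverno policy library: it applies the same test as the policy's CEL expression (`!has(object.secrets)` fails whenever the `secrets` field is present) to exported ServiceAccount and Secret manifests, and additionally resolves each referenced Secret so a reviewer can confirm it is a long-lived `kubernetes.io/service-account-token`. The manifests below are constructed sample input.

```python
"""Offline audit mirroring the check-serviceaccount-secrets policy (added example)."""

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"


def violates_policy(service_account: dict) -> bool:
    """True when the policy's validation `!has(object.secrets)` would fail,
    i.e. when the ServiceAccount carries a `secrets` field at all."""
    return "secrets" in service_account


def audit_service_accounts(service_accounts: list, secrets: list) -> list:
    """Return one finding per Secret referenced from a ServiceAccount's `secrets` field.

    Each finding records the Secret's type and whether it is a legacy
    auto-generated token, so the reviewer knows which ones to rotate or delete."""
    by_key = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    findings = []
    for sa in service_accounts:
        if not violates_policy(sa):
            continue
        ns, name = sa["metadata"]["namespace"], sa["metadata"]["name"]
        for ref in sa["secrets"]:
            secret = by_key.get((ns, ref["name"]))  # Secret may already be gone
            findings.append({
                "serviceaccount": f"{ns}/{name}",
                "secret": ref["name"],
                "type": secret["type"] if secret else "missing",
                "legacy_token": secret is not None and secret["type"] == SA_TOKEN_TYPE,
            })
    return findings


# Constructed sample manifests: one SA still referencing a legacy token, one clean.
SAMPLE_SERVICE_ACCOUNTS = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"namespace": "payments", "name": "api"},
     "secrets": [{"name": "api-token-abc12"}]},
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"namespace": "payments", "name": "worker"}},
]
SAMPLE_SECRETS = [
    {"apiVersion": "v1", "kind": "Secret", "type": SA_TOKEN_TYPE,
     "metadata": {"namespace": "payments", "name": "api-token-abc12",
                  "annotations": {"kubernetes.io/service-account.name": "api"}},
     "data": {"token": "PLACEHOLDER"}},  # constructed, not a real token
]

if __name__ == "__main__":
    for f in audit_service_accounts(SAMPLE_SERVICE_ACCOUNTS, SAMPLE_SECRETS):
        print(f)
```

Because the policy runs with `validationActions: [Audit]` and background scanning enabled, it reports rather than blocks, so existing ServiceAccounts are surfaced in policy reports; this script gives the same list from manifests exported with `kubectl get serviceaccounts,secrets -A -o json`.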
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
This policy prevents updates to the project field after an Application is created.