Check Long-Lived Secrets in ServiceAccounts

Before version 1.24, Kubernetes automatically generated Secret-based tokens for ServiceAccounts. To distinguish automatically generated tokens from manually created ones, Kubernetes checks for a reference from the ServiceAccount's secrets field: if the Secret is referenced there, it is considered an auto-generated legacy token. These legacy tokens can be a security concern and should be audited.

Policy Definition

/other/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-serviceaccount-secrets
  annotations:
    policies.kyverno.io/title: Check Long-Lived Secrets in ServiceAccounts
    policies.kyverno.io/category: Security
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.1
    kyverno.io/kubernetes-version: "1.27"
    policies.kyverno.io/subject: Secret,ServiceAccount
    policies.kyverno.io/description: >-
      Before version 1.24, Kubernetes automatically generated Secret-based tokens
      for ServiceAccounts. To distinguish between automatically generated tokens
      and manually created ones, Kubernetes checks for a reference from the
      ServiceAccount's secrets field. If the Secret is referenced in the secrets
      field, it is considered an auto-generated legacy token. These legacy Tokens can
      be of security concern and should be audited.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: deny-secrets
      match:
        any:
        - resources:
            kinds:
              - ServiceAccount
      validate:
        message: "Long-lived API tokens are not allowed."
        pattern:
          X(secrets):
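Added example, not part of the Kyverno policy or the policies repository: a Python audit of what the rule flags, run against a constructed list in the shape of `kubectl get sa,secrets -A -o json`. `violates_policy` mirrors the pattern (a ServiceAccount carrying a secrets field fails), `audit` cross-references each referenced Secret with its type, and `manually_created_tokens` shows the other side of the distinction, token Secrets bound only by annotation, which the policy does not flag. All names and namespaces are made up.

```python
import json
# Constructed sample in the shape of `kubectl get sa,secrets -A -o json` (one v1 List
# mixing both kinds); names, namespaces and the token suffix are made up.
SAMPLE_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "ServiceAccount", "metadata": {"name": "legacy-sa", "namespace": "apps"},
     "secrets": [{"name": "legacy-sa-token-abc12"}]},           # referenced -> legacy
    {"kind": "Secret", "type": "kubernetes.io/service-account-token",
     "metadata": {"name": "legacy-sa-token-abc12", "namespace": "apps",
                  "annotations": {"kubernetes.io/service-account.name": "legacy-sa"}}},
    {"kind": "ServiceAccount", "metadata": {"name": "manual-sa", "namespace": "apps"}},
    {"kind": "Secret", "type": "kubernetes.io/service-account-token",   # not referenced
     "metadata": {"name": "manual-sa-token", "namespace": "apps",
                  "annotations": {"kubernetes.io/service-account.name": "manual-sa"}}},
    {"kind": "ServiceAccount", "metadata": {"name": "clean-sa", "namespace": "apps"}},
]})


def violates_policy(sa):
    """Mirror the policy's pattern: a ServiceAccount fails when it has a `secrets` field."""
    return "secrets" in sa


def audit(list_json):
    """(namespace, serviceaccount, secret, secret_type) per Secret referenced from a
    ServiceAccount's `secrets` field; a dangling reference gets type None."""
    items = json.loads(list_json)["items"]
    secrets = {(s["metadata"]["namespace"], s["metadata"]["name"]): s
               for s in items if s["kind"] == "Secret"}
    findings = []
    for sa in (i for i in items if i["kind"] == "ServiceAccount" and violates_policy(i)):
        ns, name = sa["metadata"]["namespace"], sa["metadata"]["name"]
        for ref in sa["secrets"]:
            sec = secrets.get((ns, ref["name"]))
            findings.append((ns, name, ref["name"], sec["type"] if sec else None))
    return findings


def manually_created_tokens(list_json):
    """Token Secrets tied to a ServiceAccount only by annotation, not by its `secrets`
    field: by the distinction above these are manual, and the policy leaves them alone."""
    items = json.loads(list_json)["items"]
    referenced = {(i["metadata"]["namespace"], r["name"]) for i in items
                  if i["kind"] == "ServiceAccount" for r in i.get("secrets", [])}
    return [(s["metadata"]["namespace"], s["metadata"]["name"]) for s in items
            if s["kind"] == "Secret" and s.get("type") == "kubernetes.io/service-account-token"
            and "kubernetes.io/service-account.name" in s["metadata"].get("annotations", {})
            and (s["metadata"]["namespace"], s["metadata"]["name"]) not in referenced]


if __name__ == "__main__":
    for ns, sa, sec, stype in audit(SAMPLE_JSON):
        print(f"{ns}/{sa}: references {sec} ({stype}) -> legacy token, audit it")
```

Pipe real output of `kubectl get sa,secrets -A -o json` into `audit` to get the same findings the policy reports in Audit mode, with the referenced Secret's type alongside.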