Disable automountServiceAccountToken
A new ServiceAccount called `default` is created whenever a new Namespace is created. Pods spawned in that Namespace, unless otherwise set, are assigned this ServiceAccount and, by default, get its API token mounted at `/var/run/secrets/kubernetes.io/serviceaccount`, a credential most workloads never use and that an attacker who compromises the container can replay against the API server. This policy mutates any new `default` ServiceAccount to set `automountServiceAccountToken: false`, so the token is no longer mounted and there is no need to disable it on every Pod individually. Two caveats: the mutation is applied at admission, so `default` ServiceAccounts that already existed when the policy was installed are not changed until they are next created or updated; and a Pod that genuinely needs the token can still opt back in by setting `automountServiceAccountToken: true` in its own spec, which takes precedence over the ServiceAccount setting.
Policy Definition
/other/disable-automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disable-automountserviceaccounttoken
  annotations:
    policies.kyverno.io/title: Disable automountServiceAccountToken
    policies.kyverno.io/category: Other, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: ServiceAccount
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.21"
    policies.kyverno.io/description: >-
      A new ServiceAccount called `default` is created whenever a new Namespace is created.
      Pods spawned in that Namespace, unless otherwise set, will be assigned this ServiceAccount.
      This policy mutates any new `default` ServiceAccounts to disable auto-mounting of the token
      into Pods obviating the need to do so individually.
spec:
  rules:
  - name: disable-automountserviceaccounttoken
    match:
      any:
      - resources:
          kinds:
          - ServiceAccount
          names:
          - default
    mutate:
      patchStrategicMerge:
        automountServiceAccountToken: false
```