Pods running with a ServiceAccount are presented with a volume containing the token, and with volume mounts for that volume in every container in the Pod. Applications that do not need to communicate with the Kubernetes API do not need a ServiceAccount, so limiting which Pods hold such credentials is important. Rather than, or in addition to, requiring that certain Pods disable mounting of a ServiceAccount token, it is possible to silently remove the token if it has been injected. This policy ensures that Pods which do not carry the label `corp.org/can-use-serviceaccount` and are consuming a ServiceAccount have the token volume and its mounts stripped away. It should be customized to restrict the scope of its operation, as it does not distinguish between an explicitly-defined ServiceAccount and the one provided by default.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: remove-serviceaccount-token
  annotations:
    policies.kyverno.io/title: Remove ServiceAccount Token
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod,ServiceAccount,Volume
    kyverno.io/kyverno-version: 1.10.0
    policies.kyverno.io/minversion: 1.10.0
    kyverno.io/kubernetes-version: "1.25"
    policies.kyverno.io/description: >-
      Pods running with a ServiceAccount are presented with a volume, containing the token,
      and volume mounts for all containers in the Pod. Applications that do not need to
      communicate with the Kubernetes API do not need a ServiceAccount and therefore limiting
      which Pods have access rights is important. Rather than, or in addition to, requiring
      that certain Pods disable mounting of a ServiceAccount, it is possible to silently remove
      this token if it has been presented. This policy ensures that Pods which do not have the
      label `corp.org/can-use-serviceaccount` and are consuming a ServiceAccount have that
      stripped away. It should be customized to restrict the scope of its operation as it will
      not distinguish between an explicitly-defined ServiceAccount or one provided by default.
spec:
  background: false
  rules:
  - name: remove-vol-volmount
    match:
      any:
      - resources:
          kinds:
          - Pod
          selector:
            matchExpressions:
            - key: corp.org/can-use-serviceaccount
              operator: DoesNotExist
    context:
    - name: tokenvolname
      variable:
        jmesPath: request.object.spec.volumes[?projected].name[?starts_with(@,'kube-api-access-')] | [0] || ''
        default: ""
    preconditions:
      all:
      - key: "{{ tokenvolname }}"
        operator: Equals
        value: "?*"
    mutate:
      foreach:
      - list: request.object.spec.volumes[]
        order: Descending
        preconditions:
          all:
          - key: projected
            operator: AnyIn
            value: "{{ element.keys(@) }}"
          - key: "{{ element.name }}"
            operator: Equals
            value: kube-api-access-*
        patchesJson6902: |-
          - path: /spec/volumes/{{elementIndex}}
            op: remove
      - list: request.object.spec.containers[]
        foreach:
        - list: element.volumeMounts
          order: Descending
          preconditions:
            all:
            - key: "{{element.name}}"
              operator: AnyIn
              value: "{{ tokenvolname }}"
          patchesJson6902: |-
            - path: /spec/containers/{{elementIndex0}}/volumeMounts/{{elementIndex1}}
              op: remove
```
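To see what the rule above actually does to a Pod before rolling it out, the following added example (not part of the Kyverno policy library) reproduces the rule's selection logic in plain Python: the label opt-out, the `tokenvolname` lookup, the descending-order volume removal and the per-container mount removal, emitting the same JSON Patch operations the policy would. The Pod, its label, volume name `kube-api-access-abc12` and function names are constructed for the example.

```python
import copy

LABEL = "corp.org/can-use-serviceaccount"  # opt-out label from the policy
PREFIX = "kube-api-access-"                 # prefix of the injected projected token volume

def token_volume_name(pod):  # the policy's tokenvolname context variable, '' if absent
    for vol in pod["spec"].get("volumes", []):
        if "projected" in vol and vol["name"].startswith(PREFIX):
            return vol["name"]
    return ""

def build_patches(pod):  # JSON Patch ops the policy would emit, [] if it would not match
    if LABEL in pod.get("metadata", {}).get("labels", {}):
        return []  # selector: label must not exist
    name = token_volume_name(pod)
    if not name:
        return []  # precondition: a token volume is present
    spec, patches = pod["spec"], []
    # Descending order, as in the policy, so each removal leaves lower indices valid.
    for i in reversed(range(len(spec.get("volumes", [])))):
        vol = spec["volumes"][i]
        if "projected" in vol and vol["name"].startswith(PREFIX):
            patches.append({"op": "remove", "path": f"/spec/volumes/{i}"})
    for ci, ctr in enumerate(spec.get("containers", [])):
        mounts = ctr.get("volumeMounts", [])
        for mi in reversed(range(len(mounts))):
            if mounts[mi]["name"] == name:
                patches.append({"op": "remove",
                                "path": f"/spec/containers/{ci}/volumeMounts/{mi}"})
    return patches

def apply_patches(pod, patches):  # apply 'remove' ops (the only kind emitted) to a copy
    out = copy.deepcopy(pod)
    for p in patches:
        *parents, last = p["path"].strip("/").split("/")
        node = out
        for key in parents:
            node = node[int(key)] if isinstance(node, list) else node[key]
        del node[int(last)]
    return out

TOKEN_MOUNT = {"name": "kube-api-access-abc12", "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}
SAMPLE_POD = {  # constructed sample: the injected token volume mounted in two containers
    "metadata": {"name": "demo", "labels": {"app": "demo"}},
    "spec": {
        "volumes": [{"name": "data", "emptyDir": {}}, {"name": "kube-api-access-abc12", "projected": {"sources": []}}],
        "containers": [
            {"name": "app", "volumeMounts": [{"name": "data", "mountPath": "/data"}, TOKEN_MOUNT]},
            {"name": "sidecar", "volumeMounts": [TOKEN_MOUNT]}]}}
```

Running `build_patches(SAMPLE_POD)` yields three remove operations, and applying them leaves only the `data` volume and mount; a Pod carrying the opt-out label yields no patches at all.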
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
CAST AI will not downscale a node that includes a pod carrying the autoscaling.cast.ai/removal-disabled="true" label. This protects sensitive workloads from being evicted, and the label can be applied to any pod to guard against unwanted downscaling. This policy mutates Jobs and CronJobs to add the removal-disabled label so their pods are protected from eviction.