Restrict Auto-Mount of Service Account Tokens in Service Account
By default, Kubernetes mounts a ServiceAccount's API token into every Pod that runs under that ServiceAccount. The ServiceAccount may be bound to roles that let those Pods read or modify API resources, so an unneeded token is standing credential for anything that compromises the Pod. Blocking the automatic mount is an extension of the least privilege best practice and should be followed whenever Pods do not need to talk to the API server to function. This policy audits ServiceAccounts and requires that automountServiceAccountToken is explicitly set to false.
Policy Definition
/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-sa-automount-sa-token
  annotations:
    policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens in Service Account
    policies.kyverno.io/category: Security
    kyverno.io/kyverno-version: 1.11.1
    kyverno.io/kubernetes-version: "1.27"
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Secret,ServiceAccount
    policies.kyverno.io/description: >-
      Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount.
      The ServiceAccount may be assigned roles allowing Pods to access API resources.
      Blocking this ability is an extension of the least privilege best practice and should
      be followed if Pods do not need to speak to the API server to function.
      This policy ensures that mounting of these ServiceAccount tokens is blocked.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: validate-sa-automountServiceAccountToken
      match:
        any:
          - resources:
              kinds:
                - ServiceAccount
      validate:
        message: "ServiceAccounts must set automountServiceAccountToken to false."
        pattern:
          automountServiceAccountToken: false
```
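The following is an added example, not part of the Kyverno policy or project: a small Python audit that applies the same check as the rule above (the field must be present and exactly false, so a ServiceAccount that simply omits it fails, matching Kyverno pattern semantics and the Kubernetes default of true), and that also shows why this policy only sets a default: a Pod's own automountServiceAccountToken field takes precedence over the ServiceAccount's, so a Pod can still opt back in. All objects below are constructed samples shaped like kubectl JSON output.

```python
"""Audit which ServiceAccounts, and which Pods using them, will receive an API token."""

# Constructed sample objects (not real cluster output), shaped like `kubectl get ... -o json` items.
SERVICE_ACCOUNTS = [
    {"metadata": {"namespace": "default", "name": "default"}},  # field absent -> Kubernetes default true
    {"metadata": {"namespace": "app", "name": "worker"}, "automountServiceAccountToken": False},
    {"metadata": {"namespace": "app", "name": "api-client"}, "automountServiceAccountToken": True},
]

PODS = [
    # Uses SA "worker" (no automount) but opts back in at Pod level: the Pod field wins.
    {"metadata": {"namespace": "app", "name": "opt-in"},
     "spec": {"serviceAccountName": "worker", "automountServiceAccountToken": True}},
    # No Pod-level field: inherits the ServiceAccount setting (false).
    {"metadata": {"namespace": "app", "name": "quiet"},
     "spec": {"serviceAccountName": "worker"}},
    # No serviceAccountName: runs under the namespace "default" SA, which mounts by default.
    {"metadata": {"namespace": "default", "name": "legacy"}, "spec": {}},
]


def noncompliant_service_accounts(sas):
    """Mirror the policy's pattern: pass only when the field is present and exactly false."""
    return [f"{sa['metadata']['namespace']}/{sa['metadata']['name']}"
            for sa in sas if sa.get("automountServiceAccountToken") is not False]


def pod_mounts_token(pod, sas):
    """Pod-level field takes precedence; otherwise the ServiceAccount's; otherwise true."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    ns = pod["metadata"]["namespace"]
    sa_name = spec.get("serviceAccountName", "default")
    for sa in sas:
        if sa["metadata"]["namespace"] == ns and sa["metadata"]["name"] == sa_name:
            return bool(sa.get("automountServiceAccountToken", True))
    return True  # ServiceAccount not in our list: assume the Kubernetes default


def pods_with_token(pods, sas):
    """Names of Pods that end up with a token mounted despite the SA-level policy."""
    return [f"{p['metadata']['namespace']}/{p['metadata']['name']}"
            for p in pods if pod_mounts_token(p, sas)]


if __name__ == "__main__":
    print("ServiceAccounts the policy would flag:", noncompliant_service_accounts(SERVICE_ACCOUNTS))
    print("Pods that still receive a token:", pods_with_token(PODS, SERVICE_ACCOUNTS))
```

Pods that opt in at the Pod level are outside this policy's scope; a companion rule matching Pods (or the Pod-level variant of this policy) is needed to catch them.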