Restrict Auto-Mount of Service Account Tokens

Kubernetes automatically mounts service account credentials in each pod. The service account may be assigned roles allowing pods to access API resources. To restrict access, opt out of auto-mounting tokens by setting automountServiceAccountToken to false.

Policy Definition

/other/restrict_automount_sa_token.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-automount-sa-token
  annotations:
    policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens
    policies.kyverno.io/category: Sample
    policies.kyverno.io/description: >-
      Kubernetes automatically mounts service account credentials in each pod.
      The service account may be assigned roles allowing pods to access API resources.
      To restrict access, opt out of auto-mounting tokens by setting
      automountServiceAccountToken to false.
spec:
  rules:
  - name: validate-automountServiceAccountToken
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Auto-mounting of Service Account tokens is not allowed."
      pattern:
        spec:
          automountServiceAccountToken: false
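To see how the validate pattern above is evaluated, here is an added example (not Kyverno's own code) that reimplements the subset-match semantics of a `pattern` for plain key/value fields in Python and runs it over three constructed Pod manifests. It shows that a Pod which omits automountServiceAccountToken entirely is blocked as well, because a field listed in the pattern must be present in the resource.

```python
"""Offline check of the page's validate.pattern against sample Pod manifests.
Added example, not Kyverno's own code: it mirrors the subset-match semantics
of a Kyverno validate `pattern` for plain key/value fields and applies the
pattern from the policy above to three constructed Pod specs.
"""
from typing import Any, Tuple

# The pattern from the policy: the field must be present AND equal to false.
PATTERN = {"spec": {"automountServiceAccountToken": False}}
MESSAGE = "Auto-mounting of Service Account tokens is not allowed."

def matches_pattern(resource: Any, pattern: Any) -> bool:
    """Return True if `resource` satisfies `pattern`.
    A mapping in the pattern requires every listed key to exist in the
    resource with a matching value; keys absent from the pattern are ignored.
    Kyverno anchors, wildcards and operators are deliberately not implemented.
    """
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        return all(key in resource and matches_pattern(resource[key], sub)
                   for key, sub in pattern.items())
    return resource == pattern

def validate_pod(pod: dict) -> Tuple[bool, str]:
    """Evaluate one Pod against the policy; returns (allowed, message)."""
    if matches_pattern(pod, PATTERN):
        return True, ""
    return False, MESSAGE

def _pod(name: str, spec_extra: dict) -> dict:
    """Build a minimal constructed Pod manifest as a parsed dict (no YAML lib)."""
    spec = {"containers": [{"name": "app", "image": "example/app:1.0"}]}
    spec.update(spec_extra)
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}

# Constructed sample manifests covering the three cases a reviewer meets.
SAMPLE_PODS = {
    "explicit-false": _pod("explicit-false", {"automountServiceAccountToken": False}),
    "explicit-true": _pod("explicit-true", {"automountServiceAccountToken": True}),
    # Field omitted: Kubernetes falls back to the ServiceAccount's setting
    # (true by default), and the pattern requires the key, so this is blocked.
    "field-omitted": _pod("field-omitted", {}),
}

if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        allowed, msg = validate_pod(pod)
        print(f"{name}: {'allowed' if allowed else 'blocked - ' + msg}")
```

Only the explicit-false manifest passes; to allow a Pod that must keep its token, a real policy would need an exclude block or a separate rule rather than a looser pattern.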
Last modified January 2, 2021: fix title & sort and regen policies (fa7e171)