Disable automountServiceAccountToken

Whenever a Namespace is created, Kubernetes creates a ServiceAccount named `default` in it, and any Pod in that Namespace that does not specify a `serviceAccountName` runs under that ServiceAccount. By default the kubelet projects the ServiceAccount's token into every container, so each such Pod carries a credential that authenticates to the API server whether or not the workload needs one. This policy mutates every newly created `default` ServiceAccount to set `automountServiceAccountToken: false`, so the token is no longer mounted into Pods unless a Pod explicitly opts in, removing the need to set the field on each Pod individually. Two caveats: it is a mutating admission rule, so it only affects `default` ServiceAccounts created after the policy is installed (existing ones must be patched separately), and a Pod that sets `automountServiceAccountToken: true` in its own spec still receives a token, because the Pod-level field takes precedence over the ServiceAccount's.

Policy Definition

/other/disable_automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disable-automountserviceaccounttoken
  annotations:
    policies.kyverno.io/title: Disable automountServiceAccountToken
    policies.kyverno.io/category: Other, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: ServiceAccount
    kyverno.io/kyverno-version: 1.5.1
    kyverno.io/kubernetes-version: "1.21"
    policies.kyverno.io/description: >-
      A new ServiceAccount called `default` is created whenever a new Namespace is created.
      Pods spawned in that Namespace, unless otherwise set, will be assigned this ServiceAccount.
      This policy mutates any new `default` ServiceAccounts to disable auto-mounting of the token
      into Pods obviating the need to do so individually.
spec:
  rules:
  - name: disable-automountserviceaccounttoken
    match:
      resources:
        kinds:
        - ServiceAccount
        names:
        - default
    mutate:
      patchStrategicMerge:
        automountServiceAccountToken: false
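The following is an added example, not code from this policy page or from Kyverno. It models what the rule above does to a `default` ServiceAccount and then applies the Kubernetes precedence rule for token mounting (Pod spec field, then ServiceAccount field, then the default of mounting) to a few constructed Pod manifests, so the one case the policy cannot cover, a Pod that opts back in, is visible. The ServiceAccount and Pod objects, the `team-a` namespace and the `app-sa` account are all constructed sample data.

```python
# Added example, not code from the policy page or from Kyverno itself.
# It models two things to check before relying on this policy:
#   1. what the rule's patchStrategicMerge does to a `default` ServiceAccount, and
#   2. the Kubernetes precedence rule that decides whether a Pod really gets a token:
#      a Pod's own spec.automountServiceAccountToken overrides the ServiceAccount's
#      field, so a Pod that sets it to true still gets a token.
# All objects below are constructed sample manifests (as Python dicts), not cluster data.
import copy


def apply_disable_automount(sa: dict) -> dict:
    """Emulate the policy rule: match ServiceAccounts named `default` and merge in
    automountServiceAccountToken: false. A strategic merge of a scalar field simply
    sets it; every other field of the object is preserved."""
    metadata = sa.get("metadata", {})
    if sa.get("kind") != "ServiceAccount" or metadata.get("name") != "default":
        return sa  # rule does not match; the object passes through unchanged
    patched = copy.deepcopy(sa)
    patched["automountServiceAccountToken"] = False
    return patched


def token_mounted(pod: dict, service_accounts: dict) -> bool:
    """Return True if a ServiceAccount token would be projected into the Pod.
    Precedence as documented by Kubernetes: the Pod spec's field wins; then the
    ServiceAccount's field; if neither is set the token is mounted."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    # The ServiceAccount admission controller fills in `default` when unset.
    sa_name = spec.get("serviceAccountName", "default")
    sa = service_accounts.get(sa_name, {})
    return bool(sa.get("automountServiceAccountToken", True))


def pod(name: str, **spec_fields) -> dict:
    """Build a minimal constructed Pod manifest with extra spec fields."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "namespace": "team-a"},
            "spec": {"containers": [{"name": "app", "image": "example.com/app:1"}],
                     **spec_fields}}


def evaluate() -> dict:
    """Run the scenarios and return, per Pod, whether a token ends up mounted."""
    # ServiceAccounts as the API server would receive them at admission (constructed).
    default_sa = {"apiVersion": "v1", "kind": "ServiceAccount",
                  "metadata": {"name": "default", "namespace": "team-a"}}
    app_sa = {"apiVersion": "v1", "kind": "ServiceAccount",
              "metadata": {"name": "app-sa", "namespace": "team-a"}}

    # Admission: the policy mutates `default` and leaves `app-sa` alone.
    accounts = {"default": apply_disable_automount(default_sa),
                "app-sa": apply_disable_automount(app_sa)}

    scenarios = {
        "default-sa-no-override": pod("web"),                                     # covered by the policy
        "default-sa-pod-opt-in":  pod("cli", automountServiceAccountToken=True),  # Pod overrides the SA
        "default-sa-pod-opt-out": pod("batch", automountServiceAccountToken=False),
        "other-sa":               pod("api", serviceAccountName="app-sa"),        # policy never touched app-sa
    }
    return {name: token_mounted(p, accounts) for name, p in scenarios.items()}


if __name__ == "__main__":
    for name, mounted in evaluate().items():
        print(f"{name:24} token mounted: {mounted}")
```

To confirm the behaviour on a live cluster after installing the policy, create a fresh Namespace and read the field back with `kubectl get serviceaccount default -n <namespace> -o jsonpath='{.automountServiceAccountToken}'`, which should print `false`; a `default` ServiceAccount that existed before the policy can be brought in line with `kubectl patch serviceaccount default -n <namespace> -p '{"automountServiceAccountToken": false}'`. Workloads that genuinely need API access should run under a dedicated ServiceAccount with scoped RBAC, which this rule does not touch, rather than opting the `default` account back in at the Pod level.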