Restrict Auto-Mount of Service Account Tokens

Kubernetes automatically mounts ServiceAccount credentials in each Pod. The ServiceAccount may be assigned roles allowing Pods to access API resources. Blocking this ability is an extension of the least privilege best practice and should be followed if Pods do not need to speak to the API server to function. This policy ensures that mounting of these ServiceAccount tokens is blocked.

Policy Definition

/other/restrict_automount_sa_token/restrict_automount_sa_token.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: restrict-automount-sa-token
 5  annotations:
 6    policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens
 7    policies.kyverno.io/category: Sample, EKS Best Practices
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: Pod,ServiceAccount
10    policies.kyverno.io/description: >-
11      Kubernetes automatically mounts ServiceAccount credentials in each Pod.
12      The ServiceAccount may be assigned roles allowing Pods to access API resources.
13      Blocking this ability is an extension of the least privilege best practice and should
14      be followed if Pods do not need to speak to the API server to function.
15      This policy ensures that mounting of these ServiceAccount tokens is blocked.      
16spec:
17  validationFailureAction: audit
18  background: true
19  rules:
20  - name: validate-automountServiceAccountToken
21    match:
22      resources:
23        kinds:
24        - Pod
25    preconditions:
26      all:
27      - key: "{{ request.\"object\".metadata.labels.\"app.kubernetes.io/part-of\" || '' }}"
28        operator: NotEquals
29        value: policy-reporter
30    validate:
31      message: "Auto-mounting of Service Account tokens is not allowed."
32      pattern:
33        spec:
34          automountServiceAccountToken: "false"

Create policy issue