-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added policy: deny-default-service-accounts #1117
base: main
Are you sure you want to change the base?
Added policy: deny-default-service-accounts #1117
Conversation
Signed-off-by: fast-n-curious <[email protected]>
other/deny-default-service-accounts/deny-default-service-accounts.yaml
Outdated
Show resolved
Hide resolved
match: | ||
resources: | ||
kinds: | ||
- Pod |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
any
or all
, please.
policies.kyverno.io/title: Deny using default service accounts | ||
policies.kyverno.io/category: Other | ||
policies.kyverno.io/subject: Pod | ||
kyverno.io/kyverno-version: 1.11.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please test on latest.
policies.kyverno.io/category: Other | ||
policies.kyverno.io/subject: Pod | ||
kyverno.io/kyverno-version: 1.11.0 | ||
policies.kyverno.io/minversion: 1.10.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove.
other/deny-default-service-accounts/deny-default-service-accounts.yaml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update accordingly including fixing name.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove. Tests should fetch the policy in the parent directory, not duplicate it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add test for disabling of service account altogether.
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: badpod02 | ||
spec: | ||
serviceAccountName: default | ||
containers: | ||
- name: badpod02 | ||
image: dummyimage |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Redundant. Remove.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also recommend testing a few Pod controllers (like Deployment and Job) to ensure this works with autogen as expected.
…nts.yaml Co-authored-by: Chip Zoller <[email protected]> Signed-off-by: Jim Bugwadia <[email protected]>
…nts.yaml Co-authored-by: Chip Zoller <[email protected]> Signed-off-by: Jim Bugwadia <[email protected]>
Description
For an enhnaced security posture, it is recommended to use specific service accounts and not the default service accounts. These service accounts provide an identity for processes that run in individual Pods and map them to a ServiceAccount object. This policy flags the Pods that use any default service accounts.
Checklist