Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added policy: deny-default-service-accounts #1117

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

fast-n-curious
Copy link

Description

For an enhnaced security posture, it is recommended to use specific service accounts and not the default service accounts. These service accounts provide an identity for processes that run in individual Pods and map them to a ServiceAccount object. This policy flags the Pods that use any default service accounts.

Checklist

  • I have read the policy contribution guidelines.
  • I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

Comment on lines +22 to +25
match:
resources:
kinds:
- Pod
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any or all, please.

policies.kyverno.io/title: Deny using default service accounts
policies.kyverno.io/category: Other
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.11.0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please test on latest.

policies.kyverno.io/category: Other
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.11.0
policies.kyverno.io/minversion: 1.10.0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update accordingly including fixing name.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove. Tests should fetch the policy in the parent directory, not duplicate it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add test for disabling of service account altogether.

Comment on lines +31 to +39
apiVersion: v1
kind: Pod
metadata:
name: badpod02
spec:
serviceAccountName: default
containers:
- name: badpod02
image: dummyimage
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Redundant. Remove.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also recommend testing a few Pod controllers (like Deployment and Job) to ensure this works with autogen as expected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants