From 1fdcfe6f408cc84ba95bd39d1d7154f0a6083d3e Mon Sep 17 00:00:00 2001
From: Chris Harden <chris@defenseunicorns.com>
Date: Tue, 12 Dec 2023 15:29:25 +0000
Subject: [PATCH] Neuvector: disabled automountserviceaccounttoken in the
 neuvector namespace

---
 chart/templates/kyverno-policies/values.yaml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/chart/templates/kyverno-policies/values.yaml b/chart/templates/kyverno-policies/values.yaml
index 1954c5ab3d..53c36fe947 100644
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -699,7 +699,8 @@ policies:
       - velero
       - kyverno
       - velero
-
+      - neuvector
+      
   update-automountserviceaccounttokens:
     enabled: true
     namespaces:
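Review bot: The added blank line after `- neuvector` carries six trailing spaces (`+      `), which yamllint's `trailing-spaces` rule will flag; make it an empty line. The list this hunk extends belongs to a key that starts above the hunk, so which policy is being exempted for the `neuvector` namespace cannot be confirmed from this view, and the surrounding context already lists `velero` twice, which suggests the list is not being checked for duplicates. A one-line comment on the new entry saying why neuvector needs to be excluded here, e.g. `# neuvector: tokens are disabled per-SA/pod in update-automountserviceaccounttokens below`, would make the exemption auditable.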
@@ -766,6 +767,20 @@ policies:
         - velero-velero-*
         - node-agent-*
         - velero-label-namespace-*
+      - namespace: neuvector
+        serviceAccounts:
+        - basic
+        - controller
+        - enforcer
+        - updater
+        pods:
+        - neuvector-manager-pod-*
+        - neuvector-scanner-pod-*
+        - neuvector-controller-pod-*
+        - neuvector-enforcer-pod-*
+        - neuvector-updater-pod-*
+        - neuvector-prometheus-exporter-pod-*
+        - neuvector-registry-adapter-pod-*
 
 
 istio:
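Review bot: The new `neuvector` entry is an allowlist that, if this policy behaves as its name suggests, keeps service-account tokens mounted for the four listed accounts and the seven pod patterns, but nothing records why each needs API access, and the `pods` list names manager, scanner, prometheus-exporter and registry-adapter pods whose service accounts are not in `serviceAccounts` — presumably they run under `basic`, which should be confirmed against the NeuVector chart. Since every pattern ends in `-pod-*`, a wildcard here is what decides which pods retain a token, so a per-entry comment such as `# controller/enforcer/updater call the API server; others use the basic SA — confirm` would let a later reviewer tighten the list without re-deriving it. The sequence indentation is flush (`pods:` and its `- ` items at the same column), which matches the preceding `velero` entry, so keep it consistent rather than re-indenting only this block.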
-- 
GitLab