Mitigate automountServiceAccountToken findings in Confluence

80c683d1 · Justen Mehl · Michael Martin · 9012e31e · 80c683d1
Commit 80c683d1 authored 1 year ago by Justen Mehl Committed by Michael Martin 1 year ago
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -704,6 +704,7 @@ policies:
      - velero
      - neuvector
      - kiali
+      - confluence
      - harbor
      - authservice

@@ -832,6 +833,11 @@ policies:
        # notifications bot pods interact with secrets, configmaps, and CRDs
        # More details in argocd/chart/templates/argocd-notifications/bots/slack/role.yaml
        - argocd-argocd-notifications-controller-*
+      - namespace: confluence
+        pods:
+        # confluence pods require get/list on endpoints, pods, and nodes
+        # More details in confluence/chart/templates/clusterrole.yaml
+        - confluence-?
      - namespace: harbor
        serviceAccounts: 
        - harbor-redis-bb