diff --git a/base/flux/kustomization.yaml b/base/flux/kustomization.yaml
index f0ee7ab4e5a772071b5267dde6b5bd21e923e308..71c7ab34f5d9a904a065231cfb8733a40ed2eae8 100644
--- a/base/flux/kustomization.yaml
+++ b/base/flux/kustomization.yaml
@@ -53,6 +53,15 @@ patches:
                     drop:
                       - ALL
                   $patch: replace
+  - target:
+      kind: ServiceAccount
+      name: helm-controller
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: helm-controller
+      automountServiceAccountToken: false
   - target:
       kind: Deployment
       name: helm-controller
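Review bot: The ServiceAccount patch added here is repeated almost verbatim in the kustomize-, notification- and source-controller hunks, with only the name changing. Kustomize treats the `name` in a patch target as an anchored regular expression, so a single patch with `name: (helm|kustomize|notification|source)-controller` should cover all four; as far as I know the `metadata.name` inside the patch body is then ignored. If the per-controller entries are kept to mirror the Deployment patches, a one-line comment such as `# token automount off by default; the Deployment patch below opts the controller pod back in` above each target would explain the pairing.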
@@ -64,6 +73,7 @@ patches:
       spec:
         template:
           spec:
+            automountServiceAccountToken: true
             containers:
             - name: manager
               resources:
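Review bot: The pod-level `automountServiceAccountToken: true` overrides the `false` set on the ServiceAccount, so the helm-controller pod keeps its API token and the restriction only affects other pods that reference this ServiceAccount. That is reasonable for a controller that has to reach the API server, but it is not stated anywhere; a comment above the line such as `# controller needs API access; automount is off on the ServiceAccount, so opt in here` would record the intent. Since the token stays mounted in the manager container, the RBAC bound to these service accounts is still the effective limit and is worth confirming separately. The same applies to the kustomize-, notification- and source-controller Deployment hunks; each Deployment patch starts above and continues below its hunk.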
@@ -73,6 +83,15 @@ patches:
                 requests:
                   cpu: 900m
                   memory: 1Gi
+  - target:
+      kind: ServiceAccount
+      name: kustomize-controller
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: kustomize-controller
+      automountServiceAccountToken: false
   - target:
       kind: Deployment
       name: kustomize-controller
@@ -84,6 +103,7 @@ patches:
       spec:
         template:
           spec:
+            automountServiceAccountToken: true
             containers:
             - name: manager
               resources:
@@ -93,6 +113,15 @@ patches:
                 requests:
                   cpu: 300m
                   memory: 600Mi
+  - target:
+      kind: ServiceAccount
+      name: notification-controller
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: notification-controller
+      automountServiceAccountToken: false
   - target:
       kind: Deployment
       name: notification-controller
@@ -104,6 +133,7 @@ patches:
       spec:
         template:
           spec:
+            automountServiceAccountToken: true
             containers:
             - name: manager
               resources:
@@ -113,6 +143,15 @@ patches:
                 requests:
                   cpu: 100m
                   memory: 200Mi
+  - target:
+      kind: ServiceAccount
+      name: source-controller
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+      automountServiceAccountToken: false
   - target:
       kind: Deployment
       name: source-controller
@@ -124,6 +163,7 @@ patches:
       spec:
         template:
           spec:
+            automountServiceAccountToken: true
             containers:
             - name: manager
               resources:
diff --git a/chart/templates/kyverno-policies/values.yaml b/chart/templates/kyverno-policies/values.yaml
index 0c962f8b2f1f696e973d3f7d65748cc51b98b2b7..516f69d420feec11417a36b8159012c4a39b0f61 100644
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -169,6 +169,17 @@ policies:
           names:
           - prometheus-monitoring-monitoring-kube-prometheus*
       {{- end }}
+      - resources:
+          namespaces:
+          - flux-system
+          kinds:
+          - Pod
+          - Deployment
+          names:
+          - notification-controller-*
+          - helm-controller-*
+          - source-controller-*
+          - kustomize-controller-*
 
   {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.twistlock.enabled }}
   disallow-tolerations:
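Review bot: The name globs in the new exclude entry all end in `-*`, which fits generated pod names but probably not the Deployment objects themselves: the kustomization patches in this same commit target Deployments named `helm-controller`, `kustomize-controller` and so on, with no suffix. If the policy is evaluated against Deployments (directly or through generated controller rules), listing `Deployment` under `kinds` would then exclude nothing. The globs also exempt any pod in flux-system whose name merely starts with one of these prefixes, so adding the exact Deployment names and, if the chart supports it, matching the pods by label would keep the exemption to the four controllers. The policy this entry belongs to starts above the hunk.

```yaml
          names:
          # … unchanged: the four *-controller-* pod globs …
          - notification-controller
          - helm-controller
          - source-controller
          - kustomize-controller
```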
@@ -712,6 +723,8 @@ policies:
       - thanos
       - mattermost
       - mattermost-operator
+      - bigbang
+      - flux-system
       - keycloak
 
   update-automountserviceaccounttokens:
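Review bot: `bigbang` is added to this list together with `flux-system`, but the changes visible in this diff only prepare flux-system (ServiceAccount defaults, pod opt-ins and the policy exclusion). The list's key sits above the hunk, so what membership triggers can't be read here; if it turns the automount policy on per namespace, workloads in `bigbang` that rely on a mounted token should be checked before this lands. A short comment on the entry, e.g. `# flux-system: controllers opt in per pod (base/flux/kustomization.yaml)`, would tie the two files together.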