Merge branch '1859-thanos-mitigate-automount-sa-token-findings' into 'master'

Mitigating the automount service account token findings for Thanos See merge request !3600

Merge branch '1859-thanos-mitigate-automount-sa-token-findings' into 'master'
f5bbde9e · Ryan Garcia · 014073e6 · 6b306dcc · f5bbde9e
Commit f5bbde9e authored 1 year ago by Ryan Garcia
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -709,7 +709,8 @@ policies:
      - fluentbit
      - eck-operator
      - nexus-repository-manager
-      
+      - thanos
+
  update-automountserviceaccounttokens:
    enabled: true
    namespaces:
@@ -879,8 +880,18 @@ policies:
        - nexus-repository-manager
        pods:
        - nexus-repository-manager-* 
-
-
+      - namespace: thanos
+        serviceAccounts:
+        - thanos-minio-sa
+        - thanos-storegateway
+        - thanos-query
+        - thanos-query-frontend
+        pods:
+        - thanos-minio-*
+        podsToHarden:
+        - thanos-query-frontend-*
+        - thanos-storegateway-*
+        - thanos-query-*

 istio:
  enabled: {{ .Values.istio.enabled }}