Harden automountServiceAccountToken findings in Twistlock
General MR
Summary
Closes https://repo1.dso.mil/big-bang/bigbang/-/issues/1833
This MR leverages the mutating Kyverno policy named update-automountserviceaccounttokens to harden all ServiceAccounts in the twistlock namespace/package, and to place Pod exceptions where applicable (depending on whether the application truly needs access to the K8s API). Justifications for Pod exceptions are placed in comments alongside the code.
Manual testing according to the package's DEVELOPMENT_MAINTENANCE.md has shown no loss of functionality. Pipeline tests are passing.
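A reviewer verifying this kind of change wants to know, per pod, whether a service-account token actually ends up mounted after the SA-level hardening and the pod-level exceptions are combined. Kubernetes resolves this as follows: `pod.spec.automountServiceAccountToken` overrides the ServiceAccount's `automountServiceAccountToken`; if neither is set the token is mounted; and a pod can still obtain a token by mounting a projected `serviceAccountToken` volume explicitly, which the automount flags do not prevent. The audit below is an added example, not code from the Big Bang twistlock package, the MR, or the Kyverno policy; it consumes objects shaped like the items of `kubectl get serviceaccounts,pods -n <ns> -o json`, and the ServiceAccount and Pod objects embedded in it are constructed for illustration (their names do not correspond to real twistlock workloads).

```python
"""Audit effective service-account token mounting for pods in one namespace.

Added example; the SERVICE_ACCOUNTS and PODS lists below are constructed
sample objects in the shape of `kubectl get ... -o json` items, not real
twistlock resources.
"""
from typing import Dict, List

# Constructed sample: two SAs hardened (as a mutating policy would leave them)
# and one untouched SA where the field is simply absent (Kubernetes default: mount).
SERVICE_ACCOUNTS: List[dict] = [
    {"metadata": {"name": "app-web"}, "automountServiceAccountToken": False},
    {"metadata": {"name": "app-api-client"}, "automountServiceAccountToken": False},
    {"metadata": {"name": "default"}},
]

# Constructed sample pods covering each case the audit has to distinguish.
PODS: List[dict] = [
    # Hardened SA, no pod override: token must NOT be mounted.
    {"metadata": {"name": "web-0"},
     "spec": {"serviceAccountName": "app-web"}},
    # Hypothetical exception: the pod re-enables mounting because it calls the API.
    {"metadata": {"name": "api-client-0"},
     "spec": {"serviceAccountName": "app-api-client",
              "automountServiceAccountToken": True}},
    # No serviceAccountName -> "default" SA, which was never hardened.
    {"metadata": {"name": "debug-shell"}, "spec": {}},
    # Hardened SA, but an explicit projected token volume bypasses the flag.
    {"metadata": {"name": "scanner-0"},
     "spec": {"serviceAccountName": "app-web",
              "volumes": [{"name": "tok", "projected": {"sources": [
                  {"serviceAccountToken": {"path": "token"}}]}}]}},
]


def effective_automount(pod: dict, sa_by_name: Dict[str, dict]) -> bool:
    """True if Kubernetes would auto-mount the SA token into this pod."""
    spec = pod.get("spec") or {}
    if "automountServiceAccountToken" in spec:
        # Pod-level field wins over the ServiceAccount-level field.
        return bool(spec["automountServiceAccountToken"])
    sa = sa_by_name.get(spec.get("serviceAccountName", "default"), {})
    # Absent on both objects means the default, which is to mount.
    return bool(sa.get("automountServiceAccountToken", True))


def has_explicit_token_volume(pod: dict) -> bool:
    """True if the pod mounts a projected serviceAccountToken volume itself."""
    for vol in (pod.get("spec") or {}).get("volumes") or []:
        for src in (vol.get("projected") or {}).get("sources") or []:
            if "serviceAccountToken" in src:
                return True
    return False


def audit(service_accounts: List[dict], pods: List[dict]) -> Dict[str, dict]:
    """Per-pod report: which SA it uses, whether a token is reachable, and why."""
    sa_by_name = {sa["metadata"]["name"]: sa for sa in service_accounts}
    report: Dict[str, dict] = {}
    for pod in pods:
        spec = pod.get("spec") or {}
        auto = effective_automount(pod, sa_by_name)
        explicit = has_explicit_token_volume(pod)
        report[pod["metadata"]["name"]] = {
            "serviceAccount": spec.get("serviceAccountName", "default"),
            "tokenMounted": auto or explicit,
            "viaPodOverride": "automountServiceAccountToken" in spec,
            "viaExplicitVolume": explicit,
        }
    return report


def unhardened_service_accounts(service_accounts: List[dict]) -> List[str]:
    """SAs the mutating policy did not reach (field missing or true)."""
    return [sa["metadata"]["name"] for sa in service_accounts
            if sa.get("automountServiceAccountToken", True)]


if __name__ == "__main__":
    for name, row in audit(SERVICE_ACCOUNTS, PODS).items():
        print(f"{name:14} sa={row['serviceAccount']:15} mounted={row['tokenMounted']} "
              f"override={row['viaPodOverride']} volume={row['viaExplicitVolume']}")
    print("unhardened SAs:", unhardened_service_accounts(SERVICE_ACCOUNTS))
```

Against a real cluster, feed the `items` arrays of the two `kubectl get -o json` calls into `audit()` and `unhardened_service_accounts()`; every pod reported as `tokenMounted` should map to a documented exception, and the `default` SA is the usual leftover when a policy only matches package-owned ServiceAccounts.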
Activity
added kind::enhancement, priority::7, and status::doing labels
assigned to @justen.mehl
added twistlock label
changed milestone to %2.15.0
added status::review label and removed status::doing label
requested review from @ryan.j.garcia, @chris.oconnell, and @michaelmartin
mentioned in merge request big-bang/product/packages/twistlock!116 (merged)
removed review request for @ryan.j.garcia, @michaelmartin, and @chris.oconnell
added status::doing label and removed status::review label
changed milestone to %2.16.0
added status::review label and removed status::doing label
requested review from @ryan.j.garcia, @michaelmartin, @chris.oconnell, and @ryan.thompson.44
@andrewshoell @rgsjustins: You have been tagged in this merge request for the purpose of conducting secondary review.
mentioned in commit c9d3a496