UNCLASSIFIED - NO CUI

Skip to content

Fix kyverno exemption and mutation for automount service token

General MR

Summary

This MR accomplishes two things:

  • Fixes a bug where setting serviceAccounts to be mutated and hardened as it pertains to automountServiceAccountToken settings, inadvertently exempted underlying pods from being scrutinized by this policy.
  • Adds a new mutator that can be used to harden automountServiceAccountToken (set to false) on Pods; to be used in situations where upstream sets the pods to be explicitly TRUE in this regard unnecessarily.

Relates to https://repo1.dso.mil/big-bang/bigbang/-/issues/1835

Edited by Dustin Hilgaertner

Merge request reports