50-mutate-default-sa: Adding clusterrole to the background-controller that...
General MR
Summary
Kubernetes automatically mounts API credentials in each Pod using the service account.
Under the least privilege best practice, the default service account should not have
access to the Kuberenetes API. This helps to prevent exploitation of API vulnerabilities.
This policy will add configuration to pods so that the service account token is not
automatically mounted.
Some package namespaces, and in turn their default serviceaccounts, are created in Bigbang before Kyverno runs. Kyverno can't update those pre-existing resources without adequate permissions.
This MR adds the rights to get, list, watch, update, and patch the kyverno-background-controller
serviceaccount so that those resources can be mutated with a clusterpolicy
These is a Kyverno-poliycy MR that is dependent on this MR
Relevant logs/screenshots
(Include any relevant logs/screenshots)
Relates #50 (closed)
Edited by Ryan Garcia