Updated on 2024-02-01 GMT+08:00

k8spspautomountserviceaccounttokenpod

Basic Information

  • Policy type: compliance
  • Recommended level: L1
  • Effective resource type: Pod
  • Parameter: None

Function

The automountServiceAccountToken field cannot be set to true.

Policy Example

The example declares that the automountServiceAccountToken field cannot be set to true.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: psp-automount-serviceaccount-token-pod
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]

Resource Definition That Complies with the Policy

The automountServiceAccountToken field of the pod is set to false, which complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-automountserviceaccounttoken-allowed
  labels:
    app: nginx-not-automountserviceaccounttoken
spec:
  automountServiceAccountToken: false
  containers:
  - name: nginx
    image: nginx

Resource Definition That Does Not Comply with the Policy

The automountServiceAccountToken field of the pod is set to true, which does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-automountserviceaccounttoken-disallowed
  labels:
    app: nginx-automountserviceaccounttoken
spec:
  automountServiceAccountToken: true
  containers:
  - name: nginx
    image: nginx
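The following is an added example, not part of this page or of the Gatekeeper template itself: a small offline checker that applies the policy instance above (kind match plus excludedNamespaces) to the two pods shown and to two constructed edge cases. The pods on the page carry no namespace, so "default" is assumed; the verdict strings and the pod() helper are this example's own.

```python
from typing import Any, Dict, List

# The constraint instance from the page, transcribed as a dict.
CONSTRAINT: Dict[str, Any] = {
    "kind": "K8sPSPAutomountServiceAccountTokenPod",
    "spec": {"match": {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
                       "excludedNamespaces": ["kube-system"]}},
}

def pod(name: str, namespace: str = "default", **spec: Any) -> Dict[str, Any]:
    """Build a minimal Pod manifest (constructed test input, hypothetical helper)."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"containers": [{"name": "nginx", "image": "nginx"}], **spec}}

def is_selected(constraint: Dict[str, Any], obj: Dict[str, Any]) -> bool:
    """Mirror spec.match: kind listed under one of the apiGroups and namespace not excluded."""
    match = constraint["spec"]["match"]
    api = obj["apiVersion"]
    group = api.rsplit("/", 1)[0] if "/" in api else ""   # core group is ""
    kind_ok = any(group in k["apiGroups"] and obj["kind"] in k["kinds"] for k in match["kinds"])
    ns = obj["metadata"].get("namespace", "default")        # assumption: unset means "default"
    return kind_ok and ns not in match.get("excludedNamespaces", [])

def evaluate(constraint: Dict[str, Any], obj: Dict[str, Any]) -> str:
    """Return 'excluded', 'denied', 'allowed' or 'not-set' for one object."""
    if not is_selected(constraint, obj):
        return "excluded"
    value = obj.get("spec", {}).get("automountServiceAccountToken")
    if value is True:
        return "denied"        # the page's rule: the field cannot be true
    if value is False:
        return "allowed"       # explicit opt-out, as in the compliant example
    # Not forbidden by the rule as the page states it, but Kubernetes then
    # inherits the ServiceAccount's setting, which defaults to mounting the token.
    return "not-set"

def audit(constraint: Dict[str, Any], objs: List[Dict[str, Any]]) -> Dict[str, str]:
    """Verdict per pod name."""
    return {o["metadata"]["name"]: evaluate(constraint, o) for o in objs}

# The page's two pods plus two constructed edge cases.
SAMPLE_PODS = [
    pod("nginx-automountserviceaccounttoken-allowed", automountServiceAccountToken=False),
    pod("nginx-automountserviceaccounttoken-disallowed", automountServiceAccountToken=True),
    pod("kube-system-agent", namespace="kube-system", automountServiceAccountToken=True),
    pod("nginx-default-behaviour"),
]

if __name__ == "__main__":
    for name, verdict in audit(CONSTRAINT, SAMPLE_PODS).items():
        print(f"{verdict:8} {name}")
```

The "not-set" verdict is worth watching in an audit: it is not a violation of the rule as stated, but the token is still mounted unless the ServiceAccount disables it.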