Updated on 2024-02-01 GMT+08:00

noupdateserviceaccount

Basic Information

  • Policy type: compliance
  • Recommended level: L1
  • Effective resource type: *
  • Parameter

    allowedGroups: Array

    allowedUsers: Array

Function

Update requests that change a workload's ServiceAccount (the serviceAccountName in its pod template) are rejected unless the requesting user or one of the requester's groups is on the allow list.

Policy Example

The following policy instance shows the resource types for which the policy definition takes effect. parameters defines the allowed group list allowedGroups and the allowed user list allowedUsers; with both lists empty, as below, nobody may change the ServiceAccount of a matched workload in kube-system.

# IMPORTANT: Before deploying this policy, make sure you allow-list any groups
# or users that need to deploy workloads to kube-system, such as cluster-
# lifecycle controllers, addon managers, etc. Such controllers may need to
# update service account names during automated rollouts (e.g. of refactored
# configurations). You can allow-list them with the allowedGroups and
# allowedUsers properties of the NoUpdateServiceAccount Constraint.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: no-update-kube-system-service-account
spec:
  match:
    namespaces: ["kube-system"]
    kinds:
    - apiGroups: [""]
      kinds:
      # You can optionally add "Pod" here, but it is unnecessary because
      # Pod service account immutability is enforced by the Kubernetes API.
      - "ReplicationController"
    - apiGroups: ["apps"]
      kinds:
      - "ReplicaSet"
      - "Deployment"
      - "StatefulSet"
      - "DaemonSet"
    - apiGroups: ["batch"]
      kinds:
      # You can optionally add "Job" here, but it is unnecessary because
      # Job service account immutability is enforced by the Kubernetes API.
      - "CronJob"
  parameters:
    allowedGroups: []
    allowedUsers: []

Resource Definition That Complies with the Policy

The ServiceAccount is not changed, so the update complies with the policy instance.

# Note: The gator tests currently require exactly one object per example file.
# Since this is an update-triggered policy, at least two objects are technically
# required to demonstrate it. Due to the gator requirement, we only have one
# object below. The policy should allow changing everything but the
# serviceAccountName field.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: policy-test
  namespace: kube-system
  labels:
    app: policy-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: policy-test-deploy
  template:
    metadata:
      labels:
        app: policy-test-deploy
    spec:
      # Changing anything except this field should be allowed by the policy.
      serviceAccountName: policy-test-sa-1
      containers:
      - name: policy-test
        image: ubuntu
        command:
        - /bin/bash
        - -c
        - sleep 99999
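To make the decision described under Function concrete, the following is an added example that reimplements the policy's decision logic in Python over an AdmissionReview-shaped request. It is not the Gatekeeper template's own Rego and not part of this page's code. Everything in it is constructed for illustration: the Deployment mirrors the policy-test example above, the user and group names are hypothetical, and the choice to treat an empty serviceAccountName as "default" (the value the API server assigns to pods that omit it) is an assumption of this example, not something the policy documentation states.

```python
"""Illustrative reimplementation of the noupdateserviceaccount decision.

Added example, not the Gatekeeper template's Rego. It inspects an
AdmissionReview-like request (operation, oldObject, object, userInfo)
and returns the verdict the constraint is documented to give.
"""
from typing import Any, Dict, List, Optional

# Where the pod template lives for each kind the sample constraint matches.
# Pod and Job are deliberately absent: the API server already makes their
# service account immutable, as the constraint's comments note.
POD_SPEC_PATH = {
    "ReplicationController": ["spec", "template", "spec"],
    "ReplicaSet": ["spec", "template", "spec"],
    "Deployment": ["spec", "template", "spec"],
    "StatefulSet": ["spec", "template", "spec"],
    "DaemonSet": ["spec", "template", "spec"],
    "CronJob": ["spec", "jobTemplate", "spec", "template", "spec"],
}


def service_account_of(obj: Dict[str, Any]) -> Optional[str]:
    """Return the pod template's serviceAccountName, or None for unmatched kinds.

    Assumption of this example: an unset or empty name is normalised to
    "default", because that is what the API server gives pods that omit it.
    """
    path = POD_SPEC_PATH.get(obj.get("kind", ""))
    if path is None:
        return None
    node: Any = obj
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    if not isinstance(node, dict):
        return "default"
    return node.get("serviceAccountName") or "default"


def decide(request: Dict[str, Any], allowed_users: List[str],
           allowed_groups: List[str]) -> Dict[str, Any]:
    """Admit or deny one request the way the constraint is documented to."""
    if request.get("operation") != "UPDATE":
        return {"allowed": True, "reason": "not an update"}
    user = request.get("userInfo", {})
    if user.get("username") in allowed_users or any(
            g in allowed_groups for g in user.get("groups", [])):
        return {"allowed": True, "reason": "requester is allow-listed"}
    old_sa = service_account_of(request["oldObject"])
    new_sa = service_account_of(request["object"])
    if old_sa is None or new_sa is None:
        return {"allowed": True, "reason": "kind not matched by the constraint"}
    if old_sa == new_sa:
        return {"allowed": True, "reason": "serviceAccountName unchanged"}
    return {"allowed": False,
            "reason": f"serviceAccountName changed from {old_sa!r} to {new_sa!r}; "
                      "only allow-listed users or groups may update it"}


def deployment(sa: str, replicas: int = 1) -> Dict[str, Any]:
    """Constructed Deployment modelled on the page's policy-test example."""
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "policy-test", "namespace": "kube-system"},
        "spec": {
            "replicas": replicas,
            "template": {"spec": {
                "serviceAccountName": sa,
                "containers": [{"name": "policy-test", "image": "ubuntu"}],
            }},
        },
    }


def update_request(old: Dict[str, Any], new: Dict[str, Any],
                   username: str, groups: List[str]) -> Dict[str, Any]:
    """Constructed AdmissionReview.request fragment for an UPDATE."""
    return {"operation": "UPDATE", "oldObject": old, "object": new,
            "userInfo": {"username": username, "groups": groups}}


if __name__ == "__main__":
    base = deployment("policy-test-sa-1")
    # Hypothetical requester and group names, chosen for the example only.
    cases = [
        ("scale only", update_request(base, deployment("policy-test-sa-1", 3), "alice", []), [], []),
        ("change SA", update_request(base, deployment("policy-test-sa-2"), "alice", []), [], []),
        ("change SA, allow-listed group",
         update_request(base, deployment("policy-test-sa-2"), "addon-mgr", ["addon-manager"]),
         [], ["addon-manager"]),
    ]
    for label, req, users, groups in cases:
        print(f"{label}: {decide(req, users, groups)}")
```

The three cases mirror what the compliant example above says the policy should do: a change to any field other than serviceAccountName (here, replicas) is admitted, a change to serviceAccountName by an ordinary user is denied, and the same change by a member of an allowedGroups entry is admitted. A real constraint only sees requests that already passed the match block (kube-system and the listed kinds), so in production the "kind not matched" branch would never be reached.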