let the disable-automountserviceaccounttoken Kyverno policy apply on existing ns/SAs

Closes #1736 (closed)

The disable-automountserviceaccounttoken Kyverno policy is modified to apply on already created resources.

A side benefit is that the namespace-defs unit does not need to depend on kyverno-policies anymore, which simplifies our dependency graph and will help unlock a circular dependency issue in !2962 (merged).

Result (from the CI pipelines in this MR):

  kind: ServiceAccount
  metadata:
    namespace: kube-system
    name: default
  automountServiceAccountToken: false  <<<<<<<<<<<
Edited by Thomas Morin
