Modify policy template schema for Kyverno policies and add SA token p…

…olicy

Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>

generic/kyverno/kyverno-automount-service-account-token.yaml

@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: restrict-automount-sa-token
+  namespace: default
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: validate-automountServiceAccountToken
+      match:
+        any:
+          - resources:
+              kinds:
+                - Deployment
+      preconditions:
+        all:
+          - key: "{{ request.operation || 'BACKGROUND' }}"
+            operator: NotEquals
+            value: DELETE
+      validate:
+        message: "Auto-mounting of Service Account tokens is not allowed."
+        pattern:
+          spec:
+            template:
+              spec:
+                automountServiceAccountToken: "false"

generic/kyverno/metadata.yaml

@@ -0,0 +1,15 @@
+version: v0.1.9
+policyRules:
+  - name: restrict-automount-sa-token
+    description:
+      refs:
+        - name: Restrict Mounting Service Account Token
+          url:
+            - https://kyverno.io/policies/other/restrict_automount_sa_token/restrict_automount_sa_token/
+      tldr: Don't mount service account token when it is not needed
+      detailed: If the Service Account Token is not used by a pod, then it should not be 
+        automounted. Service account token provide access to the kubeapi-server which potentially
+        increases the surface area of attack.
+    kyvernoPolicyTags:
+      - "AUTOMOUNT_SERVICE_ACCOUNT"
+    yaml: kyverno-automount-service-account-token.yaml