
Comments (11)

fjogeleit commented on June 20, 2024

I created kyverno/policies#348, which should resolve your issue, and the Policy should no longer block the Policy Reporter deployment.

from policy-reporter.

Dentrax commented on June 20, 2024

If I set automountServiceAccountToken: "false" in the deployment, the pod falls back to crashing with the following error:

Error: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

Any ideas how to make it run without setting it to true?


fjogeleit commented on June 20, 2024

The SA is required to get permissions for accessing the K8s API. That's why it is set to true. There is really no workaround for it. The only possible solution could be to add a manual volume and volumeMount instead of the automount feature.


Dentrax commented on June 20, 2024

So it's something we can fix in the deployment manifests? I prefer to handle all that manual stuff in the helm side during installation.

Currently, it's not possible to run this project with Kyverno's default policy enforcement, which decreases the UX a bit in the first place.


fjogeleit commented on June 20, 2024

But you will have the same problem with all tools that access the K8s API in some case. The Policy description also says that the intention is to prevent automount for pods that are not interacting with the K8s API:

Kubernetes automatically mounts ServiceAccount credentials in each Pod.
The ServiceAccount may be assigned roles allowing Pods to access API resources.
Blocking this ability is an extension of the least privilege best practice and should
be followed if Pods do not need to speak to the API server to function.
This policy ensures that mounting of these ServiceAccount tokens is blocked.

Because the SA secret name has a dynamic suffix like policy-reporter-token-vdt6m, the manual mount is not really an option because I don't know the secret name before it is created.


fjogeleit commented on June 20, 2024

You could add an exclude label and add this label to the policy-reporter pods and other K8s API related tools.

Would it make sense to add some kind of exclusion (e.g. label) to the Kyverno Policy directly @chipzoller @realshuting?


chipzoller commented on June 20, 2024

Sure, should it exclude by name?


fjogeleit commented on June 20, 2024

If you want to add a policy-reporter specific exclude, I would suggest the label app.kubernetes.io/part-of: policy-reporter. It's currently only added on the deployment, but I can create a minor version which also adds it on pod level. So we don't need multiple values for the different components.


chipzoller commented on June 20, 2024

Glad to accept a PR to the policy if one is made.


fjogeleit commented on June 20, 2024

Thanks @chipzoller. I will open one.


fjogeleit commented on June 20, 2024

The updated Policy now has an exclude filter for Policy Reporter (kyverno/policies#348), which should fix this issue.

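The label-based exclusion the thread settles on, written out as an added illustrative example (it is neither the actual change in kyverno/policies#348 nor Policy Reporter's own Helm manifests); the policy and rule names, the validation pattern, the Deployment layout and the image reference are assumptions:

```yaml
# Added illustrative example; the policy requires automountServiceAccountToken: false
# on Pods but excludes Pods carrying the Policy Reporter label, which must reach the API.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-automount-sa-token        # name assumed for illustration
spec:
  validationFailureAction: Enforce
  rules:
    - name: validate-automountServiceAccountToken
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              selector:
                matchLabels:
                  app.kubernetes.io/part-of: policy-reporter   # label agreed in the thread
      validate:
        message: "Auto-mounting of Service Account tokens is not allowed."
        pattern:
          spec:
            automountServiceAccountToken: "false"
---
# The exclude's selector matches the labels of the Pod being admitted, so the label
# has to be on the Pod template, not only on the Deployment's own metadata.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: policy-reporter
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: policy-reporter
  template:
    metadata:
      labels:
        app.kubernetes.io/name: policy-reporter
        app.kubernetes.io/part-of: policy-reporter   # pod-level label the exclude matches
    spec:
      serviceAccountName: policy-reporter
      automountServiceAccountToken: true   # needed to talk to the K8s API
      containers:
        - name: policy-reporter
          image: PLACEHOLDER_IMAGE         # placeholder, not a real image reference
```

Every other Pod without the label is still rejected unless it sets automountServiceAccountToken to false, so the least-privilege intent of the policy is kept.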
