From e11de3e518a796709b9d477883fc7c191913cad3 Mon Sep 17 00:00:00 2001 From: fast-n-curious Date: Tue, 6 Aug 2024 22:29:45 -0500 Subject: [PATCH 1/3] Added policy: deny-default-service-accounts Signed-off-by: fast-n-curious
--- .../.chainsaw-test/badpod.yaml | 20 ++++++++++ .../chainsaw-step-01-assert-1.yaml | 6 +++ .../.chainsaw-test/chainsaw-test.yaml | 36 +++++++++++++++++ .../.chainsaw-test/goodpod.yaml | 19 +++++++++ .../.chainsaw-test/testpod.yaml | 9 +++++ .../.kyverno-test/kyverno-test.yaml | 33 ++++++++++++++++ .../.kyverno-test/policy.yaml | 30 ++++++++++++++ .../.kyverno-test/resources.yaml | 39 +++++++++++++++++++ .../artifacthub-pkg.yml | 22 +++++++++++ .../deny-default-service-accounts.yaml | 30 ++++++++++++++ 10 files changed, 244 insertions(+) create mode 100644 other/deny-default-service-accounts/.chainsaw-test/badpod.yaml create mode 100644 other/deny-default-service-accounts/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100644 other/deny-default-service-accounts/.chainsaw-test/chainsaw-test.yaml create mode 100644 other/deny-default-service-accounts/.chainsaw-test/goodpod.yaml create mode 100644 other/deny-default-service-accounts/.chainsaw-test/testpod.yaml create mode 100644 other/deny-default-service-accounts/.kyverno-test/kyverno-test.yaml create mode 100644 other/deny-default-service-accounts/.kyverno-test/policy.yaml create mode 100644 other/deny-default-service-accounts/.kyverno-test/resources.yaml create mode 100644 other/deny-default-service-accounts/artifacthub-pkg.yml create mode 100644 other/deny-default-service-accounts/deny-default-service-accounts.yaml
diff --git a/other/deny-default-service-accounts/.chainsaw-test/badpod.yaml b/other/deny-default-service-accounts/.chainsaw-test/badpod.yaml
new file mode 100644
index 000000000..1fd64a136
--- /dev/null
+++ b/other/deny-default-service-accounts/.chainsaw-test/badpod.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+spec:
+ serviceAccountName: default
+ containers:
+ - name: badpod01
+ image: dummyimagename
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod02
+spec:
+ serviceAccountName: default
+ containers:
+ - image: dummyimagename
+ name: badpod02
+
diff --git a/other/deny-default-service-accounts/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/deny-default-service-accounts/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100644
index 000000000..f26c15309
--- /dev/null
+++ b/other/deny-default-service-accounts/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-default-service-accounts
+status:
+ ready: true
diff --git a/other/deny-default-service-accounts/.chainsaw-test/chainsaw-test.yaml b/other/deny-default-service-accounts/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..47d895af0
--- /dev/null
+++ b/other/deny-default-service-accounts/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,36 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: deny-default-service-accounts
+spec:
+ steps:
+ - name: step-01
+ try:
+ - create:
+ resource:
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: custom-service-account
+ - apply:
+ file: ../deny-default-service-accounts.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: deny-default-service-accounts
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: goodpod.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: badpod.yaml
diff --git a/other/deny-default-service-accounts/.chainsaw-test/goodpod.yaml b/other/deny-default-service-accounts/.chainsaw-test/goodpod.yaml
new file mode 100644
index 000000000..14dccee57
--- /dev/null
+++ b/other/deny-default-service-accounts/.chainsaw-test/goodpod.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01
+spec:
+ serviceAccountName: custom-service-account
+ containers:
+ - image: nginx
+ name: goodpod01
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod02
+spec:
+ serviceAccountName: custom-service-account
+ containers:
+ - image: nginx
+ name: goodpod02
diff --git a/other/deny-default-service-accounts/.chainsaw-test/testpod.yaml b/other/deny-default-service-accounts/.chainsaw-test/testpod.yaml
new file mode 100644
index 000000000..0fe8b75e5
--- /dev/null
+++ b/other/deny-default-service-accounts/.chainsaw-test/testpod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01
+spec:
+ serviceAccountName: custom-service-account
+ containers:
+ - name: goodpod01
+ image: dummyimage
diff --git a/other/deny-default-service-accounts/.kyverno-test/kyverno-test.yaml b/other/deny-default-service-accounts/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..47e7ea979
--- /dev/null
+++ b/other/deny-default-service-accounts/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,33 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: kyverno-test.yaml
+policies:
+- ../deny-default-service-accounts.yaml
+resources:
+- resources.yaml
+results:
+- kind: Pod
+ policy: deny-default-service-accounts
+ resources:
+ - goodpod01
+ result: pass
+ rule: deny-default-service-accounts
+- kind: Pod
+ policy: deny-default-service-accounts
+ resources:
+ - goodpod02
+ result: pass
+ rule: deny-default-service-accounts
+- kind: Pod
+ policy: deny-default-service-accounts
+ resources:
+ - badpod01
+ result: fail
+ rule: deny-default-service-accounts
+- kind: Pod
+ policy: deny-default-service-accounts
+ resources:
+ - badpod02
+ result: fail
+ rule: deny-default-service-accounts
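Review bot: testpod.yaml is not referenced by any step in chainsaw-test.yaml, which applies only goodpod.yaml and badpod.yaml, so this fixture is dead as of this patch and also reuses the Pod name `goodpod01` already defined in goodpod.yaml. Either remove the file or wire it into a step so it exercises something; an unused fixture tends to drift from the policy it was meant to test. This is inferred from the step list visible in this series; if a later commit references it, disregard.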
diff --git a/other/deny-default-service-accounts/.kyverno-test/policy.yaml b/other/deny-default-service-accounts/.kyverno-test/policy.yaml
new file mode 100644
index 000000000..b82a139cd
--- /dev/null
+++ b/other/deny-default-service-accounts/.kyverno-test/policy.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-default-service-accounts
+ annotations:
+ policies.kyverno.io/title: Deny using default service accounts
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/minversion: 1.10.0
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/description: >-
+ For an enhnaced security posture, it is recommended to use specific service accounts
+ and not the default service accounts. These service accounts provide an identity for
+ processes that run in individual Pods and map them to a ServiceAccount object.
+ This policy flags the Pods that use any default service accounts.
+spec:
+ validationFailureAction: audit
+ background: false
+ rules:
+ - name: deny-default-service-accounts
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Default service accounts are not allowed to be used."
+ pattern:
+ spec:
+ serviceAccountName: "!default"
diff --git a/other/deny-default-service-accounts/.kyverno-test/resources.yaml b/other/deny-default-service-accounts/.kyverno-test/resources.yaml
new file mode 100644
index 000000000..0f0c7c15a
--- /dev/null
+++ b/other/deny-default-service-accounts/.kyverno-test/resources.yaml
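Review bot: .kyverno-test/policy.yaml is a byte-identical copy of the top-level policy (both index lines show blob b82a139cd) that nothing consumes: kyverno-test.yaml lists `../deny-default-service-accounts.yaml` under `policies:`, not this file. Patches 2 and 3 in this series touch only the top-level file, so the copy already diverges from the rules actually under test. Dropping the copy removes the chance that someone later points the CLI test at stale rules.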
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01
+spec:
+ serviceAccountName: custom-service-account01
+ containers:
+ - name: goodpod01
+ image: dummyimage
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod02
+spec:
+ serviceAccountName: custom-service-account02
+ containers:
+ - name: goodpod02
+ image: dummyimage
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+spec:
+ serviceAccountName: default
+ containers:
+ - name: badpod01
+ image: dummyimage
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod02
+spec:
+ serviceAccountName: default
+ containers:
+ - name: badpod02
+ image: dummyimage
diff --git a/other/deny-default-service-accounts/artifacthub-pkg.yml b/other/deny-default-service-accounts/artifacthub-pkg.yml
new file mode 100644
index 000000000..5a1c005b6
--- /dev/null
+++ b/other/deny-default-service-accounts/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: deny-force-delete
+version: 1.0.0
+displayName: Deny using Default Service Accounts
+createdAt: "2024-08-05T10:30:02.000Z"
+description: >-
+ It is recommended to use specific service accounts and not the default service accounts. These service accounts provide an identity for that run in individual Pods and map them to a ServiceAccount object. This policy flags the Pods that use any default service accounts.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/deny-default-service-accounts//deny-default-service-accounts.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ Resources are not allowed to be deployed with default service accounts.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.28"
+ kyverno/subject: "Pod"
+digest: cdb972732797f3434f4c0fa03386167130e612a1f5fafceb6fc28e885df9dc62
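Review bot: `name: deny-force-delete` on the first added line of artifacthub-pkg.yml does not match the policy or directory name; it looks copied from another package and should read `name: deny-default-service-accounts`, otherwise the Artifact Hub entry is published under the wrong identifier. The same file pins `kyverno/kubernetesVersion: "1.28"` while the policy annotates `kyverno.io/kubernetes-version: "1.26"`; pick one value for both. The description is missing a word (`provide an identity for that run` should be `provide an identity for processes that run`, as the policy's own description has it) and the install URL contains a doubled slash before the file name. Editing this file presumably invalidates the `digest` line, which would then need regenerating with the repo's usual tooling.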
diff --git a/other/deny-default-service-accounts/deny-default-service-accounts.yaml b/other/deny-default-service-accounts/deny-default-service-accounts.yaml
new file mode 100644
index 000000000..b82a139cd
--- /dev/null
+++ b/other/deny-default-service-accounts/deny-default-service-accounts.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-default-service-accounts
+ annotations:
+ policies.kyverno.io/title: Deny using default service accounts
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/minversion: 1.10.0
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/description: >-
+ For an enhnaced security posture, it is recommended to use specific service accounts
+ and not the default service accounts. These service accounts provide an identity for
+ processes that run in individual Pods and map them to a ServiceAccount object.
+ This policy flags the Pods that use any default service accounts.
+spec:
+ validationFailureAction: audit
+ background: false
+ rules:
+ - name: deny-default-service-accounts
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Default service accounts are not allowed to be used."
+ pattern:
+ spec:
+ serviceAccountName: "!default"
From 5bd531b3d289d04a734d733348fe5d3404b22f47 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Mon, 26 Aug 2024 14:54:23 -0700 Subject: [PATCH 2/3] Update other/deny-default-service-accounts/deny-default-service-accounts.yaml Co-authored-by: Chip Zoller Signed-off-by: Jim Bugwadia
--- .../deny-default-service-accounts.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/other/deny-default-service-accounts/deny-default-service-accounts.yaml b/other/deny-default-service-accounts/deny-default-service-accounts.yaml
index b82a139cd..f5bf69738 100644
--- a/other/deny-default-service-accounts/deny-default-service-accounts.yaml
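Review bot: `validationFailureAction: audit` uses the lowercase spelling while the chainsaw step in this same series patches the policy to `Enforce`; Kyverno 1.10+ documents the capitalized `Audit`/`Enforce` values, so `validationFailureAction: Audit` keeps the policy consistent with its own test and avoids relying on the deprecated lowercase form. The description has a typo on its first line, `enhnaced` → `enhanced`, repeated in the .kyverno-test/policy.yaml copy. If I read `background: false` correctly, Pods that already exist when the policy is installed will not be reported, which is worth stating in the description so operators do not assume the audit report covers the existing workload.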
+++ b/other/deny-default-service-accounts/deny-default-service-accounts.yaml
@@ -27,4 +27,4 @@ spec:
 message: "Default service accounts are not allowed to be used."
 pattern:
 spec:
- serviceAccountName: "!default"
+ (serviceAccountName): "!default"
From 67825a174b7ae58cdf78314086211cd56a7dab46 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Mon, 26 Aug 2024 14:54:41 -0700 Subject: [PATCH 3/3] Update other/deny-default-service-accounts/deny-default-service-accounts.yaml Co-authored-by: Chip Zoller Signed-off-by: Jim Bugwadia
--- .../deny-default-service-accounts.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/other/deny-default-service-accounts/deny-default-service-accounts.yaml b/other/deny-default-service-accounts/deny-default-service-accounts.yaml
index f5bf69738..81a5ea30e 100644
--- a/other/deny-default-service-accounts/deny-default-service-accounts.yaml
+++ b/other/deny-default-service-accounts/deny-default-service-accounts.yaml
@@ -13,7 +13,7 @@ metadata:
 For an enhnaced security posture, it is recommended to use specific service accounts
 and not the default service accounts. These service accounts provide an identity for
 processes that run in individual Pods and map them to a ServiceAccount object.
- This policy flags the Pods that use any default service accounts.
+ This policy prevents use of the default service account in Pods.
 spec:
 validationFailureAction: audit
 background: false
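Review bot: Switching the key to the conditional anchor `(serviceAccountName)` changes when the rule is evaluated, not only what it checks: as I read Kyverno's anchor documentation, `(key): value` means "if the key is present with this value, apply the rest of the pattern", and here there is no rest of the pattern, whereas `=(key): value` is the documented "if the key is present, its value must match" form. Please confirm with the chainsaw step and the CLI fixtures from the first patch (badpod01/badpod02 still expect `fail`) that a Pod with `serviceAccountName: default` is rejected rather than skipped; if it is skipped, `=(serviceAccountName): "!default"` is the anchor that expresses the intent. In-cluster the ServiceAccount admission plugin has already filled in `serviceAccountName: default` for Pods that omit the field by the time the validating webhook runs, so the anchor mainly matters for `kyverno apply`/CLI runs where that defaulting does not happen, which is worth a short comment next to the line.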
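Review bot: The context line three above the rewritten sentence still reads `enhnaced`; since this commit already edits the description block, changing it to `enhanced` here avoids yet another one-line follow-up. "prevents" is only accurate once `validationFailureAction` is switched to Enforce — in the `audit` mode visible two lines below, the policy reports and admits — so a wording such as `This policy prevents use of the default service account in Pods when enforced.` keeps the description honest. The .kyverno-test/policy.yaml copy added in the first patch still carries the old wording.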