Restrict access to K8s secret token

The most of the containerized workloads do not need to interact with the Kubernetes API server and
they don't need to read the token that is associated with the ServiceAccount used to create the Pod.

This path can be blocked /var/run/secrets/kubernetes.io

Signed-off-by: Michal Jura <[email protected]>

Author: mjura

contrib/etc/lockc/lockc.toml

@@ -379,8 +379,10 @@ allowed_paths_access_baseline = [
 denied_paths_access_restricted = [
     "/proc/acpi",
     "/proc/sys",
+    "/var/run/secrets/kubernetes.io",
 ]
 
 denied_paths_access_baseline = [
     "/proc/acpi",
+    "/var/run/secrets/kubernetes.io",
 ]