Status: IN
The annotation `kubernetes.io/enforce-mountable-secrets` must be set to `"true"` on a ServiceAccount to restrict which secrets a pod can mount via the SA's `secrets` list.
Source: entries/2026/03/05/en-documentation-openshift_container_platform-417-html-security_apis-serviceacco.md
JSON