{"id":"sa-enforce-mountable-secrets-annotation","text":"The annotation `kubernetes.io/enforce-mountable-secrets` must be set to `\"true\"` on a ServiceAccount to restrict which secrets a pod can mount via the SA's `secrets` list.","truth_value":"IN","source":"entries/2026/03/05/en-documentation-openshift_container_platform-417-html-security_apis-serviceacco.md","source_url":"","source_hash":"85fe6c3e60673cdd","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"sa-enforce-mountable-secrets-annotation","truth_value":"IN","reason":"premise"}]}}