We need to disable logging in via service account token.
We were thinking of having a webhook for the login event and forwarding it to OPA; OPA will check if the login request uses a token. If it does, it throws an error; if it doesn't, it just continues the flow of forwarding the request to the authenticator/identity provider.
We are using openshift 3.
I'm not certain if that is possible to do with https://kubernetes.io/docs/reference/access-authn-authz/webhook/ but if you had a way to know with that request payload if it was a token then you could handle it that way.
If not, you would probably need to use something like a gateway/proxy in front of the API server to intercept requests and filter them before Kubernetes receives them at all.
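One way to tell from the webhook request payload whether the credential is a service account token, as an added example that is not from either participant: it inspects the TokenReview body the API server sends to a webhook token authenticator. The legacy service-account JWT claims (`iss` of `kubernetes/serviceaccount`, `sub` prefixed `system:serviceaccount:`) and the sample token are assumptions about the cluster's token format.

```python
import base64
import json

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample: a TokenReview like the one the API server POSTs to the
# webhook, carrying a made-up service-account JWT (signature is not real).
SAMPLE_SA_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "kubernetes/serviceaccount",
             "sub": "system:serviceaccount:myproject:builder"}),
    "fake-signature",
])
SAMPLE_REVIEW = {"apiVersion": "authentication.k8s.io/v1",
                 "kind": "TokenReview",
                 "spec": {"token": SAMPLE_SA_TOKEN}}

def jwt_claims(token):
    """Decode a JWT's claims WITHOUT verifying the signature.
    Unverified claims are only safe for deciding to reject, never to accept."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None

def is_service_account_token(token):
    claims = jwt_claims(token)
    if not claims:
        return False
    return (claims.get("sub", "").startswith("system:serviceaccount:")
            or claims.get("iss") == "kubernetes/serviceaccount")

def review_login(token_review):
    """Return ("reject", TokenReview response) for SA tokens, else
    ("forward", None) so the caller passes the request on to the IdP."""
    token = token_review.get("spec", {}).get("token", "")
    if is_service_account_token(token):
        return "reject", {"apiVersion": "authentication.k8s.io/v1",
                          "kind": "TokenReview",
                          "status": {"authenticated": False,
                                     "error": "service account token login disabled"}}
    return "forward", None
```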