opa (open policy) can refer to its policy before kubernetes resources are created, deleted or updated.. but not when they are get (describe or get). How to enforce this to get request? Is this in the road map for OPA or the scope of admission controllers?
We want to block viewing of service account tokens.
Admission control in Kubernetes does NOT let you control a get. It only lets you control create, update, delete, and connect. The API docs for the validating webhook and its descendent RuleWithOperations (no handy link) don't make this clear, but the docs introducing API access state it explicitly.
To control get, you need to use authorization. To use OPA for authorization you would need the authorization webhook mode.