Merge pull request #103 from stephenpaulger/envvar-secret-key-ref

Check env vars for secret key references
sdas/webhooks-timeout-seconds
Varsha Varadarajan 2020-12-21 14:26:40 -08:00 committed by GitHub
commit 9fb4ad9bc4
2 changed files with 87 additions and 2 deletions


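--- a/FILE-1-PATH-NOT-SHOWN
+++ b/FILE-1-PATH-NOT-SHOWN
@@ -112,7 +112,7 @@ func checkReferences(objects *kube.Objects) (map[kube.Identifier]struct{}, error
 mu.Unlock()
 }
 identifiers := envVarsSecretRefs(pod.Spec.Containers, namespace)
-identifiers = append(identifiers, checkEnvVars(pod.Spec.InitContainers, namespace)...)
+identifiers = append(identifiers, envVarsSecretRefs(pod.Spec.InitContainers, namespace)...)
 mu.Lock()
 for _, i := range identifiers {
 used[i] = empty
@@ -126,7 +126,7 @@ func checkReferences(objects *kube.Objects) (map[kube.Identifier]struct{}, error
 return used, g.Wait()
 }
-// envVarsSecretRefs checks for config map references in container environment variables
+// envVarsSecretRefs checks for secret references in container environment variables
 func envVarsSecretRefs(containers []corev1.Container, namespace string) []kube.Identifier {
 var refs []kube.Identifier
 for _, container := range containers {
@@ -135,6 +135,11 @@ func envVarsSecretRefs(containers []corev1.Container, namespace string) []kube.I
 refs = append(refs, kube.Identifier{Name: env.SecretRef.LocalObjectReference.Name, Namespace: namespace})
 }
 }
+for _, env := range container.Env {
+if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil {
+refs = append(refs, kube.Identifier{Name: env.ValueFrom.SecretKeyRef.LocalObjectReference.Name, Namespace: namespace})
+}
+}
 }
 return refs
 }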
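Review bot: The new loop over container.Env is only reached for pod.Spec.Containers and pod.Spec.InitContainers (the two calls in the first hunk), so a secret referenced solely from an env var of pod.Spec.EphemeralContainers would presumably still be reported as unused; worth confirming against the rest of checkReferences, whose body starts and ends outside these hunks, since a false "unused" finding invites deleting a secret that is still live. Ephemeral containers are a different type (corev1.EphemeralContainer, embedding EphemeralContainerCommon), so they cannot be passed to envVarsSecretRefs as-is; a small adapter or a second helper over that type would close the gap. The renamed doc comment could also name the fields it covers, e.g. `// envVarsSecretRefs returns the identifiers of secrets referenced by the containers' envFrom.secretRef and env[].valueFrom.secretKeyRef entries.`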


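--- a/FILE-2-PATH-NOT-SHOWN
+++ b/FILE-2-PATH-NOT-SHOWN
@@ -63,6 +63,21 @@ func TestUnusedSecretWarning(t *testing.T) {
 objs: secretEnvSource(),
 expected: nil,
 },
+{
+name: "environment variable value from references secret",
+objs: secretEnvVarValueFromSource(),
+expected: nil,
+},
+{
+name: "init container environment variable references secret",
+objs: initContainerSecretEnvSource(),
+expected: nil,
+},
+{
+name: "init container environment variable value from references secret",
+objs: initContainerSecretEnvVarValueFromSource(),
+expected: nil,
+},
 {
 name: "pod with image pull secrets",
 objs: imagePullSecrets(),
@@ -178,6 +193,71 @@ func secretEnvSource() *kube.Objects {
 return objs
 }
+func initContainerSecretEnvSource() *kube.Objects {
+objs := initSecret()
+objs.Pods.Items[0].Spec = corev1.PodSpec{
+InitContainers: []corev1.Container{
+{
+Name: "test-container",
+Image: "docker.io/nginx",
+EnvFrom: []corev1.EnvFromSource{
+{
+SecretRef: &corev1.SecretEnvSource{
+LocalObjectReference: corev1.LocalObjectReference{Name: "secret_foo"},
+},
+},
+},
+}},
+}
+return objs
+}
+func secretEnvVarValueFromSource() *kube.Objects {
+objs := initSecret()
+objs.Pods.Items[0].Spec = corev1.PodSpec{
+Containers: []corev1.Container{
+{
+Name: "test-container",
+Image: "docker.io/nginx",
+Env: []corev1.EnvVar{
+{
+Name: "special_env_var",
+ValueFrom: &corev1.EnvVarSource{
+SecretKeyRef: &corev1.SecretKeySelector{
+LocalObjectReference: corev1.LocalObjectReference{Name: "secret_foo"},
+},
+},
+},
+},
+},
+},
+}
+return objs
+}
+func initContainerSecretEnvVarValueFromSource() *kube.Objects {
+objs := initSecret()
+objs.Pods.Items[0].Spec = corev1.PodSpec{
+InitContainers: []corev1.Container{
+{
+Name: "test-container",
+Image: "docker.io/nginx",
+Env: []corev1.EnvVar{
+{
+Name: "special_env_var",
+ValueFrom: &corev1.EnvVarSource{
+SecretKeyRef: &corev1.SecretKeySelector{
+LocalObjectReference: corev1.LocalObjectReference{Name: "secret_foo"},
+},
+},
+},
+},
+},
+},
+}
+return objs
+}
 func imagePullSecrets() *kube.Objects {
 objs := initSecret()
 objs.Pods.Items[0].Spec = corev1.PodSpec{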
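Review bot: The three new fixtures in the second hunk (initContainerSecretEnvSource, secretEnvVarValueFromSource and initContainerSecretEnvVarValueFromSource) repeat the same container literal, differing only in whether it lands in Containers or InitContainers; extracting the secretKeyRef container into one helper keeps the fixtures readable and makes it obvious that the two valueFrom cases test the same reference shape. The new table entries all expect nil, so nothing yet exercises the nil guard added in the production hunk; a fixture whose env var has a ValueFrom with no SecretKeyRef (for example a ConfigMapKeyRef) and still expects the unused-secret warning would pin that branch. imagePullSecrets continues past the end of the hunk.
```go
// secretKeyRefContainer returns a container whose "special_env_var" is
// populated from secret_foo through valueFrom.secretKeyRef.
func secretKeyRefContainer() corev1.Container {
	return corev1.Container{
		Name:  "test-container",
		Image: "docker.io/nginx",
		Env: []corev1.EnvVar{{
			Name: "special_env_var",
			ValueFrom: &corev1.EnvVarSource{
				SecretKeyRef: &corev1.SecretKeySelector{
					LocalObjectReference: corev1.LocalObjectReference{Name: "secret_foo"},
				},
			},
		}},
	}
}

func secretEnvVarValueFromSource() *kube.Objects {
	objs := initSecret()
	objs.Pods.Items[0].Spec = corev1.PodSpec{Containers: []corev1.Container{secretKeyRefContainer()}}
	return objs
}

func initContainerSecretEnvVarValueFromSource() *kube.Objects {
	objs := initSecret()
	objs.Pods.Items[0].Spec = corev1.PodSpec{InitContainers: []corev1.Container{secretKeyRefContainer()}}
	return objs
}
// … unchanged: initContainerSecretEnvSource, imagePullSecrets …
```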