Merge pull request #108 from varshavaradarajan/unused-secret-sa
unused secrets check - check if secret is referenced in service accountssdas/webhooks-timeout-seconds
commit
ed20e47e10
|
@ -123,6 +123,30 @@ func checkReferences(objects *kube.Objects) (map[kube.Identifier]struct{}, error
|
|||
})
|
||||
}
|
||||
|
||||
if err := g.Wait(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for _, sa := range objects.ServiceAccounts.Items {
|
||||
sa := sa
|
||||
namespace := sa.Namespace
|
||||
|
||||
g.Go(func() error {
|
||||
for _, imageSecret := range sa.ImagePullSecrets {
|
||||
mu.Lock()
|
||||
used[kube.Identifier{Name: imageSecret.Name, Namespace: namespace}] = empty
|
||||
mu.Unlock()
|
||||
}
|
||||
|
||||
for _, secret := range sa.Secrets {
|
||||
mu.Lock()
|
||||
used[kube.Identifier{Name: secret.Name, Namespace: namespace}] = empty
|
||||
mu.Unlock()
|
||||
}
|
||||
return nil
|
||||
})
|
||||
}
|
||||
|
||||
return used, g.Wait()
|
||||
}
|
||||
|
||||
|
|
|
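Review bot: `objects.ServiceAccounts.Items` is dereferenced in the new loop without a nil check, and the "no secrets" fixture had to gain `ServiceAccounts: &corev1.ServiceAccountList{}` in this same commit, which suggests a caller that leaves the list unset would panic here. Wrapping the loop in `if objects.ServiceAccounts != nil {` would avoid the panic, though secrets referenced only by a ServiceAccount would then be reported as unused. The goroutines added here never return an error and only write to the mutex-guarded `used` map, so a plain loop after the first `g.Wait()` would mark the same entries without the per-item `mu.Lock()`/`mu.Unlock()`. Both inner loops key on `sa.Namespace` and do not read the `Namespace` field of the entries in `sa.Secrets`; a comment such as `// references from a ServiceAccount are resolved in the ServiceAccount's own namespace` would make that intent explicit. The beginning of checkReferences lies outside the hunk.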
@ -50,7 +50,7 @@ func TestUnusedSecretWarning(t *testing.T) {
|
|||
}{
|
||||
{
|
||||
name: "no secrets",
|
||||
objs: &kube.Objects{Pods: &corev1.PodList{}, Secrets: &corev1.SecretList{}},
|
||||
objs: &kube.Objects{Pods: &corev1.PodList{}, Secrets: &corev1.SecretList{}, ServiceAccounts: &corev1.ServiceAccountList{}},
|
||||
expected: nil,
|
||||
},
|
||||
{
|
||||
|
@ -83,6 +83,16 @@ func TestUnusedSecretWarning(t *testing.T) {
|
|||
objs: imagePullSecrets(),
|
||||
expected: nil,
|
||||
},
|
||||
{
|
||||
name: "sa with image pull secrets",
|
||||
objs: saImagePullSecrets(),
|
||||
expected: nil,
|
||||
},
|
||||
{
|
||||
name: "sa with secrets refs",
|
||||
objs: saSecretRefs(),
|
||||
expected: nil,
|
||||
},
|
||||
{
|
||||
name: "projected volume references secret",
|
||||
objs: secretProjection(),
|
||||
|
@ -130,6 +140,14 @@ func initSecret() *kube.Objects {
|
|||
},
|
||||
},
|
||||
},
|
||||
ServiceAccounts: &corev1.ServiceAccountList{
|
||||
Items: []corev1.ServiceAccount{
|
||||
{
|
||||
TypeMeta: metav1.TypeMeta{Kind: "ServiceAccount", APIVersion: "v1"},
|
||||
ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "k8s"},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
return objs
|
||||
}
|
||||
|
@ -270,3 +288,24 @@ func imagePullSecrets() *kube.Objects {
|
|||
}
|
||||
return objs
|
||||
}
|
||||
|
||||
func saImagePullSecrets() *kube.Objects {
|
||||
objs := initSecret()
|
||||
objs.ServiceAccounts.Items[0].ImagePullSecrets = []corev1.LocalObjectReference{
|
||||
{
|
||||
Name: "secret_foo",
|
||||
},
|
||||
}
|
||||
return objs
|
||||
}
|
||||
|
||||
func saSecretRefs() *kube.Objects {
|
||||
objs := initSecret()
|
||||
objs.ServiceAccounts.Items[0].Secrets = []corev1.ObjectReference{
|
||||
{
|
||||
Name: "secret_foo",
|
||||
Namespace: "k8s",
|
||||
},
|
||||
}
|
||||
return objs
|
||||
}
|
||||
|
|
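Review bot: The two new cases, "sa with image pull secrets" and "sa with secrets refs", only assert the path where a reference suppresses the warning (`expected: nil`); nothing checks that a ServiceAccount in a different namespace from the secret leaves the warning in place. Since the new loop in checkReferences keys on the ServiceAccount's namespace, a case that sets `objs.ServiceAccounts.Items[0].Namespace` to another value and expects the unused-secret diagnostic would pin that behaviour. `saSecretRefs` also sets `Namespace: "k8s"` on the reference, a field the check does not read, so the fixture would pass with any value there; either drop it or add a comment saying it is ignored.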