From 3c3921eadfca74e07ea02fbd90d9830d4eca59f7 Mon Sep 17 00:00:00 2001
From: Varsha Varadarajan
Date: Mon, 21 Dec 2020 14:57:58 -0800
Subject: [PATCH] unused secrets check - check if secret is referenced in service accounts
---
 checks/basic/unused_secrets.go | 24 +++++++++++++++++
 checks/basic/unused_secrets_test.go | 41 ++++++++++++++++++++++++++++-
 2 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/checks/basic/unused_secrets.go b/checks/basic/unused_secrets.go
index 63c5efd..7d47b51 100644
--- a/checks/basic/unused_secrets.go
+++ b/checks/basic/unused_secrets.go
@@ -123,6 +123,30 @@ func checkReferences(objects *kube.Objects) (map[kube.Identifier]struct{}, error
 })
 }
 
+ if err := g.Wait(); err != nil {
+ return nil, err
+ }
+
+ for _, sa := range objects.ServiceAccounts.Items {
+ sa := sa
+ namespace := sa.Namespace
+
+ g.Go(func() error {
+ for _, imageSecret := range sa.ImagePullSecrets {
+ mu.Lock()
+ used[kube.Identifier{Name: imageSecret.Name, Namespace: namespace}] = empty
+ mu.Unlock()
+ }
+
+ for _, secret := range sa.Secrets {
+ mu.Lock()
+ used[kube.Identifier{Name: secret.Name, Namespace: namespace}] = empty
+ mu.Unlock()
+ }
+ return nil
+ })
+ }
+
 return used, g.Wait()
 }
 
diff --git a/checks/basic/unused_secrets_test.go b/checks/basic/unused_secrets_test.go
index 335ed57..2eda802 100644
--- a/checks/basic/unused_secrets_test.go
+++ b/checks/basic/unused_secrets_test.go
@@ -50,7 +50,7 @@ func TestUnusedSecretWarning(t *testing.T) {
 }{
 {
 name: "no secrets",
- objs: &kube.Objects{Pods: &corev1.PodList{}, Secrets: &corev1.SecretList{}},
+ objs: &kube.Objects{Pods: &corev1.PodList{}, Secrets: &corev1.SecretList{}, ServiceAccounts: &corev1.ServiceAccountList{}},
 expected: nil,
 },
 {
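Review bot: `objects.ServiceAccounts.Items` at the top of the new loop is dereferenced without a nil check, so any caller that leaves `ServiceAccounts` unset now panics inside checkReferences; the matching test hunk had to add `ServiceAccounts: &corev1.ServiceAccountList{}` to the "no secrets" fixture, which suggests the field is not guaranteed to be populated everywhere. The goroutine per service account also buys nothing: each body only takes `mu`, writes one or two map entries and releases it, and the `g.Wait()` inserted just above already guarantees the earlier goroutines have finished, so the references can be recorded in a plain loop with no locking and the function can end with `return used, nil`. Since each entry of `sa.Secrets` is an ObjectReference carrying its own Namespace field that the code deliberately ignores in favour of `sa.Namespace`, a one-line comment such as `// SA secret refs are namespace-local; the SA's namespace is authoritative` would save the next reader a question. checkReferences starts outside the hunk, so `g`, `mu`, `used` and `empty` are assumed to be the errgroup, mutex, map and sentinel declared there.
```go
	if err := g.Wait(); err != nil {
		return nil, err
	}

	// Every goroutine launched above has returned, so used can be written without mu.
	if objects.ServiceAccounts != nil {
		for _, sa := range objects.ServiceAccounts.Items {
			// SA secret refs are namespace-local; the SA's namespace is authoritative.
			for _, imageSecret := range sa.ImagePullSecrets {
				used[kube.Identifier{Name: imageSecret.Name, Namespace: sa.Namespace}] = empty
			}
			for _, secret := range sa.Secrets {
				used[kube.Identifier{Name: secret.Name, Namespace: sa.Namespace}] = empty
			}
		}
	}

	return used, nil
```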
@@ -83,6 +83,16 @@ func TestUnusedSecretWarning(t *testing.T) {
 objs: imagePullSecrets(),
 expected: nil,
 },
+ {
+ name: "sa with image pull secrets",
+ objs: saImagePullSecrets(),
+ expected: nil,
+ },
+ {
+ name: "sa with secrets refs",
+ objs: saSecretRefs(),
+ expected: nil,
+ },
 {
 name: "projected volume references secret",
 objs: secretProjection(),
@@ -130,6 +140,14 @@ func initSecret() *kube.Objects {
 },
 },
 },
+ ServiceAccounts: &corev1.ServiceAccountList{
+ Items: []corev1.ServiceAccount{
+ {
+ TypeMeta: metav1.TypeMeta{Kind: "ServiceAccount", APIVersion: "v1"},
+ ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "k8s"},
+ },
+ },
+ },
 }
 return objs
 }
@@ -269,3 +287,24 @@ func imagePullSecrets() *kube.Objects {
 }
 return objs
 }
+
+func saImagePullSecrets() *kube.Objects {
+ objs := initSecret()
+ objs.ServiceAccounts.Items[0].ImagePullSecrets = []corev1.LocalObjectReference{
+ {
+ Name: "secret_foo",
+ },
+ }
+ return objs
+}
+
+func saSecretRefs() *kube.Objects {
+ objs := initSecret()
+ objs.ServiceAccounts.Items[0].Secrets = []corev1.ObjectReference{
+ {
+ Name: "secret_foo",
+ Namespace: "k8s",
+ },
+ }
+ return objs
+}
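Review bot: `saSecretRefs` sets `Namespace: "k8s"` on the ObjectReference, but the check under test records the reference under the service account's own namespace, so this case passes whether the implementation reads `sa.Namespace` or `secret.Namespace` and does not pin the intended behaviour. A companion fixture whose ObjectReference leaves Namespace empty (presumably the common shape of API-server-populated entries — worth confirming) or sets it to another namespace, e.g. `Namespace: "other"`, with the same `expected: nil`, would lock in that the service account's namespace is what counts. The table in the -83 hunk also has no negative case for a service account that references a different secret name, so a regression that marked every secret as used would still satisfy `expected: nil` across the new rows.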