Merge pull request #108 from varshavaradarajan/unused-secret-sa

unused secrets check - check if secret is referenced in service accounts
2021-01-05 12:48:20 -08:00 · 2021-01-05 12:48:20 -08:00 · ed20e47e10
parent ad20fc18c8 3c3921eadf
commit ed20e47e10
2 changed files with 64 additions and 1 deletions
--- a/checks/basic/unused_secrets.go
+++ b/checks/basic/unused_secrets.go
@ -123,6 +123,30 @@ func checkReferences(objects *kube.Objects) (map[kube.Identifier]struct{}, error
 		})
 	}

+	if err := g.Wait(); err != nil {
+		return nil, err
+	}
+
+	for _, sa := range objects.ServiceAccounts.Items {
+		sa := sa
+		namespace := sa.Namespace
+
+		g.Go(func() error {
+			for _, imageSecret := range sa.ImagePullSecrets {
+				mu.Lock()
+				used[kube.Identifier{Name: imageSecret.Name, Namespace: namespace}] = empty
+				mu.Unlock()
+			}
+
+			for _, secret := range sa.Secrets {
+				mu.Lock()
+				used[kube.Identifier{Name: secret.Name, Namespace: namespace}] = empty
+				mu.Unlock()
+			}
+			return nil
+		})
+	}
+
 	return used, g.Wait()
 }

--- a/checks/basic/unused_secrets_test.go
+++ b/checks/basic/unused_secrets_test.go
@ -50,7 +50,7 @@ func TestUnusedSecretWarning(t *testing.T) {
 	}{
 		{
 			name:     "no secrets",
-			objs:     &kube.Objects{Pods: &corev1.PodList{}, Secrets: &corev1.SecretList{}},
+			objs:     &kube.Objects{Pods: &corev1.PodList{}, Secrets: &corev1.SecretList{}, ServiceAccounts: &corev1.ServiceAccountList{}},
 			expected: nil,
 		},
 		{
@ -83,6 +83,16 @@ func TestUnusedSecretWarning(t *testing.T) {
 			objs:     imagePullSecrets(),
 			expected: nil,
 		},
+		{
+			name:     "sa with image pull secrets",
+			objs:     saImagePullSecrets(),
+			expected: nil,
+		},
+		{
+			name:     "sa with secrets refs",
+			objs:     saSecretRefs(),
+			expected: nil,
+		},
 		{
 			name:     "projected volume references secret",
 			objs:     secretProjection(),
@ -130,6 +140,14 @@ func initSecret() *kube.Objects {
 				},
 			},
 		},
+		ServiceAccounts: &corev1.ServiceAccountList{
+			Items: []corev1.ServiceAccount{
+				{
+					TypeMeta: metav1.TypeMeta{Kind: "ServiceAccount", APIVersion: "v1"},
+					ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "k8s"},
+				},
+			},
+		},
 	}
 	return objs
 }
@ -270,3 +288,24 @@ func imagePullSecrets() *kube.Objects {
 	}
 	return objs
 }
+
+func saImagePullSecrets() *kube.Objects {
+	objs := initSecret()
+	objs.ServiceAccounts.Items[0].ImagePullSecrets = []corev1.LocalObjectReference{
+		{
+			Name: "secret_foo",
+		},
+	}
+	return objs
+}
+
+func saSecretRefs() *kube.Objects {
+	objs := initSecret()
+	objs.ServiceAccounts.Items[0].Secrets = []corev1.ObjectReference{
+		{
+			Name: "secret_foo",
+			Namespace: "k8s",
+		},
+	}
+	return objs
+}