PaloAltoNetworks / rbac-police

Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego
https://www.paloaltonetworks.com/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms
MIT License

Don't alert on `list secrets` when SA tokens aren't stored as secrets #3

Closed yuvalavra closed 2 years ago

yuvalavra commented 2 years ago

With KEP-2799: Reduction of Secret-based Service Account Tokens, starting from 1.24, k8s won't automatically store serviceAccount tokens as secrets. In the future with LegacyServiceAccountTokenCleanUp, SA token secrets that were previously generated will be automatically deleted.

rbac-police should identify when SA tokens aren't stored as secrets and drop violations from retrieve_secrets.rego.
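One way to implement the check the issue asks for, as an added example that is not rbac-police's own code or policy: decide whether `list secrets` can actually yield a service-account token, and drop `retrieve_secrets` findings only when it cannot. The cluster snapshot shape (a `gitVersion` string plus Secret objects with `metadata` and `type`) and the violation records are constructed for the example; `list_pods` is a hypothetical policy name used only to show that other findings survive the filter.

```python
"""Suppress `list secrets` findings when no service-account token lives in a Secret.

Added example, not part of rbac-police. Assumes a cluster snapshot shaped like
`kubectl version -o json` (gitVersion) and `kubectl get secrets -A -o json` (items),
both constructed inline below.
"""
from __future__ import annotations

import re
from typing import Iterable

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
# KEP-2799: from 1.24 the control plane no longer auto-creates a token Secret per SA.
AUTO_TOKEN_SECRETS_REMOVED_IN = (1, 24)


def parse_minor(git_version: str) -> tuple[int, int]:
    """'v1.24.3-gke.100' -> (1, 24); vendor suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError(f"unparseable server version: {git_version!r}")
    return int(m.group(1)), int(m.group(2))


def sa_token_secrets(secrets: Iterable[dict]) -> list[str]:
    """Return 'namespace/name' for every Secret that carries a service-account token.

    Covers both legacy auto-generated token Secrets (until
    LegacyServiceAccountTokenCleanUp deletes them) and ones created by hand.
    """
    found = []
    for s in secrets:
        if s.get("type") == SA_TOKEN_TYPE:
            md = s["metadata"]
            found.append(f"{md['namespace']}/{md['name']}")
    return found


def sa_tokens_in_secrets(server_version: str, secrets: Iterable[dict]) -> bool:
    """True when listing Secrets could expose a service-account token.

    Pre-1.24 clusters auto-created a token Secret for every ServiceAccount, so
    stay conservative and keep alerting. From 1.24 on, only explicitly created
    or not-yet-cleaned-up token Secrets hold tokens, so consult the inventory.
    """
    if parse_minor(server_version) < AUTO_TOKEN_SECRETS_REMOVED_IN:
        return True
    return bool(sa_token_secrets(secrets))


def filter_violations(violations: Iterable[dict], server_version: str,
                      secrets: Iterable[dict], policy: str = "retrieve_secrets") -> list[dict]:
    """Drop findings from `policy` when no SA token is retrievable via Secrets."""
    violations = list(violations)
    if sa_tokens_in_secrets(server_version, secrets):
        return violations
    return [v for v in violations if v["policy"] != policy]


# Constructed sample data for the example.
SECRETS_NEW_CLUSTER = [
    {"metadata": {"namespace": "default", "name": "db-creds"}, "type": "Opaque"},
    {"metadata": {"namespace": "kube-system", "name": "ingress-tls"}, "type": "kubernetes.io/tls"},
]
SECRETS_WITH_LEGACY_TOKEN = SECRETS_NEW_CLUSTER + [
    {"metadata": {"namespace": "kube-system", "name": "deployer-token-abc12"},
     "type": SA_TOKEN_TYPE},
]
VIOLATIONS = [
    {"policy": "retrieve_secrets", "subject": "system:serviceaccount:monitoring/prom"},
    {"policy": "list_pods", "subject": "system:serviceaccount:monitoring/prom"},  # hypothetical
]

if __name__ == "__main__":
    for label, ver, secrets in [
        ("1.23 cluster", "v1.23.6", SECRETS_NEW_CLUSTER),
        ("1.24 cluster, no token Secrets", "v1.24.0", SECRETS_NEW_CLUSTER),
        ("1.25 cluster, stale token Secret", "v1.25.1", SECRETS_WITH_LEGACY_TOKEN),
    ]:
        kept = filter_violations(VIOLATIONS, ver, secrets)
        print(f"{label}: {[v['policy'] for v in kept]}")
```

The version gate keeps the pre-1.24 behaviour unchanged; on newer clusters the decision rests on the Secret inventory, so a scanner that can only list Secrets in some namespaces would see a false "no tokens" result, and the safe default in that case is to keep the finding.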