Shopify / kubeaudit

kubeaudit helps you audit your Kubernetes clusters against common security controls
MIT License

Generate automount error when naming configuration file with 3 dash (---) #591

Open sekveaja opened 4 months ago

sekveaja commented 4 months ago
ISSUE TYPE

1) We observe that naming with 3 dashes (---) or plus for the configuration name in the yaml file generates an error. For example, ---RELEASE_NAME---:

```
configurationName: acme-sys-function---RELEASE-NAME---12-34-56
```

Error: [error] AutomountServiceAccountTokenTrueAndDefaultSA Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.

2) If named with 2 dashes "--":

```
configurationName: acme-sys-function--RELEASE-NAME--12-34-56
```

No error is generated.

```
$ kubeaudit all -f ./test_manifest.yaml_2_dash
[WARNING]: kubernetes.io for override labels will soon be deprecated. Please, update them to use kubeaudit.io instead.
All checks completed. 0 high-risk vulnerabilities found
```

3) If named with 1 dash "-":

```
configurationName: acme-sys-function-RELEASE-NAME-12-34-56
```

No error is generated.

```
$ kubeaudit all -f ./test_manifest.yaml_1_dash
[WARNING]: kubernetes.io for override labels will soon be deprecated. Please, update them to use kubeaudit.io instead.
All checks completed. 0 high-risk vulnerabilities found
```

We shouldn't have a limitation when referring to a configuration file. Please advise if there is an error in the functionality of Kubeaudit.

ENVIRONMENT
STEPS TO REPRODUCE

1) Edit or vi test_manifest.yaml. Add the following contents:

```yaml
---
# Source: acms-test/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: acms-test-1
  labels:
    traf_enable: active
  annotations:
    configurationName: acme-sys-function---RELEASE-NAME---12-34-56
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
  selector:
    matchLabels:
      app.kubernetes.io/name: acms-test
  template:
    metadata:
      labels:
        acms-test/pod-type: sys-test
      annotations:
        adapt.acme.com/serviceconf_port: "8000"
        acme.com/service-id: "acme-sys-function---RELEASE-NAME---12-34-56"
```

2) Save and test:

```
kubeaudit all -f ./test_manifest.yaml
```

Expected Result:

```
---------------- Results for ---------------

apiVersion: apps/v1
kind: Deployment
metadata:
  name: acms-test-1

-- [error] AutomountServiceAccountTokenTrueAndDefaultSA
   Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.
```

3) Edit and change this line as follows, with 2 dashes:

```
configurationName: acme-sys-function--RELEASE-NAME--12-34-56
```

4) Test:

```
kubeaudit all -f ./test_manifest.yaml
```

Expected Result:

```
All checks completed. 0 high-risk vulnerabilities found
```

github-actions[bot] commented 4 months ago

Thanks for opening your first issue here! Be sure to follow the issue template!