terraform-ibm-modules / terraform-ibm-mas

Deploys Maximo Application Suite on an IBM Cloud OpenShift cluster.
Apache License 2.0

Checkov: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary" #100

Open padmankosalaram opened 5 months ago

padmankosalaram commented 5 months ago

Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"

FAILED for resource: Job.mas-inst1-pipelines.mas-deploy-job
File: /chart/deploy-mas/mas-deploy/templates/01-deploy-mas.yaml:95-327

Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35

padmankosalaram commented 5 months ago

This issue cannot be fixed. Please find below the reason.

The Helm chart invokes the Job, which spins up a pod, which in turn calls the mas CLI command to install MAS. The pod requires role access to perform various actions on different OpenShift resources to install MAS. This role access is given via the service account.

Hence it is important to have the service account mounted in this line https://github.com/terraform-ibm-modules/terraform-ibm-mas/blob/6ed2eda03f34bd579c33b1318aa1b935877dbe50/chart/deploy-mas/templates/01-deploy-mas.yaml#L90
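For context on what the check is actually looking at, here is an added example; it is not code from terraform-ibm-mas and not something the commenter proposed. `automountServiceAccountToken` only governs the token the kubelet mounts automatically, so a workload that does need API access can set the field to `false` and project a bound, expiring token itself at the path the in-cluster clients read by default. The manifest below is constructed as a plain dict (no YAML dependency); the names `mas-deploy-job`, `mas-deploy-sa` and the image are placeholders rather than the chart's identifiers, and `automount_check()` restates the policy's intent rather than reproducing checkov's implementation.

```python
"""Added example: not code from terraform-ibm-mas or from the issue author.

CKV_K8S_38 looks at one field, automountServiceAccountToken, which only
governs the token Kubernetes mounts automatically. A workload that needs
API access can set that field to false and project a bound token itself.
Manifests are constructed here as plain dicts (no YAML dependency); the
names "mas-deploy-job", "mas-deploy-sa" and the image are placeholders,
not the chart's, and automount_check() restates the policy's intent; it is
not checkov's implementation.
"""
import copy

# Where client-go, kubectl/oc and the other in-cluster clients look by default.
DEFAULT_TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
TEMPLATED_KINDS = {"Job", "Deployment", "StatefulSet", "DaemonSet", "ReplicaSet"}

# Constructed stand-in for a deploy Job: no automount field, so it FAILS.
JOB = {
    "apiVersion": "batch/v1",
    "kind": "Job",
    "metadata": {"name": "mas-deploy-job", "namespace": "mas-pipelines"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "mas-deploy-sa",
        "restartPolicy": "Never",
        "containers": [{"name": "mas-cli",
                        "image": "registry.example/mas-cli:placeholder",
                        "command": ["mas", "install"]}],
    }}},
}


def pod_spec(manifest):
    """Return the pod spec of a workload manifest, or None for other kinds."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in TEMPLATED_KINDS:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":  # nested one level deeper
        return (spec.get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("spec", {}))
    return None


def automount_check(manifest):
    """PASSED only when the pod spec explicitly sets the field to false.

    Kubernetes defaults it to true, so an absent field means every
    container gets the automatically mounted token.
    """
    spec = pod_spec(manifest)
    if spec is None:
        return "SKIPPED"
    return "PASSED" if spec.get("automountServiceAccountToken") is False else "FAILED"


def harden_job(manifest, audience=None, expiration_seconds=3600):
    """Copy of manifest with automount off and a projected bound token.

    The projected volume reproduces what the kubelet mounts automatically
    (token, ca.crt, namespace), but the token is bound to this pod, expires
    and is rotated by the kubelet. Leave audience=None so the API server
    accepts it; set an audience only for tokens meant for another verifier.
    """
    out = copy.deepcopy(manifest)
    spec = pod_spec(out)
    spec["automountServiceAccountToken"] = False
    token_source = {"path": "token", "expirationSeconds": expiration_seconds}
    if audience is not None:
        token_source["audience"] = audience
    spec.setdefault("volumes", []).append({
        "name": "bound-sa-token",
        "projected": {"sources": [
            {"serviceAccountToken": token_source},
            # kube-root-ca.crt exists in every namespace on current clusters.
            {"configMap": {"name": "kube-root-ca.crt",
                           "items": [{"key": "ca.crt", "path": "ca.crt"}]}},
            {"downwardAPI": {"items": [{"path": "namespace",
                                        "fieldRef": {"fieldPath": "metadata.namespace"}}]}},
        ]},
    })
    for container in spec.get("containers", []):
        container.setdefault("volumeMounts", []).append(
            {"name": "bound-sa-token", "mountPath": DEFAULT_TOKEN_DIR, "readOnly": True})
    return out


def token_mounts(manifest):
    """Paths at which each container would find an API token."""
    spec = pod_spec(manifest) or {}
    projected = {v["name"] for v in spec.get("volumes", [])
                 if any("serviceAccountToken" in s
                        for s in v.get("projected", {}).get("sources", []))}
    result = {}
    for c in spec.get("containers", []):
        paths = set()
        if spec.get("automountServiceAccountToken") is not False:
            paths.add(DEFAULT_TOKEN_DIR)
        paths.update(m["mountPath"] for m in c.get("volumeMounts", [])
                     if m["name"] in projected)
        result[c["name"]] = sorted(paths)
    return result


if __name__ == "__main__":
    for label, m in (("as written", JOB), ("hardened", harden_job(JOB))):
        print(f"{label}: {automount_check(m)}, token at {token_mounts(m)}")
```

Because the projected volume is mounted at the same directory the automatic mount would use, `oc`, the Python client and client-go pick the token up unchanged; what changes is that the token is audience-bound to the API server, expires after `expirationSeconds` (minimum 600) and is refreshed by the kubelet. The RBAC side, a dedicated ServiceAccount with a Role limited to the resources the installer touches, is the other half of the control and is not shown here.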