github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/advanced/protecting_pod_service_account_tokens.rego (about) 1 # METADATA 2 # title: "Protecting Pod service account tokens" 3 # description: "ensure that Pod specifications disable the secret token being mounted by setting automountServiceAccountToken: false" 4 # scope: package 5 # schemas: 6 # - input: schema["kubernetes"] 7 # related_resources: 8 # - https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller 9 # custom: 10 # id: KSV036 11 # avd_id: AVD-KSV-0036 12 # severity: MEDIUM 13 # short_code: no-auto-mount-service-token 14 # recommended_action: "Disable the mounting of service account secret token by setting automountServiceAccountToken to false" 15 # input: 16 # selector: 17 # - type: kubernetes 18 package builtin.kubernetes.KSV036 19 20 import data.lib.kubernetes 21 import data.lib.utils 22 23 mountServiceAccountToken(spec) { 24 utils.has_key(spec, "automountServiceAccountToken") 25 spec.automountServiceAccountToken == true 26 } 27 28 # if there is no automountServiceAccountToken spec, check on volumeMount in containers. Service Account token is mounted on /var/run/secrets/kubernetes.io/serviceaccount 29 mountServiceAccountToken(spec) { 30 not utils.has_key(spec, "automountServiceAccountToken") 31 "/var/run/secrets/kubernetes.io/serviceaccount" == kubernetes.containers[_].volumeMounts[_].mountPath 32 } 33 34 deny[res] { 35 mountServiceAccountToken(input.spec) 36 msg := kubernetes.format(sprintf("Container of %s '%s' should set 'spec.automountServiceAccountToken' to false", [kubernetes.kind, kubernetes.name])) 37 res := result.new(msg, input.spec) 38 }