package builtin.kubernetes.KSV036

# Unit tests for KSV036. Each case feeds a single-container pod fixture to
# `deny` and checks whether a container that mounts the service-account token
# path (/var/run/secrets/kubernetes.io/serviceaccount) is reported when
# spec.automountServiceAccountToken is not explicitly false. The expectations
# below show that an omitted field is treated the same as `true`, and that a
# volumeMount without a mountPath is not flagged.

# Field explicitly true + token mount present: one finding with the KSV036 message.
test_protect_service_account_token_denied_with_automountServiceAccountToken {
	violations := deny with input as {
		"metadata": {"name": "nginx"},
		"kind": "pod",
		"name": "justPOod",
		"spec": {
			"containers": [{
				"image": "nginx",
				"name": "nginx",
				"volumeMounts": [{
					"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
					"name": "serviceaccount-vm",
				}],
			}],
			"automountServiceAccountToken": true,
		},
	}

	some i
	violations[i].msg == "Container of pod 'nginx' should set 'spec.automountServiceAccountToken' to false"
}

# Field omitted + token mount present: still denied (absence is not treated as opt-out).
test_protect_service_account_token_denied_without_automountServiceAccountToken {
	violations := deny with input as {
		"metadata": {"name": "nginx"},
		"kind": "pod",
		"name": "justPOod",
		"spec": {"containers": [{
			"image": "nginx",
			"name": "nginx",
			"volumeMounts": [{
				"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
				"name": "serviceaccount-vm",
			}],
		}]},
	}

	some i
	violations[i].msg == "Container of pod 'nginx' should set 'spec.automountServiceAccountToken' to false"
}

# volumeMount with no mountPath: not flagged. Note that, despite the "denied"
# in its name, this test asserts that there are zero findings.
test_protect_service_account_token_denied_without_mountPath {
	violations := deny with input as {
		"metadata": {"name": "nginx"},
		"kind": "pod",
		"name": "justPOod",
		"spec": {"containers": [{
			"image": "nginx",
			"name": "nginx",
			"volumeMounts": [{"name": "serviceaccount-vm"}],
		}]},
	}

	count(violations) == 0
}

# Field explicitly false + token mount present: compliant, zero findings.
test_protect_service_account_token_allow {
	violations := deny with input as {
		"metadata": {"name": "nginx"},
		"kind": "pod",
		"name": "jusPOod",
		"spec": {
			"containers": [{
				"image": "nginx",
				"name": "nginx",
				"volumeMounts": [{
					"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
					"name": "serviceaccount-vm",
				}],
			}],
			"automountServiceAccountToken": false,
		},
	}

	count(violations) == 0
}