Possible automation for 4.1.5

[rx294]

eks-cis-cluster-baseline/controls/eks-cis-4.1.5.rb

Line 54 in 58666ba

describe 'Manual control' do

Possible automation

items =json(command:"kubectl get rolebinding,clusterrolebinding --all-namespaces -o json").params['items']

control "test" do
items.each do |i|
  next if i['subjects'].nil?
  describe "service accounts for clusterrolebinding:#{i['roleRef']['name']}" do
    subject {i['subjects'].map{|x| x['name']}}
    it { should_not include 'default'}
  end
end
end


items =json(command:"kubectl get serviceaccount -A -o json").params['items']

control "test" do
items.each do |i|
  next unless i['metadata']['name'].eql?('default')
  describe "Default service account in namespace:#{i['metadata']['namespace']}" do
    subject {i}
    its(['automountServiceAccountToken']) { should cmp 'false'}
  end
end
end

Please consider if the above model is a cleaner implementation for ur check in 4.1.6 ... although ur current version works fine ...the above might make for better reporting.

[wdower]

This makes sense, but the first block should be restricted to only check actual service account rolebinding objects:

  bindings = json(command:"kubectl get rolebinding,clusterrolebinding --all-namespaces -o json").params['items']

  bindings.each do |binding|

    subjects = binding['subjects']
    next if subjects.nil?
    sa = subjects.find { |x| x['kind'] == 'ServiceAccount'}
    next if sa.nil?

    describe "Service account for clusterrolebinding: #{binding['roleRef']['name']}" do
      subject { sa['name'] }
      it { should_not eq 'default' }
    end
  end

It still has to check a ton of objects, but fewer than if you don't filter down to only service account rolebindings.

The second block I'm fine with; I will leave 4.1.6's logic alone for now.