Possible automation
```ruby
# Every RoleBinding and ClusterRoleBinding in the cluster; one describe per binding,
# failing if any subject (of any kind) is named "default"
items = json(command: "kubectl get rolebinding,clusterrolebinding --all-namespaces -o json").params['items']
control "test" do # placeholder control id
  items.each do |i|
    next if i['subjects'].nil?
    describe "service accounts for clusterrolebinding:#{i['roleRef']['name']}" do
      subject { i['subjects'].map { |x| x['name'] } }
      it { should_not include 'default' }
    end
  end
end
```
```ruby
# Every ServiceAccount in every namespace; for each one named "default", require that
# automountServiceAccountToken is explicitly false (a missing field means the API default, true)
items = json(command: "kubectl get serviceaccount -A -o json").params['items']
control "test" do # placeholder control id
  items.each do |i|
    next unless i['metadata']['name'].eql?('default')
    describe "Default service account in namespace:#{i['metadata']['namespace']}" do
      subject { i }
      its(['automountServiceAccountToken']) { should cmp 'false' }
    end
  end
end
```
Please consider whether the above model is a cleaner implementation for your check in 4.1.6 ... although your current version works fine ... the above might make for better reporting.
This makes sense, but the first block should be restricted to only check actual service account rolebinding objects:
```ruby
bindings = json(command: "kubectl get rolebinding,clusterrolebinding --all-namespaces -o json").params['items']
bindings.each do |binding|
  subjects = binding['subjects']
  next if subjects.nil?
  # Only ServiceAccount subjects matter here; a User or Group that happens to be
  # named "default" is not the finding this check is after
  sas = subjects.select { |x| x['kind'] == 'ServiceAccount' }
  next if sas.empty?
  describe "Service accounts for #{binding['kind']}: #{binding['roleRef']['name']}" do
    subject { sas.map { |x| x['name'] } }
    it { should_not include 'default' }
  end
end
```
It still has to check a ton of objects, but fewer than if you don't filter down to only service account rolebindings.
The second block I'm fine with; I will leave 4.1.6's logic alone for now.
Referenced file: eks-cis-cluster-baseline/controls/eks-cis-4.1.5.rb, line 54 in 58666ba
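The filtering logic the two comments converge on, pulled out of InSpec into plain Ruby so it can be run against captured `kubectl ... -o json` output without a cluster. This is an added example, not code from the eks-cis-cluster-baseline profile; the sample JSON is constructed and trimmed to the fields the checks use, and the two function names are hypothetical.

```ruby
require 'json'

# Constructed sample of `kubectl get rolebinding,clusterrolebinding -A -o json`
# output (trimmed to the fields the checks use). Not real cluster output.
SAMPLE_BINDINGS = JSON.parse(<<~JSON)
  {"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
     "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "default"}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-reader", "namespace": "dev"},
     "roleRef": {"name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "dev"},
                  {"kind": "ServiceAccount", "name": "default", "namespace": "dev"}]},
    {"kind": "RoleBinding", "metadata": {"name": "empty", "namespace": "prod"},
     "roleRef": {"name": "edit"}}
  ]}
JSON

# Constructed sample of `kubectl get serviceaccount -A -o json` output.
SAMPLE_SAS = JSON.parse(<<~JSON)
  {"items": [
    {"metadata": {"name": "default", "namespace": "dev"}, "automountServiceAccountToken": false},
    {"metadata": {"name": "default", "namespace": "prod"}},
    {"metadata": {"name": "app", "namespace": "prod"}, "automountServiceAccountToken": true}
  ]}
JSON

# One "Kind/roleRef -> namespace" string per binding that grants a role to a
# ServiceAccount named "default". Bindings with no subjects are skipped, a Group
# or User named "default" is ignored, and every ServiceAccount subject is
# inspected rather than only the first one found.
def default_sa_bindings(list)
  list['items'].flat_map do |binding|
    subjects = binding['subjects'] || []
    subjects.select { |s| s['kind'] == 'ServiceAccount' && s['name'] == 'default' }
            .map { |s| "#{binding['kind']}/#{binding['roleRef']['name']} -> #{s['namespace']}" }
  end
end

# Namespaces whose "default" ServiceAccount still auto-mounts a token. A missing
# automountServiceAccountToken field means the API default (true), so it counts
# as a finding just as the InSpec `should cmp 'false'` above would fail on nil.
def default_sa_automount_namespaces(list)
  list['items'].select { |sa| sa['metadata']['name'] == 'default' }
               .reject { |sa| sa['automountServiceAccountToken'] == false }
               .map { |sa| sa['metadata']['namespace'] }
end
```

On the sample data the first function reports only the dev RoleBinding (the Group named "default" is not a ServiceAccount), and the second reports only prod, where the field is absent.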