package unused
import (
"github.com/open-kingfisher/king-inspect/check"
corev1 "k8s.io/api/core/v1"
)
// init registers this check with the global check registry when the package
// is loaded, so it runs as part of the "unused" group without further wiring.
func init() {
	var c serviceAccountCheck
	check.Register(&c)
}
// serviceAccountCheck reports ServiceAccounts that explicitly enable token
// automount or that nothing in the cluster references. It carries no state;
// all inputs come from the check.Objects passed to Run.
type serviceAccountCheck struct{}
// Name returns the unique identifier of this check; it is also the key
// check.IsEnabled consults to let individual objects opt out of it.
func (c *serviceAccountCheck) Name() string {
	const name = "unused-service-account"
	return name
}
// Groups returns the names of the check groups this check belongs to.
// It is listed only under "unused".
func (c *serviceAccountCheck) Groups() []string {
	groups := make([]string, 0, 1)
	groups = append(groups, "unused")
	return groups
}
// Description returns the user-facing description of this check. The text is
// Chinese for "check the cluster for unused ServiceAccounts" and is kept
// verbatim because it is displayed to users.
//
// NOTE(review): "没用使用" looks like a typo for "没有使用"; left unchanged
// here since it is a runtime string — fix it in a dedicated change if so.
func (c *serviceAccountCheck) Description() string {
	const description = "检查集群中没用使用的ServiceAccount"
	return description
}
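// Run executes the check over the collected cluster objects.
//
// A ServiceAccount counts as referenced when a ClusterRoleBinding, a
// RoleBinding, or a Pod refers to it. The three reference maps are consulted
// directly instead of being merged into one, so a nil map returned by any of
// the helpers cannot trigger a nil-map write (reads of a nil map are safe).
// Up to two diagnostics are emitted per account:
//   - Message[207] when automountServiceAccountToken is explicitly true;
//   - Message[206] when nothing in the cluster references the account.
//
// Accounts that opt out via check.IsEnabled get neither. summary.Total is the
// number of accounts inspected; summary.Issue and summary.Warning count
// diagnostics, not accounts, so an account hitting both conditions is counted
// twice.
//
// A secret-reference check (Message[208] via checkSecretRefs) was once sketched
// here and is still disabled; it is intentionally not revived by this version.
//
// Returns the diagnostics, the summary, and the first error from a reference
// helper — in which case the other return values must be ignored.
func (c *serviceAccountCheck) Run(objects *check.Objects) ([]check.Diagnostic, check.Summary, error) {
	crbRefs, err := check.CRBReferences(objects, "ServiceAccount")
	if err != nil {
		return nil, check.Summary{}, err
	}
	rbRefs, err := check.RBReferences(objects, "ServiceAccount")
	if err != nil {
		return nil, check.Summary{}, err
	}
	podRefs, err := check.PodSAReferences(objects)
	if err != nil {
		return nil, check.Summary{}, err
	}

	// isReferenced reports whether any binding or pod refers to id.
	isReferenced := func(id check.Identifier) bool {
		if _, ok := crbRefs[id]; ok {
			return true
		}
		if _, ok := rbRefs[id]; ok {
			return true
		}
		_, ok := podRefs[id]
		return ok
	}

	checkName := c.Name()
	items := objects.ServiceAccounts.Items
	var diagnostics []check.Diagnostic
	for i := range items {
		// Work on a per-iteration copy so each Diagnostic.Object points at its
		// own ObjectMeta rather than at a loop variable shared across
		// iterations (matters on Go < 1.22).
		sa := items[i]
		if !check.IsEnabled(checkName, &sa.ObjectMeta) {
			continue
		}
		if c.checkMounts(&sa) {
			d := newServiceAccountDiagnostic(&sa)
			d.Message = check.Message[207]
			diagnostics = append(diagnostics, d)
		}
		id := check.Identifier{Name: sa.GetName(), Namespace: sa.GetNamespace()}
		if !isReferenced(id) {
			d := newServiceAccountDiagnostic(&sa)
			d.Message = check.Message[206]
			diagnostics = append(diagnostics, d)
		}
	}

	summary := check.Summary{
		Total:   len(items),
		Issue:   len(diagnostics),
		Warning: len(diagnostics),
	}
	return diagnostics, summary, nil
}

// newServiceAccountDiagnostic builds a Warning-severity diagnostic for sa with
// the Message left for the caller to fill in. Object points into sa, so sa must
// outlive the returned diagnostic.
func newServiceAccountDiagnostic(sa *corev1.ServiceAccount) check.Diagnostic {
	return check.Diagnostic{
		Severity: check.Warning,
		Kind:     check.ServiceAccount,
		Object:   &sa.ObjectMeta,
		Owners:   sa.ObjectMeta.GetOwnerReferences(),
	}
}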
// checkMounts reports whether sa explicitly sets
// automountServiceAccountToken to true. An unset (nil) field yields false.
//
// NOTE(review): Kubernetes treats an unset field as "automount enabled", so
// accounts that merely inherit that default are not flagged here — confirm
// that reporting only explicit opt-ins is the intended scope of the check.
func (c *serviceAccountCheck) checkMounts(sa *corev1.ServiceAccount) bool {
	automount := sa.AutomountServiceAccountToken
	return automount != nil && *automount
}
//func (c *serviceAccountCheck) checkSecretRefs(sa *corev1.ServiceAccount, objects *check.Objects) (bool, string, string) {
// used, _ := check.SecretReferences(objects)
// for _, s := range sa.Secrets {
// if s.Namespace != "" {
// if _, ok := used[check.Identifier{Name: s.Name, Namespace: s.Namespace}]; !ok {
// return true, s.Name, s.Namespace
// }
// }
// }
// return false, "", ""
//}