// CheckMountedSecrets checks to be sure that all the referenced secrets are mountable (by service account) and present (not synthetic) func CheckMountedSecrets(g osgraph.Graph, dcNode *deploygraph.DeploymentConfigNode) ( /*unmountable secrets*/ []*kubegraph.SecretNode /*unresolved secrets*/, []*kubegraph.SecretNode) { podSpecs := DescendentNodesByNodeKind(g, graphview.IntSet{}, dcNode, kubegraph.PodSpecNodeKind, func(g osgraph.Interface, head, tail graph.Node, edgeKinds util.StringSet) bool { if edgeKinds.Has(osgraph.ContainsEdgeKind) { return true } return false }) if len(podSpecs) > 0 { return kubeanalysis.CheckMountedSecrets(g, podSpecs[0].(*kubegraph.PodSpecNode)) } return []*kubegraph.SecretNode{}, []*kubegraph.SecretNode{} }
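// describeBadPodSpecs inspects every PodSpec node in g and reports secret
// references that are either not mountable by the pod's service account or
// not present in the graph.
//
// out is currently unused; it is kept so existing callers keep compiling.
//
// It returns the human-readable warning lines (prefixed with a summary line
// when there is at least one finding, otherwise an empty slice) and the
// aggregated list of missing SecretNodes across all pod specs.
//
// Bug fixed: the original third switch case repeated the condition of the
// first (`unmountable && missing`), so a pod spec that only referenced
// missing secrets was silently never reported. That case now triggers on
// `len(missingSecrets) > 0` alone.
func describeBadPodSpecs(out io.Writer, g osgraph.Graph) ([]string, []*kubegraph.SecretNode) {
	allMissingSecrets := []*kubegraph.SecretNode{}
	lines := []string{}

	// secretNames renders each SecretNode as its resource string, for joining into a message.
	secretNames := func(secrets []*kubegraph.SecretNode) []string {
		names := make([]string, 0, len(secrets))
		for _, secret := range secrets {
			names = append(names, secret.ResourceString())
		}
		return names
	}

	for _, uncastPodSpec := range g.NodesByKind(kubegraph.PodSpecNodeKind) {
		podSpecNode := uncastPodSpec.(*kubegraph.PodSpecNode)
		unmountableSecrets, missingSecrets := kubeanalysis.CheckMountedSecrets(g, podSpecNode)
		allMissingSecrets = append(allMissingSecrets, missingSecrets...)

		// Prefer the resource string (kind/name) of the owning top-level object
		// when it is a ResourceNode; otherwise fall back to the graph describer's name.
		containingNode := osgraph.GetTopLevelContainerNode(g, podSpecNode)
		containingNodeName := g.GraphDescriber.Name(containingNode)
		if resourceNode, ok := containingNode.(osgraph.ResourceNode); ok {
			containingNodeName = resourceNode.ResourceString()
		}

		hasUnmountable := len(unmountableSecrets) > 0
		hasMissing := len(missingSecrets) > 0

		switch {
		case hasUnmountable && hasMissing:
			lines = append(lines, fmt.Sprintf("\t%s is not allowed to mount %s and wants to mount these missing secrets %s", containingNodeName, strings.Join(secretNames(unmountableSecrets), ","), strings.Join(secretNames(missingSecrets), ",")))
		case hasUnmountable:
			lines = append(lines, fmt.Sprintf("\t%s is not allowed to mount %s", containingNodeName, strings.Join(secretNames(unmountableSecrets), ",")))
		case hasMissing:
			// Previously unreachable: missing-only secrets were never surfaced to the user.
			lines = append(lines, fmt.Sprintf("\t%s wants to mount these missing secrets %s", containingNodeName, strings.Join(secretNames(missingSecrets), ",")))
		}
	}

	// if we had any failures, prepend the warning line
	if len(lines) > 0 {
		return append([]string{"Warning: some requested secrets are not allowed:"}, lines...), allMissingSecrets
	}
	return []string{}, allMissingSecrets
}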