// CheckMissingMountedSecrets checks to be sure that all the referenced secrets are present (not synthetic) func CheckMissingMountedSecrets(g osgraph.Graph, podSpecNode *kubegraph.PodSpecNode) []*kubegraph.SecretNode { missingSecrets := []*kubegraph.SecretNode{} for _, uncastMountedSecretNode := range g.SuccessorNodesByNodeAndEdgeKind(podSpecNode, kubegraph.SecretNodeKind, kubeedges.MountedSecretEdgeKind) { mountedSecretNode := uncastMountedSecretNode.(*kubegraph.SecretNode) if !mountedSecretNode.Found() { missingSecrets = append(missingSecrets, mountedSecretNode) } } return missingSecrets }
// CheckForUnmountableSecrets checks to be sure that all the referenced secrets are mountable (by service account) func CheckForUnmountableSecrets(g osgraph.Graph, podSpecNode *kubegraph.PodSpecNode) []*kubegraph.SecretNode { saNodes := g.SuccessorNodesByNodeAndEdgeKind(podSpecNode, kubegraph.ServiceAccountNodeKind, kubeedges.ReferencedServiceAccountEdgeKind) saMountableSecrets := []*kubegraph.SecretNode{} if len(saNodes) > 0 { saNode := saNodes[0].(*kubegraph.ServiceAccountNode) for _, secretNode := range g.SuccessorNodesByNodeAndEdgeKind(saNode, kubegraph.SecretNodeKind, kubeedges.MountableSecretEdgeKind) { saMountableSecrets = append(saMountableSecrets, secretNode.(*kubegraph.SecretNode)) } } unmountableSecrets := []*kubegraph.SecretNode{} for _, uncastMountedSecretNode := range g.SuccessorNodesByNodeAndEdgeKind(podSpecNode, kubegraph.SecretNodeKind, kubeedges.MountedSecretEdgeKind) { mountedSecretNode := uncastMountedSecretNode.(*kubegraph.SecretNode) mountable := false for _, mountableSecretNode := range saMountableSecrets { if mountableSecretNode == mountedSecretNode { mountable = true break } } if !mountable { unmountableSecrets = append(unmountableSecrets, mountedSecretNode) continue } } return unmountableSecrets }