func AddMountedSecretEdges(g osgraph.Graph, podSpec *kubegraph.PodSpecNode) {
//pod specs are always contained. We'll get the toplevel container so that we can pull a namespace from it
containerNode := osgraph.GetTopLevelContainerNode(g, podSpec)
containerObj := g.GraphDescriber.Object(containerNode)
meta, err := kapi.ObjectMetaFor(containerObj.(runtime.Object))
if err != nil {
// this should never happen. it means that a podSpec is owned by a top level container that is not a runtime.Object
panic(err)
}
for _, volume := range podSpec.Volumes {
source := volume.VolumeSource
if source.Secret == nil {
continue
}
// pod secrets must be in the same namespace
syntheticSecret := &kapi.Secret{}
syntheticSecret.Namespace = meta.Namespace
syntheticSecret.Name = source.Secret.SecretName
secretNode := kubegraph.FindOrCreateSyntheticSecretNode(g, syntheticSecret)
g.AddEdge(podSpec, secretNode, MountedSecretEdgeKind)
}
}
func AddMountableSecretEdges(g osgraph.Graph, saNode *kubegraph.ServiceAccountNode) {
for _, mountableSecret := range saNode.ServiceAccount.Secrets {
syntheticSecret := &kapi.Secret{}
syntheticSecret.Namespace = saNode.ServiceAccount.Namespace
syntheticSecret.Name = mountableSecret.Name
secretNode := kubegraph.FindOrCreateSyntheticSecretNode(g, syntheticSecret)
g.AddEdge(saNode, secretNode, MountableSecretEdgeKind)
}
}
