Fixing logic
Signed-off-by: Amit Schendel <[email protected]>
amitschendel committed Nov 21, 2024
1 parent 3754ae2 commit dc7b638
Showing 3 changed files with 28 additions and 46 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -44,6 +44,7 @@ require (
k8s.io/apimachinery v0.31.1
k8s.io/client-go v0.31.1
k8s.io/kubectl v0.31.0
k8s.io/kubelet v0.31.1
k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
sigs.k8s.io/yaml v1.4.0
)
Expand Down Expand Up @@ -252,7 +253,6 @@ require (
k8s.io/cri-api v0.31.1 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20240812233141-91dab695df6f // indirect
k8s.io/kubelet v0.31.1 // indirect
oras.land/oras-go/v2 v2.4.0 // indirect
sigs.k8s.io/controller-runtime v0.19.0 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
Expand Up @@ -168,10 +168,11 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti

// Normalize the accessed path once
normalizedAccessedPath := normalizeTokenPath(openEvent.FullPath)
dirPath := filepath.Dir(normalizedAccessedPath)

// Check against whitelisted paths
for _, open := range appProfileOpenList.Opens {
if normalizedAccessedPath == normalizeTokenPath(open.Path) {
if dirPath == filepath.Dir(normalizeTokenPath(open.Path)) {
return nil
}
}
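Review bot: Comparing `filepath.Dir` results on L44 turns the whitelist from file-level into directory-level, so a profile that only ever recorded a read of `namespace` or `ca.crt` now also silences reads of `token` in the same directory; the new test cases show this is intended, but it narrows what this rule detects for the one file it exists to watch, and nothing in the code says so. Record the decision in the comment on L41, e.g. `// Whitelist at directory granularity: any file in a directory that holds a whitelisted open is allowed, so a recorded read of namespace also covers token`, and consider whether the relaxation should be limited to the known service-account token directories rather than applied to every path in the profile. The match also relies on `normalizeTokenPath` collapsing the timestamped `..YYYY_…` component that `filepath.Dir` would otherwise return as the parent (the EKS expectation on L96 depends on it); that helper is outside the hunk, so this cannot be confirmed here. Since the event paths are container paths rather than host-OS paths, `path.Dir` would make the comparison independent of the build platform, and `filepath.Dir(normalizeTokenPath(open.Path))` is recomputed for every profile entry on every event, which could be precomputed once per profile if this path is hot. ProcessEvent starts before and ends after the hunk.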
Expand Up @@ -58,70 +58,62 @@ func TestR0006UnexpectedServiceAccountTokenMount(t *testing.T) {
expectFailure: false,
},

// Basic token access tests - Kubernetes paths
// Directory level whitelist tests
{
name: "basic whitelisted kubernetes token access",
name: "access allowed when directory is whitelisted - token",
event: createTestEvent0006("test", "/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}),
profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
Path: "/run/secrets/kubernetes.io/serviceaccount/token",
Path: "/run/secrets/kubernetes.io/serviceaccount/namespace",
Flags: []string{"O_RDONLY"},
}}),
expectFailure: false,
expectFailure: false, // Should pass because directory is whitelisted
},
{
name: "unauthorized kubernetes token access",
event: createTestEvent0006("test", "/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}),
name: "access allowed when directory is whitelisted - ca.crt",
event: createTestEvent0006("test", "/run/secrets/kubernetes.io/serviceaccount/ca.crt", []string{"O_RDONLY"}),
profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
Path: "/some/other/path",
Path: "/run/secrets/kubernetes.io/serviceaccount/token",
Flags: []string{"O_RDONLY"},
}}),
expectFailure: true,
expectFailure: false, // Should pass because directory is whitelisted
},

// EKS token path tests with timestamps
// Tests with EKS paths and timestamps
{
name: "whitelisted eks token access - different timestamps",
name: "whitelisted eks token access with timestamps",
event: createTestEvent0006("test",
"/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_1111_24_34_58.850095521/token",
[]string{"O_RDONLY"}),
profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
Path: "/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_21_04_30_58.850095521/token",
Path: "/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_21_04_30_58.850095521/namespace",
Flags: []string{"O_RDONLY"},
}}),
expectFailure: false,
expectFailure: false, // Should pass because normalized directory matches
},

// Different service account path variants
{
name: "whitelisted eks token access - base path whitelist",
event: createTestEvent0006("test",
"/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_1111_24_34_58.850095521/token",
[]string{"O_RDONLY"}),
profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
Path: "/run/secrets/eks.amazonaws.com/serviceaccount/token",
Flags: []string{"O_RDONLY"},
}}),
expectFailure: false,
},
// Alternative token files tests
{
name: "whitelisted ca.crt access",
event: createTestEvent0006("test", "/run/secrets/kubernetes.io/serviceaccount/ca.crt", []string{"O_RDONLY"}),
name: "var/run path variant matches run path whitelist",
event: createTestEvent0006("test", "/var/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}),
profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
Path: "/run/secrets/kubernetes.io/serviceaccount/ca.crt",
Path: "/run/secrets/kubernetes.io/serviceaccount/namespace",
Flags: []string{"O_RDONLY"},
}}),
expectFailure: false,
expectFailure: true, // Should fail because different base path
},

// No whitelisting tests
{
name: "whitelisted namespace access",
event: createTestEvent0006("test", "/run/secrets/kubernetes.io/serviceaccount/namespace", []string{"O_RDONLY"}),
name: "unauthorized token access",
event: createTestEvent0006("test", "/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}),
profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
Path: "/run/secrets/kubernetes.io/serviceaccount/namespace",
Path: "/some/other/path",
Flags: []string{"O_RDONLY"},
}}),
expectFailure: false,
expectFailure: true,
},

// Container name mismatch tests
// Container mismatch tests
{
name: "different container name",
event: createTestEvent0006("test2", "/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}),
Expand All @@ -132,17 +124,6 @@ func TestR0006UnexpectedServiceAccountTokenMount(t *testing.T) {
expectFailure: false, // No profile for the container
},

// Alternative path formats
{
name: "var/run path variant",
event: createTestEvent0006("test", "/var/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}),
profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
Path: "/var/run/secrets/kubernetes.io/serviceaccount/token",
Flags: []string{"O_RDONLY"},
}}),
expectFailure: false,
},

// Edge cases
{
name: "no application profile",
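Review bot: The case on L115-L123 is named `var/run path variant matches run path whitelist` but asserts `expectFailure: true`, so the name states the opposite of what is checked; `name: "var/run path variant is not matched by run path whitelist",` keeps the name and the L123 comment in agreement. Removing the exact-match `/var/run` case (L150-L159) also leaves no test in which both the event and the profile use the `/var/run` prefix, so the directory comparison is now only exercised for `/run`; re-adding that case under the new directory semantics would keep that path form covered. On many Linux hosts `/var/run` is a symlink to `/run`, so which prefix an access is recorded under may depend on how the file was opened; the L123 expectation pins `/var/run` as unauthorized even when the equivalent `/run` directory is whitelisted, which deserves a comment on that case such as `// /var/run and /run are deliberately treated as distinct prefixes; no symlink resolution is done`. TestR0006UnexpectedServiceAccountTokenMount starts before and ends after the hunks shown.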
