Checkov: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary" #100

Open
padmankosalaram opened this issue May 8, 2024 · 1 comment
@padmankosalaram
Contributor

Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"

FAILED for resource: Job.mas-inst1-pipelines.mas-deploy-job
File: /chart/deploy-mas/mas-deploy/templates/01-deploy-mas.yaml:95-327

Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35

@padmankosalaram padmankosalaram self-assigned this May 8, 2024
@padmankosalaram
Contributor Author

This issue cannot be fixed. Please find below the reason.

The Helm chart invokes the Job, which spins up a POD, which in turn calls the mas cli command to install MAS.
The POD requires role access to perform various actions on different OpenShift resources to install MAS. This role access is given via the service account.

Hence it is important to have the service account mounted in this line:

serviceAccountName: {{ $sa_name }}
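
One way to record this decision in the manifest, as an added example that is not part of the project's chart: state the token mount explicitly and suppress CKV_K8S_38 on this one Job with Checkov's skip annotation, giving the reason. The Job name and namespace come from the finding above; the service account name, image and command are placeholders.

```yaml
# Constructed manifest for illustration, not the project's 01-deploy-mas.yaml.
apiVersion: batch/v1
kind: Job
metadata:
  name: mas-deploy-job
  namespace: mas-inst1-pipelines
  annotations:
    # Checkov Kubernetes suppression format:
    #   checkov.io/skip<N>: <check id>=<reason shown in the scan report>
    checkov.io/skip1: CKV_K8S_38=Job runs the mas cli and needs its service account token to act on cluster resources
spec:
  template:
    spec:
      # Placeholder standing in for the chart's {{ $sa_name }} value.
      serviceAccountName: example-mas-deploy-sa
      # CKV_K8S_38 looks for "false" here. Writing "true" explicitly does not
      # satisfy the check; it makes the mount a visible, reviewed decision
      # instead of an inherited default.
      automountServiceAccountToken: true
      restartPolicy: Never
      containers:
        - name: mas-deploy
          # Placeholder image and command; the real Job calls the mas cli.
          image: registry.example.com/mas-cli:placeholder
          command: ["/bin/sh", "-c", "echo 'mas cli install step goes here'"]
```

With the token mounted, the Role bound to that service account is the control that limits what the Job can do, so it should list only the resources and verbs the install needs.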
