terraform-ibm-modules/terraform-ibm-mas

Checkov: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"

Opened this issue · 1 comments

padmankosalaram commented

Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"

FAILED for resource: Job.mas-inst1-pipelines.mas-deploy-job
File: /chart/deploy-mas/mas-deploy/templates/01-deploy-mas.yaml:95-327

Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35

padmankosalaram commented

This issue can not be fixed. Please find below the reason.

The helm chart invokes the Job, which spin up a POD which in turns calls mas cli command to install MAS
The POD requires role access to perform various action on different Openshift resources to install MAS. This role access is given via the service account.

Hence it is important to have the service account mounted in this line

terraform-ibm-mas/chart/deploy-mas/templates/01-deploy-mas.yaml

Line 90 in 6ed2eda

serviceAccountName: {{ $sa_name }}