Support secret detection in init containers

TODO.md

@@ -1,22 +1,14 @@
 * If the role trust policy has no :aud conditions, check anyway
 
-* Check for secrets in:
-	Env variables (including deployments etc)
-	ConfigMaps
-	Secrets
+
 
 
 * Exposed through ALBs
 
-* Support multiple output formats
 
 * Interactive prompt for cluster name or provide from environment
-* Secret types: 
-
 
 
-* IMDS
 * ALB exposed
 * VALIDATE CREDS
 * LOOK FOR NOT ONLY AWS CREDS
-* * INITI CONTAINERS AND EPHEMERAL CONTAINERS

pkg/managed-kubernetes-auditing-toolkit/eks/secrets/pod.go

@@ -8,34 +8,45 @@ import (
 func findSecretsInSinglePodDefinition(pod *v1.Pod) []*SecretInfo {
 	var secrets []*SecretInfo
 	for _, container := range pod.Spec.Containers {
-		var accessKeyInfo *SecretInfo
-		var secretKeyInfo *SecretInfo
+		secrets = append(secrets, findSecretsInContainerDefinition(pod, &container)...)
+	}
+	for _, container := range pod.Spec.InitContainers {
+		secrets = append(secrets, findSecretsInContainerDefinition(pod, &container)...)
+	}
+	return secrets
+}
 
-		for _, env := range container.Env {
-			foundCredentials := FindAwsCredentialsInUnstructuredString(env.Value)
-			if foundCredentials.AccessKey != "" {
-				accessKeyInfo = &SecretInfo{
-					Namespace: pod.Namespace,
-					Name:      fmt.Sprintf("%s (environment variable %s)", pod.Name, env.Name),
-					Type:      "Pod",
-					Value:     foundCredentials.AccessKey,
-				}
-			}
-			if foundCredentials.SecretKey != "" {
-				secretKeyInfo = &SecretInfo{
-					Namespace: pod.Namespace,
-					Name:      fmt.Sprintf("%s (environment variable %s)", pod.Name, env.Name),
-					Type:      "Pod",
-					Value:     foundCredentials.SecretKey,
-				}
+func findSecretsInContainerDefinition(pod *v1.Pod, container *v1.Container) []*SecretInfo {
+	var secrets []*SecretInfo
+
+	var accessKeyInfo *SecretInfo
+	var secretKeyInfo *SecretInfo
+
+	for _, env := range container.Env {
+		foundCredentials := FindAwsCredentialsInUnstructuredString(env.Value)
+		if foundCredentials.AccessKey != "" {
+			accessKeyInfo = &SecretInfo{
+				Namespace: pod.Namespace,
+				Name:      fmt.Sprintf("%s (environment variable %s)", pod.Name, env.Name),
+				Type:      "Pod",
+				Value:     foundCredentials.AccessKey,
 			}
-			if accessKeyInfo != nil && secretKeyInfo != nil {
-				secrets = append(secrets, accessKeyInfo, secretKeyInfo)
-				// start searching for a new set of credentials
-				accessKeyInfo = nil
-				secretKeyInfo = nil
+		}
+		if foundCredentials.SecretKey != "" {
+			secretKeyInfo = &SecretInfo{
+				Namespace: pod.Namespace,
+				Name:      fmt.Sprintf("%s (environment variable %s)", pod.Name, env.Name),
+				Type:      "Pod",
+				Value:     foundCredentials.SecretKey,
 			}
 		}
+		if accessKeyInfo != nil && secretKeyInfo != nil {
+			secrets = append(secrets, accessKeyInfo, secretKeyInfo)
+			// start searching for a new set of credentials
+			accessKeyInfo = nil
+			secretKeyInfo = nil
+		}
 	}
+
 	return secrets
 }

pkg/managed-kubernetes-auditing-toolkit/eks/secrets/pod_test.go

@@ -18,6 +18,10 @@ func podWithEnvironmentVariables(env map[string]string) *v1.Pod {
 	return &v1.Pod{Spec: v1.PodSpec{Containers: []v1.Container{{Env: makeContainerEnv(env)}}}}
 }
 
+func podWithEnvironmentVariablesInInitContainer(env map[string]string) *v1.Pod {
+	return &v1.Pod{Spec: v1.PodSpec{Containers: []v1.Container{{Name: "foo"}}, InitContainers: []v1.Container{{Name: "bar", Env: makeContainerEnv(env)}}}}
+}
+
 func TestDetectsSecretsInPods(t *testing.T) {
 	scenarios := []struct {
 		Name             string
@@ -77,6 +81,18 @@ func TestDetectsSecretsInPods(t *testing.T) {
 			}}},
 			ShouldFindSecret: false,
 		},
+		{
+			Name: "an access key and a secret key in an init container",
+			Pod: podWithEnvironmentVariablesInInitContainer(map[string]string{
+				"access": "AKIAZ3MSJV4WWNKWW5FG",
+				"secret": "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",
+			}),
+			ShouldFindSecret: true,
+			MatchedSecrets: []string{
+				"AKIAZ3MSJV4WWNKWW5FG",
+				"HP8lBRs8X50F/0nCAXqEPQ95+jlG/0pLdlNui2XF",
+			},
+		},
 	}
 
 	for _, scenario := range scenarios {