fix(query): k8s rule service_account_token_automount_not_disabled sho…

…uld also consider automount option in ServiceAccount (#4887)

assets/queries/k8s/service_account_token_automount_not_disabled/query.rego

@@ -1,46 +1,76 @@
 package Cx
 
-import data.generic.k8s as k8sLib
 import data.generic.common as common_lib
+import data.generic.k8s as k8sLib
 
 listKinds := ["Pod", "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "ReplicationController", "Job", "CronJob"]
 
 CxPolicy[result] {
 	document := input.document[i]
+	k8sLib.checkKind(document.kind, listKinds)
+	metadata := document.metadata
 
-	kind := document.kind
-	k8sLib.checkKind(kind, listKinds)
+	specInfo := k8sLib.getSpecInfo(document)
+	result := checkAutomount(specInfo, document, metadata)
+}
 
+CxPolicy[result] {
+	document := input.document[i]
+	k8sLib.checkKind(document.kind, listKinds)
 	metadata := document.metadata
+
 	specInfo := k8sLib.getSpecInfo(document)
 
 	not common_lib.valid_key(specInfo.spec, "automountServiceAccountToken")
 
+	serviceAccountName := object.get(specInfo.spec, "serviceAccountName", "default")
+	SAWithAutoMount := [x | res := input.document[_];
+		res.kind == "ServiceAccount";
+		res.metadata.name == serviceAccountName;
+		common_lib.valid_key(res, "automountServiceAccountToken")
+		x := res
+	]
+	count(SAWithAutoMount) == 0
+
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": document.id,
 		"searchKey": sprintf("metadata.name={{%s}}.%s", [metadata.name, specInfo.path]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'%s.automountServiceAccountToken' is false", [specInfo.path]),
-		"keyActualValue": sprintf("'%s.automountServiceAccountToken' is undefined", [specInfo.path]),
+		"keyExpectedValue": sprintf("metadata.name={{%s}}.%s.automountServiceAccountToken is defined and set to false", [metadata.name, specInfo.path]),
+		"keyActualValue": sprintf("metadata.name={{%s}}.%s.automountServiceAccountToken is undefined", [metadata.name, specInfo.path]),
 	}
 }
 
-CxPolicy[result] {
-	document := input.document[i]
+# If automountServiceAccountToken is defined at pod level, it takes precedence over a SA definition
+checkAutomount(specInfo, document, metadata) = result {
+	specInfo.spec.automountServiceAccountToken == true
 
-	kind := document.kind
-	k8sLib.checkKind(kind, listKinds)
+	result := {
+		"documentId": document.id,
+		"searchKey": sprintf("metadata.name={{%s}}.%s.automountServiceAccountToken", [metadata.name, specInfo.path]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("metadata.name={{%s}}.%s.automountServiceAccountToken is false", [metadata.name, specInfo.path]),
+		"keyActualValue": sprintf("metadata.name={{%s}}.%s.automountServiceAccountToken is true", [metadata.name, specInfo.path]),
+	}
+}
 
-	metadata := document.metadata
-	specInfo := k8sLib.getSpecInfo(document)
+checkAutomount(specInfo, document, metadata) = result {
+	not common_lib.valid_key(specInfo.spec, "automountServiceAccountToken")
+	serviceAccountName := object.get(specInfo.spec, "serviceAccountName", "default")
 
-	specInfo.spec.automountServiceAccountToken == true
+	SAWithAutoMount := [x | res := input.document[_];
+		res.kind == "ServiceAccount";
+		res.metadata.name == serviceAccountName;
+		res.automountServiceAccountToken == true;
+		x := res
+	]
+	count(SAWithAutoMount) > 0
 
 	result := {
-		"documentId": input.document[i].id,
-		"searchKey": sprintf("metadata.name={{%s}}.%s.automountServiceAccountToken", [metadata.name, specInfo.path]),
+		"documentId": SAWithAutoMount[k].id,
+		"searchKey": sprintf("metadata.name={{%s}}.automountServiceAccountToken", [SAWithAutoMount[k].metadata.name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'%s.automountServiceAccountToken' is false", [specInfo.path]),
-		"keyActualValue": sprintf("'%s.automountServiceAccountToken' is true", [specInfo.path]),
+		"keyExpectedValue": sprintf("metadata.name={{%s}}.automountServiceAccountToken is false", [SAWithAutoMount[k].metadata.name]),
+		"keyActualValue": sprintf("metadata.name={{%s}}.automountServiceAccountToken is true", [SAWithAutoMount[k].metadata.name]),
 	}
 }

assets/queries/k8s/service_account_token_automount_not_disabled/test/negative2.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: redistest-sa
+automountServiceAccountToken: false
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: demoenv
+  labels:
+    app: redis
+spec:
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:      
+      labels:
+        app: redis
+    spec:
+      serviceAccountName: redistest-sa
+      containers:
+      - name: redis
+        image: redis:latest

assets/queries/k8s/service_account_token_automount_not_disabled/test/positive2.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: redistest-sa
+automountServiceAccountToken: true
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: demoenv
+  labels:
+    app: redis
+spec:
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:      
+      labels:
+        app: redis
+    spec:
+      serviceAccountName: redistest-sa
+      containers:
+      - name: redis
+        image: redis:latest

assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json

@@ -2,11 +2,19 @@
 	{
 		"queryName": "Service Account Token Automount Not Disabled",
 		"severity": "MEDIUM",
-		"line": 5
+		"line": 5,
+    "fileName": "positive1.yaml"
   },
   {
 		"queryName": "Service Account Token Automount Not Disabled",
 		"severity": "MEDIUM",
-		"line": 28
+		"line": 28,
+    "fileName": "positive1.yaml"
+	},
+  {
+		"queryName": "Service Account Token Automount Not Disabled",
+		"severity": "MEDIUM",
+		"line": 5,
+    "fileName": "positive2.yaml"
 	}
 ]