diff --git a/icekube/attack_paths.py b/icekube/attack_paths.py
index 4ea5364..3e6e302 100644
--- a/icekube/attack_paths.py
+++ b/icekube/attack_paths.py
@@ -57,15 +57,9 @@ def workload_query(
 """,
 # Subject -> Secret
 "ACCESS_SECRET": "MATCH (src)-[:GRANTS_GET|GRANTS_LIST|GRANTS_WATCH]->(dest:Secret)",
- # Create SA long lived token
- # TODO: Need to account for then having permission to read secret
- # "CREATE_SA_TOKEN_VIA_SECRET": "MATCH (src)-[:GRANTS_SECRET_CREATE]->"
- # "(ns:Namespace)"
- # "<-[:WITHIN_NAMESPACE]-(dest:ServiceAccount)",
 # Generate service account token
 "GENERATE_TOKEN": "MATCH (src)-[:GRANTS_TOKEN_CREATE]->(dest:ServiceAccount)",
 # RBAC escalate verb to change a role to be more permissive
- # TODO: expand to roles for other entities
 "RBAC_ESCALATE_TO": [
 # RoleBindings
 """
@@ -78,7 +72,6 @@ def workload_query(
 WHERE (src)-[:GRANTS_PERMISSION]->(role)
 """,
 ],
- # TODO: RBAC Bind
 # Subject -> User / Group / ServiceAccount
 "GENERATE_CLIENT_CERTIFICATE": """
 MATCH (src)-[:GRANTS_CERTIFICATESIGNINGREQUESTS_CREATE]->(cluster:Cluster), (dest)
diff --git a/icekube/models/pod.py b/icekube/models/pod.py
index b01fcb1..981779c 100644
--- a/icekube/models/pod.py
+++ b/icekube/models/pod.py
@@ -172,7 +172,6 @@ def dangerous_host_path(self) -> bool:
 # Not all of these give direct node compromise, but will grant enough
 # permissions to maybe steal certificates to help with API server
 # as the node, or the like
- # TODO: account for wildcards for /home/*/.ssh/, etc
 dangerous_paths = [
 "/etc/kubernetes/admin.conf",
 "/etc/kubernetes/kubeconfig",
@@ -248,7 +247,7 @@ def relationships(
 initial: bool = True,
 ) -> List[RELATIONSHIP]:
 relationships = super().relationships()
- # TODO: Also check if mounted
+
 if self.service_account:
 relationships += [(self, "USES_ACCOUNT", self.service_account)]
 if self.node:
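Review bot: In the last hunk of icekube/models/pod.py, replacing `# TODO: Also check if mounted` with a blank line leaves the USES_ACCOUNT edge emitted for every pod that has a service_account set, with nothing in the code saying that the token mount state is not consulted; a pod whose token is not automounted then still appears in the graph as able to use that identity, so the attack-path model over-approximates silently. If checking the mount is out of scope for this commit, keep the caveat as a comment rather than dropping it, e.g. `# NOTE: emitted whenever a service account is set; whether its token is actually mounted is not checked, so this edge can over-approximate`. The blank line on its own, directly after the first statement of the body, is also an odd place for vertical whitespace and looks like a leftover from the deletion. The relationships method begins before and continues past this hunk.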