Update to detect image pull secrets (#124)

Co-authored-by: micnncim <[email protected]>
micnncim · Jun 13, 2022 · cd0d9c0 · cd0d9c0
1 parent 24788a0
commit cd0d9c0
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 0 deletions.
diff --git a/pkg/determiner/determiner.go b/pkg/determiner/determiner.go
@@ -291,6 +291,10 @@ func (d *determiner) detectUsedSecrets(sas []*corev1.ServiceAccount) map[string]
 
 	// Add Secrets used by Pods
 	for _, pod := range d.pods {
+		for _, imagePullSecret := range pod.Spec.ImagePullSecrets {
+			usedSecrets[imagePullSecret.Name] = struct{}{}
+		}
+
 		for _, container := range pod.Spec.Containers {
 			for _, envFrom := range container.EnvFrom {
 				if envFrom.SecretRef != nil {

diff --git a/pkg/determiner/determiner_test.go b/pkg/determiner/determiner_test.go
@@ -688,3 +688,69 @@ func Test_determiner_determineUsedPodDisruptionBudget(t *testing.T) {
 		})
 	}
 }
+func Test_determiner_determineUsedSecret(t *testing.T) {
+	const (
+		fakeSecret = "fake-secret"
+	)
+	type fields struct {
+		pods []*corev1.Pod
+	}
+	type args struct {
+		secret string
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		want   map[string]struct{}
+	}{
+		{
+			name: "secrets used in ImagePullSecret should be determined as used",
+			fields: fields{
+				pods: []*corev1.Pod{
+					{
+						Spec: corev1.PodSpec{
+							ImagePullSecrets: []corev1.LocalObjectReference{{fakeSecret}}},
+					},
+				},
+			},
+			args: args{
+				secret: fakeSecret,
+			},
+			want: map[string]struct{}{fakeSecret: {}},
+		},
+		{
+			name: "secrets used in EnvFrom should be determined as used",
+			fields: fields{
+				pods: []*corev1.Pod{{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{{
+							EnvFrom: []corev1.EnvFromSource{
+								{SecretRef: &corev1.SecretEnvSource{LocalObjectReference: corev1.LocalObjectReference{Name: fakeSecret}}},
+							},
+						}},
+					},
+				}},
+			},
+			args: args{
+				secret: fakeSecret,
+			},
+			want: map[string]struct{}{fakeSecret: {}},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			d := &determiner{
+				pods: tt.fields.pods,
+			}
+			got := d.detectUsedSecrets(nil)
+			if diff := cmp.Diff(tt.want, got); diff != "" {
+				t.Errorf("(-want +got):\n%s", diff)
+			}
+		})
+	}
+}