
Tighten unused ConfigMap and Secret audit checks#1067

Open
nadaverell wants to merge 1 commit into main from nadav/sky-1100-unused-config-precision

Conversation

@nadaverell

@nadaverell nadaverell commented Jun 30, 2026


Why

The Unused ConfigMap or Secret audit check can recommend deletion, so false positives are the dangerous failure mode. It was only crediting live Pod refs plus a narrow set of consumers, which meant valid workload-template, ServiceAccount, generated-object, and CSI/legacy volume references could be reported as orphaned.

Linear: SKY-1100

What changed

  • Treats active Deployment, StatefulSet, DaemonSet, Job, and CronJob pod templates as ConfigMap/Secret consumers.
  • Stops treating terminal Jobs and Succeeded/Failed Pods as active consumers, so completed one-off workload artifacts do not hide stale ConfigMaps/Secrets indefinitely.
  • Credits ServiceAccount imagePullSecrets when a PodSpec relies on ServiceAccount admission defaults, including the implicit default ServiceAccount.
  • Includes ephemeral-container env/envFrom refs, CSI nodePublishSecretRef, and legacy in-tree volume secret refs in the consumed-resource index.
  • Skips controller-owned ConfigMaps/Secrets for the orphan check because another resource owns their lifecycle.
  • Tightens secretInConfigMap so broad keys like auth, token, secret, and credentials require a secret-looking value. Low-information settings such as auth_mode=oidc, token_ttl=3600, credentials file paths, and Secret-name references no longer fire.

Testing

  • cd pkg && go test ./audit -run 'TestOrphanConfigMapSecret|TestSecretInConfigMap'
  • cd pkg && go test ./audit
  • go test ./internal/audit
  • make tsc
  • make test
  • make build
  • visual-test: skipped; this is backend audit precision with no UI/layout/browser behavior change.

Risk / blast radius

Blast radius is limited to audit finding precision for ConfigMap/Secret cleanup and ConfigMap-secret warnings. The direction is intentionally false-positive reduction: fewer valid resources should be labeled safe to delete.

Product tradeoff: secretInConfigMap is now more precision-biased, so very short real secrets under ambiguous keys may be missed. Terminal Jobs and completed Pods no longer suppress orphan findings; this is useful cleanup behavior, but it assumes completed workload artifacts are historical rather than active consumers. Unusual consumers outside Pod templates, Ingress TLS, ServiceAccounts, CSI, and typed volume refs may still need future coverage.
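As an added illustration of the consumed-resource index the description above talks about (example code written for this page, not the project's own pkg/audit code): the Kubernetes objects are stand-in structs and all template-bearing kinds are collapsed into one Workload type, both of which are assumptions of this example. It credits active Pods, non-terminal workload templates, ephemeral-container env refs, CSI nodePublishSecretRef and typed volume refs, and the imagePullSecrets of the ServiceAccount a PodSpec runs as (falling back to the implicit default account), then skips controller-owned objects when listing orphans.

```go
package main

// Stand-ins for the Kubernetes objects the check walks. These types are an
// assumption for this example, not the project's own types or client-go.
type EnvRef struct{ ConfigMap, Secret string }           // valueFrom / envFrom source names
type Volume struct{ ConfigMap, Secret, CSISecret string } // CSISecret = csi.nodePublishSecretRef
type Container struct{ Env []EnvRef }
type PodSpec struct {
	ServiceAccountName              string
	ImagePullSecrets                []string
	Containers, EphemeralContainers []Container // init containers would be walked the same way
	Volumes                         []Volume
}
type Pod struct {
	Namespace, Phase string // Phase: Pending, Running, Succeeded or Failed
	Spec             PodSpec
}

// Workload stands for any Deployment/StatefulSet/DaemonSet/Job/CronJob pod template; Terminal marks a finished Job.
type Workload struct {
	Namespace, Kind string
	Terminal        bool
	Template        PodSpec
}
type ServiceAccount struct {
	Namespace, Name  string
	ImagePullSecrets []string
}
type Ref struct{ Namespace, Kind, Name string }
type Object struct{ Ref; HasOwner bool } // ConfigMap or Secret under audit; HasOwner = ownerReferences set
type ConsumedIndex map[Ref]bool

func (c ConsumedIndex) add(ns, kind, name string) {
	if name != "" {
		c[Ref{ns, kind, name}] = true
	}
}

func (c ConsumedIndex) addSpec(ns string, s PodSpec, sas map[Ref]ServiceAccount) {
	for _, group := range [][]Container{s.Containers, s.EphemeralContainers} {
		for _, ct := range group {
			for _, e := range ct.Env {
				c.add(ns, "ConfigMap", e.ConfigMap)
				c.add(ns, "Secret", e.Secret)
			}
		}
	}
	for _, v := range s.Volumes {
		c.add(ns, "ConfigMap", v.ConfigMap)
		c.add(ns, "Secret", v.Secret)
		c.add(ns, "Secret", v.CSISecret)
	}
	for _, n := range s.ImagePullSecrets {
		c.add(ns, "Secret", n)
	}
	// ServiceAccount admission merges the account's imagePullSecrets into the pod; an empty name means "default".
	saName := s.ServiceAccountName
	if saName == "" {
		saName = "default"
	}
	for _, n := range sas[Ref{ns, "ServiceAccount", saName}].ImagePullSecrets {
		c.add(ns, "Secret", n)
	}
}

// BuildConsumedIndex credits every ConfigMap/Secret referenced by an active pod or a live workload template.
func BuildConsumedIndex(pods []Pod, workloads []Workload, sas []ServiceAccount) ConsumedIndex {
	byRef := map[Ref]ServiceAccount{}
	for _, sa := range sas {
		byRef[Ref{sa.Namespace, "ServiceAccount", sa.Name}] = sa
	}
	idx := ConsumedIndex{}
	for _, p := range pods {
		if p.Phase != "Succeeded" && p.Phase != "Failed" { // completed pods are history, not consumers
			idx.addSpec(p.Namespace, p.Spec, byRef)
		}
	}
	for _, w := range workloads {
		if !w.Terminal { // a finished Job no longer shields its ConfigMaps/Secrets
			idx.addSpec(w.Namespace, w.Template, byRef)
		}
	}
	return idx
}

// Orphaned lists unreferenced ConfigMaps/Secrets; controller-owned objects are skipped because their owner manages them.
func Orphaned(objs []Object, idx ConsumedIndex) []Ref {
	var out []Ref
	for _, o := range objs {
		if !o.HasOwner && !idx[o.Ref] {
			out = append(out, o.Ref)
		}
	}
	return out
}
```

With a Running pod that relies on the default ServiceAccount, a Succeeded pod, a Deployment using a CSI secret and a completed Job, only the Secrets referenced solely by the Succeeded pod and the finished Job (plus anything with no reference at all) come back as orphans, while the pull secret injected via the default account is credited.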

@nadaverell nadaverell requested a review from hisco as a code owner June 30, 2026 02:10
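A worked example of the precision-biased secretInConfigMap rule the description mentions, added here and not taken from the PR: the key lists, the 16-character floor and the value heuristics are this example's assumptions, chosen to reproduce the cases the description names (auth_mode=oidc, token_ttl=3600, a credentials file path, a Secret-name reference) while still firing on a JWT, a PEM block, a hex digest or a mixed-case API token under a broad key.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"unicode"
)

// Key lists, the length floor and the value heuristics below are this example's
// assumptions, not the project's rule. Strong keys fire on any non-empty value.
var strongKeys = regexp.MustCompile(`(?i)(^|[_.-])(password|passwd|private[_-]?key|api[_-]?key)([_.-]|$)`)

// Broad keys fire only when the value itself looks like secret material.
var broadKeys = regexp.MustCompile(`(?i)(^|[_.-])(auth|token|secret|credentials?)([_.-]|$)`)

var (
	pemLike      = regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)
	jwtLike      = regexp.MustCompile(`^eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$`)
	pathLike     = regexp.MustCompile(`^(/|\./|~/)\S+$`)
	dnsLabel     = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
	tokenCharset = regexp.MustCompile(`^[A-Za-z0-9+/=_.-]{16,}$`)
)

// nameRefLike reports whether v names another Secret (lowercase DNS label with
// a hyphen, short segments, few digits) rather than carrying secret material.
func nameRefLike(v string) bool {
	if !dnsLabel.MatchString(v) || !strings.Contains(v, "-") {
		return false
	}
	for _, seg := range strings.Split(v, "-") {
		if len(seg) > 12 {
			return false
		}
	}
	digits := 0
	for _, r := range v {
		if unicode.IsDigit(r) {
			digits++
		}
	}
	return digits*3 < len(v)
}

// charClasses counts how many of lower, upper, digit and other appear in v.
func charClasses(v string) int {
	other := func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }
	n := 0
	for _, f := range []func(rune) bool{unicode.IsLower, unicode.IsUpper, unicode.IsDigit, other} {
		if strings.IndexFunc(v, f) >= 0 {
			n++
		}
	}
	return n
}

func looksLikeSecretValue(v string) bool {
	v = strings.TrimSpace(v)
	if pemLike.MatchString(v) || jwtLike.MatchString(v) {
		return true
	}
	// Short settings (oidc, 3600), file paths and Secret-name references are
	// low-information and must not fire under a broad key.
	if len(v) < 16 || pathLike.MatchString(v) || nameRefLike(v) {
		return false
	}
	return tokenCharset.MatchString(v) && charClasses(v) >= 2
}

// SecretInConfigMap returns the ConfigMap data keys that appear to hold secret
// material, sorted so findings are stable.
func SecretInConfigMap(data map[string]string) []string {
	var hits []string
	for k, v := range data {
		switch {
		case strongKeys.MatchString(k) && strings.TrimSpace(v) != "":
			hits = append(hits, k)
		case broadKeys.MatchString(k) && looksLikeSecretValue(v):
			hits = append(hits, k)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	// Constructed sample ConfigMap data: only api_token should be reported.
	fmt.Println(SecretInConfigMap(map[string]string{
		"auth_mode":   "oidc",
		"token_ttl":   "3600",
		"credentials": "/var/run/secrets/app/creds.json",
		"tls_secret":  "app-tls-cert",
		"api_token":   "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8",
	}))
}
```

The trade-off the description states shows up directly in looksLikeSecretValue: a short real secret such as a 10-character token under a key like auth falls below the length floor and is missed, which is the cost of no longer firing on auth_mode=oidc.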

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 7f01762.

Comment thread internal/audit/runner.go
@nadaverell nadaverell force-pushed the nadav/sky-1100-unused-config-precision branch 4 times, most recently from 275427e to bf09d52 on June 30, 2026 21:44
@nadaverell nadaverell force-pushed the nadav/sky-1100-unused-config-precision branch from bf09d52 to b71e516 on July 4, 2026 14:01