From 825e8e8d5b4ca40cf741242227ea9d8357968624 Mon Sep 17 00:00:00 2001
From: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>
Date: Sun, 23 Oct 2022 16:06:34 +0100
Subject: [PATCH] fix(kubernetes): fix in ServiceAccountTokens check (#3717)

handle edge-case of spec not a dict
---
 .../resource/k8s/ServiceAccountTokens.py | 2 ++
 .../ServiceAccountTokensUNKNOWN.yaml | 23 +++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 tests/kubernetes/checks/example_ServiceAccountTokens/ServiceAccountTokensUNKNOWN.yaml

diff --git a/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py b/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py
index b83e21bd77f..f9db1f348e6 100644
--- a/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py
+++ b/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py
@@ -51,6 +51,8 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult:
 
         # Collect results
         if spec:
+            if not isinstance(spec, dict):
+                return CheckResult.UNKNOWN
             if spec.get("automountServiceAccountToken") is False:
                 return CheckResult.PASSED
         return CheckResult.FAILED
diff --git a/tests/kubernetes/checks/example_ServiceAccountTokens/ServiceAccountTokensUNKNOWN.yaml b/tests/kubernetes/checks/example_ServiceAccountTokens/ServiceAccountTokensUNKNOWN.yaml
new file mode 100644
index 00000000000..7482d46cf27
--- /dev/null
+++ b/tests/kubernetes/checks/example_ServiceAccountTokens/ServiceAccountTokensUNKNOWN.yaml
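Review bot: The new `isinstance` guard returns `CheckResult.UNKNOWN` for a non-mapping `spec` without recording why that outcome was chosen over FAILED; if UNKNOWN results are not surfaced as findings, which is the usual meaning of that result type, a manifest whose pod spec is malformed quietly drops out of the report, so the reasoning deserves a line of its own. I would add above the new check: `# spec is not a mapping: the manifest is malformed and there is nothing to evaluate, so report UNKNOWN rather than a false FAILED`. Note also that the guard sits inside `if spec:`, so a falsy non-dict value such as an empty list or empty string still falls through to `return CheckResult.FAILED`; that is consistent with treating a missing spec as failing, but it is an asymmetry worth a comment or a second fixture if intended. `scan_spec_conf` begins before this hunk, so how `spec` is derived from `conf` is not visible here.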
@@ -0,0 +1,23 @@
+apiVersion: apps/v1 #we know that all the communication in k8s happen through api.
+#what we want to create
+#inside kind you need to define type of api you want to execute.
+kind: Deployment #pod#service
+metadata: #using metada and name we define the name of deployment
+  name: myapp-deployment #a deployment name myapp-deployment is created using .metadata.name field
+  labels:
+    app: myapp
+spec: #inside your deployment we need to provide spec how this deployment api will launch your pod
+  replicas: 3 #it will create three pod
+  selector: #the .spec.selector file define ho the deployment find which pod to manage.
+    matchLabels: #.spec.selector.matchlabel it is euqivalent to map ke,value. something called as match expression
+      app: myapp
+  template: #container template deploy in three pod
+    metadata:
+      name: myapp-pod #using metadata name
+      labels:
+        app: myapp #this label should match with pod label.
+    spec: #we define container spec
+      - name: myapp-container
+        image: nginx
+        ports:
+          - containerPort: 80
\ No newline at end of file
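Review bot: The fixture never states what makes it the UNKNOWN case: the pod template's `spec:` is a sequence (`- name: myapp-container`) instead of a mapping with `containers:`, and the copied tutorial comments (`#pod#service`, `#it will create three pod`) say nothing about that, so a later maintainer may "fix" the manifest and silently retire the regression test. I would drop those comments and put one line at the top of the file: `# Deliberately malformed: the pod template spec is a list, not a mapping; the check must return UNKNOWN instead of raising`. The file also ends without a trailing newline.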