Control: CronJob containers should have secrets defined as files
Description
This check ensures that the container in the CronJob has secrets defined as files.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.cronjob_container_secrets_defined_as_filesSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.cronjob_container_secrets_defined_as_files --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when env like '%valueFrom%' and env like '%secretKeyRef%' then 'alarm' else 'ok' end as status, case when env like '%valueFrom%' and env like '%secretKeyRef%' then c ->> 'name' || ' container has secrets defined.' else c ->> 'name' || ' container has no secrets defined.' end as reason, name as cronjob_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_cronjob, jsonb_array_elements(job_template -> 'spec' -> 'template' -> 'spec' -> 'containers') as c, jsonb_array_elements_text(c -> 'env') as env
union
select coalesce(uid, concat(path, ':', start_line)) as resource, case when env like '%secretRef%' then 'alarm' else 'ok' end as status, case when env like '%secretRef%' then c ->> 'name' || ' container has secrets defined.' else c ->> 'name' || ' container has no secrets defined.' end as reason, name as cronjob_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_cronjob, jsonb_array_elements(job_template -> 'spec' -> 'template' -> 'spec' -> 'containers') as c, jsonb_array_elements_text(c -> 'envFrom') as env;