Control: Deployment containers should minimize the admission of containers with added capability
Description
Container in Deployment should minimize the admission of containers with added capability. Adding capabilities to container increases the risk of container breakout.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.deployment_container_with_added_capabilitiesSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.deployment_container_with_added_capabilities --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when c -> 'securityContext' -> 'capabilities' -> 'add' is null then 'ok' else 'alarm' end as status, case when c -> 'securityContext' -> 'capabilities' -> 'add' is null then c ->> 'name' || ' without added capability.' else c ->> 'name' || ' with added capability.' end as reason, name as deployment_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_deployment, jsonb_array_elements(template -> 'spec' -> 'containers') as c;