Control: Replication Controller containers should minimize the admission of containers with added capability
Description
Container in Replication Controller should minimize the admission of containers with added capability. Adding capabilities to container increases the risk of container breakout.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.replication_controller_container_with_added_capabilitiesSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.replication_controller_container_with_added_capabilities --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when c -> 'securityContext' -> 'capabilities' -> 'add' is null then 'ok' else 'alarm' end as status, case when c -> 'securityContext' -> 'capabilities' -> 'add' is null then c ->> 'name' || ' without added capability.' else c ->> 'name' || ' with added capability.' end as reason, name as replication_controller_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_replication_controller, jsonb_array_elements(template -> 'spec' -> 'containers') as c;