turbot/steampipe-mod-kubernetes-compliance

Control: Services should not have tiller service

Description

Services should not use the Tiller service, which is not recommended because of security concerns.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.service_no_tiller_service

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.service_no_tiller_service --share

SQL

This control uses a named query:

with tiller_service as (
  select
    distinct uid
  from
    kubernetes_service
  where
    (
      select
        'tiller' ilike any (
          select
            jsonb_object_keys(tags) :: text
        )
    )
    or (
      select
        'tiller' ilike any (
          select
            jsonb_object_keys(selector) :: text
        )
    )
)
select
  coalesce(s.uid, concat(s.path, ':', s.start_line)) as resource,
  case
    when t.uid is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when t.uid is not null then name || ' using tiller service.'
    else name || ' not using tiller service.'
  end as reason,
  coalesce(context_name, '') as context_name,
  namespace,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_service as s
  left join tiller_service as t on t.uid = s.uid;
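
The matching predicate in this query can be exercised without a cluster. The following PostgreSQL statement is an added example, not part of the mod: it runs the same tiller_service CTE over constructed rows in a hypothetical sample_service relation (the uid, name, tags and selector values are all made up), with one row per matching case.

```sql
-- Added example: constructed rows, not results from a real cluster.
-- sample_service is a hypothetical stand-in for kubernetes_service,
-- reduced to the columns the predicate reads.
with sample_service (uid, name, tags, selector) as (
  values
    -- 'tiller' is a key in tags
    ('uid-1', 'svc-key-in-tags',
     '{"tiller": "true"}'::jsonb, '{"app": "web"}'::jsonb),
    -- 'Tiller' (mixed case) is a key in selector
    ('uid-2', 'svc-key-in-selector',
     '{"app": "web"}'::jsonb, '{"Tiller": "v2"}'::jsonb),
    -- 'tiller' appears only as a value, never as a key
    ('uid-3', 'svc-value-only',
     '{"app": "helm", "name": "tiller"}'::jsonb,
     '{"app": "helm", "name": "tiller"}'::jsonb),
    -- a key that merely contains 'tiller'
    ('uid-4', 'svc-key-substring',
     '{"tiller-deploy": "true"}'::jsonb, '{"app": "web"}'::jsonb),
    -- no tags and no selector
    ('uid-5', 'svc-empty', null::jsonb, null::jsonb)
),
-- Same predicate as the control's query, pointed at the sample rows.
tiller_service as (
  select
    distinct uid
  from
    sample_service
  where
    (select 'tiller' ilike any (select jsonb_object_keys(tags) :: text))
    or (select 'tiller' ilike any (select jsonb_object_keys(selector) :: text))
)
select
  s.name,
  case
    when t.uid is not null then 'alarm'
    else 'ok'
  end as status
from
  sample_service as s
  left join tiller_service as t on t.uid = s.uid
order by
  s.name;
```

jsonb_object_keys returns keys only, and each key is the right-hand (pattern) operand of ilike, so the literal 'tiller' is compared case-insensitively against whole keys. Check the statuses of the value-only and substring rows against the labelling convention used in your own clusters before relying on an 'ok' result.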
