turbot/kubernetes_compliance

Query: cronjob_container_admission_capability_restricted

Usage

powerpipe query kubernetes_compliance.query.cronjob_container_admission_capability_restricted

Steampipe Tables

SQL

select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when (c -> 'securityContext' -> 'capabilities' -> 'drop' is not null)
and (c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["all"]'
or c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["ALL"]'
or c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["NET_RAW"]') then 'ok'
else 'alarm'
end as status,
case
when (c -> 'securityContext' -> 'capabilities' -> 'drop' is not null)
and (c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["all"]'
or c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["ALL"]'
or c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["NET_RAW"]') then c ->> 'name' || ' admission capability is restricted.'
else c ->> 'name' || ' admission capability is not restricted.'
end as reason,
name as cronjob_name
from
kubernetes_cronjob,
jsonb_array_elements(job_template -> 'spec' -> 'template' -> 'spec' -> 'containers') as c;

Controls

The query is being used by the following controls: