turbot/kubernetes_compliance

Query: pod_container_argument_authorization_mode_no_always_allow

Usage

powerpipe query kubernetes_compliance.query.pod_container_argument_authorization_mode_no_always_allow

Steampipe Tables

SQL

with container_list as (
select
c ->> 'name' as container_name,
trim('"' from split_part(co::text, '=', 2)) as value,
p.name as pod
from
kubernetes_pod as p,
jsonb_array_elements(containers) as c,
jsonb_array_elements(c -> 'command') as co
where
(co)::text LIKE '%--authorization-mode=%'
), container_name_with_pod_name as (
select
p.name as pod_name,
p.uid as pod_uid,
p.path as path,
p.start_line as start_line,
p.end_line as end_line,
p.context_name as context_name,
p.namespace as namespace,
p.source_type as source_type,
p.tags as tags,
p._ctx as _ctx,
c.*
from
kubernetes_pod as p,
jsonb_array_elements(containers) as c
)
select
coalesce(p.pod_uid, concat(p.path, ':', p.start_line)) as resource,
case
when (p.value -> 'command') is null or not ((p.value -> 'command') @> '["kube-apiserver"]') then 'ok'
when l.container_name is not null and (p.value -> 'command') @> '["kube-apiserver"]' and ((l.value) like '%AlwaysAllow%') then 'alarm'
else 'ok'
end as status,
case
when (p.value -> 'command') is null then p.value ->> 'name' || ' command not defined.'
when not ((p.value -> 'command') @> '["kube-apiserver"]') then p.value ->> 'name' || ' kube-apiserver not defined.'
when l.container_name is not null and (p.value -> 'command') @> '["kube-apiserver"]' and ((l.value) like '%AlwaysAllow%') then p.value ->> 'name' || ' authorization mode set to always allow.'
else p.value ->> 'name' || ' authorization mode not set to always allow.'
end as reason,
p.pod_name as pod_name
, coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
container_name_with_pod_name as p
left join container_list as l on p.value ->> 'name' = l.container_name and p.pod_name = l.pod;

Controls

The query is being used by the following controls: