turbot/kubernetes_compliance

Query: statefulset_container_argument_security_context_deny_enabled

Usage

powerpipe query kubernetes_compliance.query.statefulset_container_argument_security_context_deny_enabled

Steampipe Tables

SQL

select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when (c -> 'command') is null or not ((c -> 'command') @> '["kube-apiserver"]') then 'ok'
when (c -> 'command') @> '["kube-apiserver"]'
and ((c -> 'command') @> '["--enable-admission-plugins=PodSecurityPolicy"]' or (c -> 'command') @> '["--enable-admission-plugins=SecurityContextDeny"]') then 'ok'
else 'alarm'
end as status,
case
when (c -> 'command') is null then c ->> 'name' || ' command not defined.'
when not ((c -> 'command') @> '["kube-apiserver"]') then c ->> 'name' || ' kube-apiserver not defined.'
when (c -> 'command') @> '["kube-apiserver"]'
and (c -> 'command') @> '["--enable-admission-plugins=PodSecurityPolicy"]' then c ->> 'name' || ' has admission control plugin PodSecurityPolicy enabled.'
when (c -> 'command') @> '["kube-apiserver"]'
and (c -> 'command') @> '["--enable-admission-plugins=SecurityContextDeny"]' then c ->> 'name' || ' has admission control plugin SecurityContextDeny enabled.'
else c ->> 'name' || ' has admission control plugin PodSecurityPolicy and SecurityContextDeny disabled.'
end as reason,
name as statefulset_name
, coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
kubernetes_stateful_set,
jsonb_array_elements(template -> 'spec' -> 'containers') as c;

Controls

The query is being used by the following controls: