Control: CronJob containers kube-apiserver profiling should be disabled
Description
This check ensures that the container in the CronJob has kube-apiserver profiling disabled.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.cronjob_container_argument_kube_apiserver_profiling_disabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.cronjob_container_argument_kube_apiserver_profiling_disabled --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when (c -> 'command') is null or not ((c -> 'command') @> '["kube-apiserver"]') then 'ok' when (c -> 'command') @> '["kube-apiserver"]' and (c -> 'command') @> '["--profiling=false"]' then 'ok' else 'alarm' end as status, case when (c -> 'command') is null then c ->> 'name' || ' command not defined.' when not ((c -> 'command') @> '["kube-apiserver"]') then c ->> 'name' || ' kube-apiserver not defined.' when (c -> 'command') @> '["kube-apiserver"]' and (c -> 'command') @> '["--profiling=false"]' then c ->> 'name' || ' profiling disabled.' else c ->> 'name' || ' profiling enabled.' end as reason, name as cronjob_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_cronjob, jsonb_array_elements(job_template -> 'spec' -> 'template' -> 'spec' -> 'containers') as c;