Control: CronJob containers argument admission control plugin PodSecurityPolicy should be enabled
Description
This check ensures that the container in the CronJob has argument admission control plugin PodSecurityPolicy enabled.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.cronjob_container_argument_pod_security_policy_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.cronjob_container_argument_pod_security_policy_enabled --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when (c -> 'command') is null or not ((c -> 'command') @> '["kube-apiserver"]') then 'ok' when (c -> 'command') @> '["kube-apiserver"]' and (c -> 'command') @> '["--enable-admission-plugins=PodSecurityPolicy"]' then 'ok' else 'alarm' end as status, case when (c -> 'command') is null then c ->> 'name' || ' command not defined.' when not ((c -> 'command') @> '["kube-apiserver"]') then c ->> 'name' || ' kube-apiserver not defined.' when (c -> 'command') @> '["kube-apiserver"]' and (c -> 'command') @> '["--enable-admission-plugins=PodSecurityPolicy"]' then c ->> 'name' || ' has admission control plugin PodSecurityPolicy enabled.' else c ->> 'name' || ' has admission control plugin PodSecurityPolicy disabled.' end as reason, name as cronjob_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_cronjob, jsonb_array_elements(job_template -> 'spec' -> 'template' -> 'spec' -> 'containers') as c;