Control: CronJob containers should not allow privilege escalation
Description
Containers in a CronJob should not allow privilege escalation. A container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.cronjob_container_privilege_escalation_disabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.cronjob_container_privilege_escalation_disabled --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when c -> 'securityContext' ->> 'allowPrivilegeEscalation' = 'false' then 'ok' else 'alarm' end as status, case when c -> 'securityContext' ->> 'allowPrivilegeEscalation' = 'false' then c ->> 'name' || ' not allowed root elevation.' else c ->> 'name' || ' allowed root elevation.' end as reason, name as cronjob_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_cronjob, jsonb_array_elements(job_template -> 'spec' -> 'template' -> 'spec' -> 'containers') as c;