Control: CronJob containers should not be mapped with privilege ports
Description
Privileged ports `0 to 1024` should not be mapped with CronJob containers. Normal users and processes are not allowed to use them for various security reasons.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.cronjob_container_privilege_port_mappedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.cronjob_container_privilege_port_mapped --shareSQL
This control uses a named query:
select case when source_type = 'deployed' then c ->> 'name' else concat(path, ':', start_line) end as resource, case when p ->> 'name' is null then 'skip' when cast(p ->> 'containerPort' as integer) <= 1024 then 'alarm' else 'ok' end as status, case when p ->> 'name' is null then 'No port mapped.' when cast(p ->> 'containerPort' as integer) <= 1024 then p ->> 'name' || ' mapped with a privileged port.' else p ->> 'name' || ' not mapped with a privileged port.' end as reason, name as cronjob_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_cronjob, jsonb_array_elements(job_template -> 'spec' -> 'template' -> 'spec' -> 'containers') as c, jsonb_array_elements(c -> 'ports') as p;