Control: CronJob containers should not use CAP_SYS_ADMIN linux capability
Description
This check ensures that the container in the CronJob does not use CAP_SYS_ADMIN Linux capability.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.cronjob_container_sys_admin_capability_disabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.cronjob_container_sys_admin_capability_disabled --shareSQL
This control uses a named query:
select distinct(coalesce(uid, concat(path, ':', start_line))) as resource, case when c -> 'securityContext' -> 'capabilities' -> 'add' @> '["CAP_SYS_ADMIN"]' then 'alarm' else 'ok' end as status, case when c -> 'securityContext' -> 'capabilities' -> 'add' @> '["CAP_SYS_ADMIN"]' then c ->> 'name' || ' CAP_SYS_ADMIN enabled.' else c ->> 'name' || ' CAP_SYS_ADMIN disabled.' end as reason, name as cronjob_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_cronjob, jsonb_array_elements(job_template -> 'spec' -> 'template' -> 'spec' -> 'containers') as c;