Control: Seccomp profile is set to docker/default in CronJob definition
Description
In CronJob definition seccomp profile should be set to docker/default. Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. It should be enabled to ensure that the workloads have restricted actions available within the container.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.cronjob_default_seccomp_profile_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.cronjob_default_seccomp_profile_enabled --shareSQL
This control uses a named query:
select distinct(coalesce(uid, concat(path, ':', start_line))) as resource, case when c -> 'securityContext' -> 'seccompProfile' ->> 'type' = 'RuntimeDefault' then 'ok' else 'alarm' end as status, case when c -> 'securityContext' -> 'seccompProfile' ->> 'type' = 'RuntimeDefault' then name || ' seccompProfile enabled.' else name || ' seccompProfile disabled.' end as reason, name as cronjob_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_cronjob, jsonb_array_elements(job_template -> 'spec' -> 'template' -> 'spec' -> 'containers') as c;