🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-kubernetes-compliance
Overview
4Dashboards
790Benchmarks
781Queries
2Variables
GitHub

Control: DaemonSet containers token auth file should not be configured

Description

This check ensures that the container in the DaemonSet does not have token auth file configured.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.daemonset_container_token_auth_file_not_configured

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.daemonset_container_token_auth_file_not_configured --share

SQL

This control uses a named query:

select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when (c -> 'command') is null then 'ok'
    when not (c -> 'command') @> '["kube-apiserver"]' then 'ok'
    when (c -> 'command') @> '["kube-apiserver"]'
      and (c ->> 'command' not like '%--token-auth-file%') then 'ok'
    else 'alarm'
  end as status,
  case
    when (c -> 'command') is null then ' command not defined.'
    when not (c -> 'command') @> '["kube-apiserver"]' then ' kube-apiserver not defined.'
    when (c -> 'command') @> '["kube-apiserver"]'
      and (c ->> 'command' not like '%--token-auth-file%') then  c ->> 'name' || ' token auth file not configured.'
    else c ->> 'name' || ' token auth file configured.'
  end as reason,
  name as daemonset_name
  
  , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_daemonset,
  jsonb_array_elements(template -> 'spec' -> 'containers') as c;

Tags

category = Compliance
plugin = kubernetes
service = Kubernetes/DaemonSet