Control: Deployment containers argument admission control plugin where either PodSecurityPolicy or SecurityContextDeny should be enabled
Description
This check ensures that the container in the Deployment has argument admission control plugin where either PodSecurityPolicy or SecurityContextDeny is enabled.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.deployment_container_argument_security_context_deny_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.deployment_container_argument_security_context_deny_enabled --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when (c -> 'command') is null or not ((c -> 'command') @> '["kube-apiserver"]') then 'ok' when (c -> 'command') @> '["kube-apiserver"]' and ((c -> 'command') @> '["--enable-admission-plugins=PodSecurityPolicy"]' or (c -> 'command') @> '["--enable-admission-plugins=SecurityContextDeny"]') then 'ok' else 'alarm' end as status, case when (c -> 'command') is null then c ->> 'name' || ' command not defined.' when not ((c -> 'command') @> '["kube-apiserver"]') then c ->> 'name' || ' kube-apiserver not defined.' when (c -> 'command') @> '["kube-apiserver"]' and (c -> 'command') @> '["--enable-admission-plugins=PodSecurityPolicy"]' then c ->> 'name' || ' has admission control plugin PodSecurityPolicy enabled.' when (c -> 'command') @> '["kube-apiserver"]' and (c -> 'command') @> '["--enable-admission-plugins=SecurityContextDeny"]' then c ->> 'name' || ' has admission control plugin SecurityContextDeny enabled.' else c ->> 'name' || ' has admission control plugin PodSecurityPolicy and SecurityContextDeny disabled.' end as reason, name as deployment_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_deployment, jsonb_array_elements(template -> 'spec' -> 'containers') as c;