Control: Job containers argument admission control plugin PodSecurityPolicy should be enabled
Description
This check ensures that the container in the Job has argument admission control plugin PodSecurityPolicy enabled.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.job_container_argument_pod_security_policy_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.job_container_argument_pod_security_policy_enabled --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when (c -> 'command') is null or not ((c -> 'command') @> '["kube-apiserver"]') then 'ok' when (c -> 'command') @> '["kube-apiserver"]' and (c -> 'command') @> '["--enable-admission-plugins=PodSecurityPolicy"]' then 'ok' else 'alarm' end as status, case when (c -> 'command') is null then c ->> 'name' || ' command not defined.' when not ((c -> 'command') @> '["kube-apiserver"]') then c ->> 'name' || ' kube-apiserver not defined.' when (c -> 'command') @> '["kube-apiserver"]' and (c -> 'command') @> '["--enable-admission-plugins=PodSecurityPolicy"]' then c ->> 'name' || ' has admission control plugin PodSecurityPolicy enabled.' else c ->> 'name' || ' has admission control plugin PodSecurityPolicy disabled.' end as reason, name as job_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_job, jsonb_array_elements(template -> 'spec' -> 'containers') as c;