Control: Job containers argument service account lookup should be enabled
Description
This check ensures that the container in the Job has argument service account lookup enabled.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.job_container_argument_service_account_lookup_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.job_container_argument_service_account_lookup_enabled --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when (c -> 'command') is null then 'ok' when not (c -> 'command') @> '["kube-apiserver"]' then 'ok' when (c -> 'command') @> '["kube-apiserver"]' and (c -> 'command') @> '["--service-account-lookup=true"]' then 'ok' else 'alarm' end as status, case when (c -> 'command') is null then ' command not defined.' when not (c -> 'command') @> '["kube-apiserver"]' then ' kube-apiserver not defined.' when (c -> 'command') @> '["kube-apiserver"]' and (c -> 'command') @> '["--service-account-lookup=true"]' then c ->> 'name' || ' service account lookup enabled.' else c ->> 'name' || ' service account lookup disabled.' end as reason, name as job_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_job, jsonb_array_elements(template -> 'spec' -> 'containers') as c;