Control: Job containers should have secrets defined as files

powerpipe control run kubernetes_compliance.control.job_container_secrets_defined_as_files

powerpipe login
powerpipe control run kubernetes_compliance.control.job_container_secrets_defined_as_files --share

select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when env like '%valueFrom%' and env like '%secretKeyRef%' then 'alarm'
    else 'ok'
  end as status,
  case
    when env like '%valueFrom%' and env like '%secretKeyRef%' then c ->> 'name' || ' container has secrets defined.'
    else c ->> 'name' || ' container has no secrets defined.'
  end as reason,
  name as job_name
  
  , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_job,
  jsonb_array_elements(template -> 'spec' -> 'containers') as c,
  jsonb_array_elements_text(c -> 'env') as env

union

select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when env like '%secretRef%' then 'alarm'
    else 'ok'
  end as status,
  case
    when env like '%secretRef%' then c ->> 'name' || ' container has secrets defined.'
    else c ->> 'name' || ' container has no secrets defined.'
  end as reason,
  name as job_name
  
  , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_job,
  jsonb_array_elements(template -> 'spec' -> 'containers') as c,
  jsonb_array_elements_text(c -> 'envFrom') as env;