
Control: Pods containers run as user should be set to 10000 or greater

Description

This check ensures that each Pod container has run as user set to 10000 or greater.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.pod_container_run_as_user_10000

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.pod_container_run_as_user_10000 --share

SQL

This control uses a named query:

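-- A container's effective UID is its own securityContext.runAsUser, falling back to the
-- pod-level securityContext.runAsUser when the container does not set one. Every container
-- is evaluated (not only the ones that set the field themselves, which let a container
-- inheriting a low pod-level UID pass unnoticed), and each pod is reduced to a single row
-- carrying the lowest effective UID and whether any container has no UID from either level.
-- The previous eight-branch CASE also had no branch for "container >= 10000 and pod >= 10000",
-- so that combination produced a NULL status; the fold below has an explicit ELSE.
-- runAsUser is an int64 in the Kubernetes API, so it is cast to bigint rather than int.
select
  coalesce(p.uid, concat(p.path, ':', p.start_line)) as resource,
  case
    -- no containers at all, or at least one container with no UID from either level
    when r.min_run_as_user is null or r.has_unset_container then 'alarm'
    -- the lowest UID any container actually runs as is what matters
    when r.min_run_as_user < 10000 then 'alarm'
    else 'ok'
  end as status,
  case
    when r.min_run_as_user is null or r.has_unset_container then p.name || ' run as user not set.'
    else p.name || ' run as user set to ' || r.min_run_as_user || '.'
  end as reason,
  p.name as pod_name,
  coalesce(p.context_name, '') as context_name,
  p.namespace,
  p.source_type,
  coalesce(p.path || ':' || p.start_line || '-' || p.end_line, '') as path
from
  kubernetes_pod as p
  -- Aggregate per pod instead of joining on uid: manifest-sourced pods have no uid, and an
  -- aggregate over zero containers still yields exactly one row (all NULLs), so every pod
  -- is reported exactly once.
  cross join lateral (
    select
      min(coalesce(
        (c -> 'securityContext' ->> 'runAsUser')::bigint,
        (p.security_context ->> 'runAsUser')::bigint
      )) as min_run_as_user,
      -- min() ignores NULLs, so track "no UID at either level" separately
      bool_or(coalesce(
        c -> 'securityContext' ->> 'runAsUser',
        p.security_context ->> 'runAsUser'
      ) is null) as has_unset_container
    from
      jsonb_array_elements(p.containers) as c
  ) as r;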

Tags