Control: Seccomp profile is set to docker/default in Pod security policy
Description
In the Pod security policy, the seccomp profile should be set to docker/default. Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. It should be enabled to ensure that the workloads have restricted actions available within the container.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.pod_security_policy_default_seccomp_profile_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run kubernetes_compliance.control.pod_security_policy_default_seccomp_profile_enabled --share
SQL
This control uses a named query:
select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when annotations -> 'seccomp.security.alpha.kubernetes.io/defaultProfileName' = '"docker/default"' then 'ok'
    else 'alarm'
  end as status,
  case
    when annotations -> 'seccomp.security.alpha.kubernetes.io/defaultProfileName' = '"docker/default"' then name || ' seccompProfile enabled.'
    else name || ' seccompProfile disabled.'
  end as reason,
  coalesce(context_name, '') as context_name,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_pod_security_policy;
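The same verdict logic, re-implemented in Python over constructed PodSecurityPolicy manifests so the check can be reproduced without a Steampipe connection. This is an added example, not code from the Powerpipe mod; the manifests, names and uids are made up, and the check mirrors the named query above exactly, which means only the literal value docker/default passes and any other profile (including runtime/default) is reported as alarm.

```python
"""Evaluate PodSecurityPolicy manifests for the docker/default seccomp control."""
from typing import Any, Dict, List

# Annotation inspected by the control's named query.
SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
EXPECTED_PROFILE = "docker/default"


def evaluate_psp(psp: Dict[str, Any]) -> Dict[str, str]:
    """Return one row {'resource', 'status', 'reason'} like the SQL control.

    status is 'ok' only when the annotation exists and equals exactly
    'docker/default'. A missing annotations map, a missing key, an empty
    value or any other profile name falls into the SQL's else branch: 'alarm'.
    """
    meta = psp.get("metadata") or {}
    name = meta.get("name", "<unnamed>")
    annotations = meta.get("annotations") or {}
    profile = annotations.get(SECCOMP_ANNOTATION)
    enabled = profile == EXPECTED_PROFILE
    return {
        "resource": meta.get("uid") or name,  # SQL: coalesce(uid, path:line)
        "status": "ok" if enabled else "alarm",
        "reason": f"{name} seccompProfile {'enabled' if enabled else 'disabled'}.",
    }


def evaluate_all(psps: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Evaluate every manifest, preserving input order."""
    return [evaluate_psp(p) for p in psps]


# Constructed sample manifests (hypothetical, not from a real cluster).
SAMPLE_PSPS = [
    {"kind": "PodSecurityPolicy", "metadata": {"name": "restricted", "uid": "psp-1",
     "annotations": {SECCOMP_ANNOTATION: "docker/default"}}},
    {"kind": "PodSecurityPolicy", "metadata": {"name": "privileged", "uid": "psp-2",
     "annotations": {SECCOMP_ANNOTATION: "unconfined"}}},
    # runtime/default is alarmed too: the control compares for docker/default only.
    {"kind": "PodSecurityPolicy", "metadata": {"name": "runtime", "uid": "psp-3",
     "annotations": {SECCOMP_ANNOTATION: "runtime/default"}}},
    {"kind": "PodSecurityPolicy", "metadata": {"name": "legacy", "uid": "psp-4"}},
]

if __name__ == "__main__":
    for row in evaluate_all(SAMPLE_PSPS):
        print(f"{row['status']:5} {row['resource']:6} {row['reason']}")
```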