turbot/steampipe-mod-kubernetes-compliance

Control: Pods should not refer to a non existing service account

Description

Pods should not refer to a service account which is not available.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.pod_service_account_not_exist

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.pod_service_account_not_exist --share

SQL

This control uses a named query:

-- Status is 'ok' whenever the pod sets a non-empty service_account_name;
-- the left join to kubernetes_service_account does not take part in that test.
select
  coalesce(p.uid, concat(p.path, ':', p.start_line)) as resource,
  case
    when service_account_name is not null and service_account_name <> '' then 'ok'
    else 'alarm'
  end as status,
  case
    when service_account_name is not null and service_account_name <> '' then p.name || ' refer to an existing service account.'
    else p.name || ' does not refer to an existing service account.'
  end as reason,
  p.name as pod_name,
  coalesce(p.context_name, '') as context_name,
  p.namespace,
  p.source_type,
  coalesce(p.path || ':' || p.start_line || '-' || p.end_line, '') as path
from
  kubernetes_pod p
  left join kubernetes_service_account a on p.service_account_name = a.name;
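As an added example (not part of the mod's query), the following Python script runs a namespace- and context-aware variant of the check over constructed pod and service-account rows in an in-memory SQLite database, so the alarm fires when the named service account exists only in another namespace. Column names mirror the Steampipe tables above; the sample rows are invented.

```python
import sqlite3

# Constructed sample rows (not real cluster data):
# (uid, name, namespace, context_name, service_account_name)
PODS = [
    ("p-1", "api",    "prod", "ctx-a", "builder"),   # builder exists in prod      -> ok
    ("p-2", "web",    "prod", "ctx-a", "deployer"),  # deployer exists only in dev -> alarm
    ("p-3", "job",    "dev",  "ctx-a", "ghost"),     # no such service account    -> alarm
    ("p-4", "legacy", "dev",  "ctx-a", ""),          # empty reference            -> alarm
]
# (uid, name, namespace, context_name)
SERVICE_ACCOUNTS = [
    ("sa-1", "builder",  "prod", "ctx-a"),
    ("sa-2", "deployer", "dev",  "ctx-a"),
]

# Existence is decided by whether the left join found a service account with the
# same name in the pod's own namespace and cluster context, not by the name being set.
QUERY = """
select
  p.namespace, p.name,
  case when a.uid is not null then 'ok' else 'alarm' end as status
from kubernetes_pod p
left join kubernetes_service_account a
  on a.name = p.service_account_name
 and a.namespace = p.namespace
 and a.context_name = p.context_name
order by p.uid;
"""

def evaluate(pods, service_accounts):
    """Load the constructed rows into in-memory tables and run QUERY.
    Returns {(namespace, pod_name): status}."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
      create table kubernetes_pod (
        uid text, name text, namespace text, context_name text, service_account_name text);
      create table kubernetes_service_account (
        uid text, name text, namespace text, context_name text);
    """)
    conn.executemany("insert into kubernetes_pod values (?,?,?,?,?)", pods)
    conn.executemany("insert into kubernetes_service_account values (?,?,?,?)", service_accounts)
    result = {(ns, name): status for ns, name, status in conn.execute(QUERY)}
    conn.close()
    return result

if __name__ == "__main__":
    for (ns, name), status in evaluate(PODS, SERVICE_ACCOUNTS).items():
        print(f"{ns}/{name}: {status}")
```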

Tags