Control: PodTemplate containers should has admission capability restricted
Description
This check ensures that the container in the PodTemplate has admission capability restricted.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.pod_template_container_admission_capability_restrictedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.pod_template_container_admission_capability_restricted --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when (c -> 'securityContext' -> 'capabilities' -> 'drop' is not null) and (c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["all"]' or c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["ALL"]' or c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["NET_RAW"]') then 'ok' else 'alarm' end as status, case when (c -> 'securityContext' -> 'capabilities' -> 'drop' is not null) and (c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["all"]' or c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["ALL"]' or c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["NET_RAW"]') then c ->> 'name' || ' admission capability is restricted.' else c ->> 'name' || ' admission capability is not restricted.' end as reason, name as pod_template_namefrom kubernetes_pod_template, jsonb_array_elements(template -> 'spec' -> 'containers') as c;