🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-kubernetes-compliance
Overview
4Dashboards
790Benchmarks
781Queries
2Variables
GitHub

Control: PodTemplate containers argument anonymous auth should be disabled

Description

This check ensures that the container in the PodTemplate has anonymous auth disabled.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.pod_template_container_argument_api_server_anonymous_auth_disabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.pod_template_container_argument_api_server_anonymous_auth_disabled --share

SQL

This control uses a named query:

select
  distinct(coalesce(uid, concat(path, ':', start_line))) as resource,
  case
    when (c -> 'command') @> '["kube-apiserver"]'
      and (c -> 'command') @> '["--anonymous-auth=true"]' then 'alarm'
    else 'ok'
  end as status,
  case
    when (c -> 'command') is null then c ->> 'name' || ' command not defined.'
    when not ((c -> 'command') @> '["kube-apiserver"]') then c ->> 'name' || ' kube-apiserver not defined.'
    when (c -> 'command') @> '["kube-apiserver"]'
      and (c -> 'command') @> '["--anonymous-auth=true"]' then c ->> 'name' || ' anonymous auth enabled.'
    else c ->> 'name' || ' anonymous auth disabled.'
  end as reason,
  name as pod_template_name
  
  , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_pod_template,
  jsonb_array_elements(template -> 'spec' -> 'containers') as c;

Tags

category = Compliance
plugin = kubernetes
service = Kubernetes/PodTemplate