turbot/steampipe-mod-kubernetes-compliance

Control: PodTemplate containers should have kubelet certificate authority configured appropriately

Description

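This check ensures that each kube-apiserver container in a PodTemplate has the kubelet certificate authority configured appropriately: its command must include the --kubelet-certificate-authority argument. Containers that define no command, or whose command does not include kube-apiserver, pass the check.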

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.pod_template_container_kubelet_certificate_authority_configured

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.pod_template_container_kubelet_certificate_authority_configured --share

SQL

This control uses a named query:

select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  -- Containers with no command, or not running kube-apiserver, are out of scope and pass.
  case
    when (c -> 'command') is null then 'ok'
    when not (c -> 'command') @> '["kube-apiserver"]' then 'ok'
    when (c -> 'command') @> '["kube-apiserver"]'
      and (c ->> 'command' like '%--kubelet-certificate-authority%') then 'ok'
    else 'alarm'
  end as status,
  case
    when (c -> 'command') is null then c ->> 'name' || ' command not defined.'
    when not (c -> 'command') @> '["kube-apiserver"]' then c ->> 'name' || ' kube-apiserver not defined.'
    when (c -> 'command') @> '["kube-apiserver"]'
      and (c ->> 'command' like '%--kubelet-certificate-authority%') then c ->> 'name' || ' kubelet certificate authority configured.'
    else c ->> 'name' || ' kubelet certificate authority not configured.'
  end as reason,
  name as pod_template_name,
  coalesce(context_name, '') as context_name,
  namespace,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_pod_template,
  -- One row per container in each PodTemplate.
  jsonb_array_elements(template -> 'spec' -> 'containers') as c;
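The status logic of the query above, applied to six constructed container specs so that each branch can be checked on plain PostgreSQL without Steampipe. This is an added example, not part of the mod; the container names, flags and file paths are made up for illustration, and the last two rows show how the query treats a flag passed through args and a binary given by absolute path.

```sql
-- Constructed container specs (not taken from the mod or from any real cluster).
with sample(c) as (
  values
    -- No command at all: first branch.
    ('{"name": "sidecar"}'::jsonb),
    -- Command present, but not kube-apiserver: second branch.
    ('{"name": "web", "command": ["nginx", "-g", "daemon off;"]}'::jsonb),
    -- kube-apiserver with the flag in command: third branch.
    ('{"name": "apiserver-ca", "command": ["kube-apiserver", "--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt"]}'::jsonb),
    -- kube-apiserver without the flag: falls through to else.
    ('{"name": "apiserver-no-ca", "command": ["kube-apiserver", "--secure-port=6443"]}'::jsonb),
    -- Flag supplied through args: the query reads only command, so this
    -- container is reported as not configured even though the flag is set.
    ('{"name": "apiserver-args", "command": ["kube-apiserver"], "args": ["--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt"]}'::jsonb),
    -- Binary given by absolute path: @> needs an array element equal to
    -- "kube-apiserver", so this container is treated as out of scope and
    -- passes without the flag being checked.
    ('{"name": "apiserver-abs-path", "command": ["/usr/local/bin/kube-apiserver", "--secure-port=6443"]}'::jsonb)
)
select
  c ->> 'name' as container,
  case
    when (c -> 'command') is null then 'ok'
    when not (c -> 'command') @> '["kube-apiserver"]' then 'ok'
    when (c -> 'command') @> '["kube-apiserver"]'
      and (c ->> 'command' like '%--kubelet-certificate-authority%') then 'ok'
    else 'alarm'
  end as status
from sample;
```

When reviewing results from the control, confirm how your manifests invoke kube-apiserver: templates that pass flags in args or start the binary by full path need a manual check of the flag.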

Tags