Control: PodTemplate containers should not have added capabilities
Description
Container in PodTemplate definition should not have added capabilities. Added capabilities can provide container processes with escalated privileges which can be used to access sensitive host resources or perform operations outside of the container.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.pod_template_container_with_added_capabilitiesSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.pod_template_container_with_added_capabilities --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when c -> 'securityContext' -> 'capabilities' -> 'add' is null then 'ok' else 'alarm' end as status, case when c -> 'securityContext' -> 'capabilities' -> 'add' is null then c ->> 'name' || ' without added capability.' else c ->> 'name' || ' with added capability.' end as reason, name as pod_template_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_pod_template, jsonb_array_elements(template -> 'spec' -> 'containers') as c;