🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-kubernetes-compliance
Overview
4Dashboards
790Benchmarks
781Queries
2Variables
GitHub

Control: ReplicaSet containers kubelet should only make use of strong cryptographic ciphers

Description

This check ensures that the container in the ReplicaSet has kubelet using strong cryptographic ciphers.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.replicaset_container_strong_kubelet_cryptographic_ciphers

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.replicaset_container_strong_kubelet_cryptographic_ciphers --share

SQL

This control uses a named query:

with container_list as (
  select
    c ->> 'name' as container_name,
    trim('"' from split_part(co::text, '=', 2)) as value,
    r.name as replicaset
  from
    kubernetes_replicaset as r,
    jsonb_array_elements(template -> 'spec' -> 'containers') as c,
    jsonb_array_elements_text(c -> 'command') as co
  where
    co like '%--tls-cipher-suites=%'
), container_name_with_replicaset_name as (
  select
    r.name as replicaset_name,
    r.uid as replicaset_uid,
    r.path as path,
    r.start_line as start_line,
    r.end_line as end_line,
    r.context_name as context_name,
    r.namespace as namespace,
    r.source_type as source_type,
    r.tags as tags,
    r._ctx as _ctx,
    c.*
  from
    kubernetes_replicaset as r,
    jsonb_array_elements(template -> 'spec' -> 'containers') as c
)
select
  coalesce(r.replicaset_uid, concat(r.path, ':', r.start_line)) as resource,
  case
    when (r.value -> 'command') is null or not ((r.value -> 'command') @> '["kubelet"]') then 'ok'
    when l.container_name is not null and (r.value -> 'command') @> '["kubelet"]'
      and string_to_array(l.value, ',') <@ array['TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384','TLS_RSA_WITH_AES_256_GCM_SHA384','TLS_RSA_WITH_AES_128_GCM_SHA256']
    then 'ok'
    else 'alarm'
  end as status,
  case
    when (r.value -> 'command') is null then r.value ->> 'name' || ' command not defined.'
    when not ((r.value -> 'command') @> '["kubelet"]') then r.value ->> 'name' || ' kubelet not defined.'
    when l.container_name is not null and (r.value -> 'command') @> '["kubelet"]'
      and string_to_array(l.value, ',') <@ array['TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384','TLS_RSA_WITH_AES_256_GCM_SHA384','TLS_RSA_WITH_AES_128_GCM_SHA256']
    then r.value ->> 'name' || ' kubelet uses strong cryptographic ciphers.'
    else r.value ->> 'name' || ' kubelet not using strong cryptographic ciphers.'
  end as reason,
  r.replicaset_name as replicaset_name
  
  , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  container_name_with_replicaset_name as r
  left join container_list as l on r.value ->> 'name' = l.container_name and r.replicaset_name = l.replicaset;

Tags

category = Compliance
plugin = kubernetes
service = Kubernetes/ReplicaSet