Control: Replication Controller containers kube-apiserver should only make use of strong cryptographic ciphers
Description
This check ensures that the container in the Replication Controller has kube-apiserver using strong cryptographic ciphers.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.replication_controller_container_strong_kube_apiserver_cryptographic_ciphersSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.replication_controller_container_strong_kube_apiserver_cryptographic_ciphers --shareSQL
This control uses a named query:
with container_list as ( select c ->> 'name' as container_name, trim('"' from split_part(co::text, '=', 2)) as value, r.name as replication_controller from kubernetes_replication_controller as r, jsonb_array_elements(template -> 'spec' -> 'containers') as c, jsonb_array_elements_text(c -> 'command') as co where co like '%--tls-cipher-suites=%'), container_name_with_replication_controller_name as ( select r.name as replication_controller_name, r.uid as replication_controller_uid, r.path as path, r.start_line as start_line, r.end_line as end_line, r.context_name as context_name, r.namespace as namespace, r.source_type as source_type, r.tags as tags, r._ctx as _ctx, c.* from kubernetes_replication_controller as r, jsonb_array_elements(template -> 'spec' -> 'containers') as c)select coalesce(r.replication_controller_uid, concat(r.path, ':', r.start_line)) as resource, case when (r.value -> 'command') is null or not ((r.value -> 'command') @> '["kube-apiserver"]') then 'ok' when l.container_name is not null and (r.value -> 'command') @> '["kube-apiserver"]' and string_to_array(l.value, ',') <@ array['TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384','TLS_RSA_WITH_AES_256_GCM_SHA384','TLS_RSA_WITH_AES_128_GCM_SHA256'] then 'ok' else 'alarm' end as status, case when (r.value -> 'command') is null then r.value ->> 'name' || ' command not defined.' when not ((r.value -> 'command') @> '["kube-apiserver"]') then r.value ->> 'name' || ' kube-apiserver not defined.' when l.container_name is not null and (r.value -> 'command') @> '["kube-apiserver"]' and string_to_array(l.value, ',') <@ array['TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384','TLS_RSA_WITH_AES_256_GCM_SHA384','TLS_RSA_WITH_AES_128_GCM_SHA256'] then r.value ->> 'name' || ' kube-apiserver uses strong cryptographic ciphers.' else r.value ->> 'name' || ' kube-apiserver not using strong cryptographic ciphers.' end as reason, r.replication_controller_name as replication_controller_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom container_name_with_replication_controller_name as r left join container_list as l on r.value ->> 'name' = l.container_name and r.replication_controller_name = l.replication_controller;