Control: Services should not have tiller service
Description
Services should avoid using the Tiller service, which is not recommended due to security concerns.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.service_no_tiller_service
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run kubernetes_compliance.control.service_no_tiller_service --share
SQL
This control uses a named query:
with tiller_service as (
  select distinct
    uid
  from
    kubernetes_service
  where
    (select 'tiller' ilike any (select jsonb_object_keys(tags)::text))
    or (select 'tiller' ilike any (select jsonb_object_keys(selector)::text))
)
select
  coalesce(s.uid, concat(s.path, ':', s.start_line)) as resource,
  case
    when t.uid is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when t.uid is not null then name || ' using tiller service.'
    else name || ' not using tiller service.'
  end as reason,
  coalesce(context_name, '') as context_name,
  namespace,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_service as s
  left join tiller_service as t on t.uid = s.uid;
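Added example, not part of the mod: the named query's predicate run in plain PostgreSQL against constructed rows that stand in for the kubernetes_service table, so you can see what it matches without a Steampipe connection. jsonb_object_keys returns only the keys of tags and selector, so 'tiller' is compared case-insensitively against label and selector keys, with each key acting as the ILIKE pattern; values and the service name are not inspected. All uids, names and labels below are assumptions made up for the example.

```sql
-- Constructed sample rows; the CTE shadows the real kubernetes_service table.
with kubernetes_service (uid, name, tags, selector) as (
  values
    -- 'tiller' is a label key
    ('uid-1', 'label-key',
     '{"tiller": "true"}'::jsonb, '{"app": "web"}'::jsonb),
    -- 'tiller' appears only as a label/selector value and in the name
    ('uid-2', 'tiller-deploy',
     '{"app": "helm", "name": "tiller"}'::jsonb,
     '{"app": "helm", "name": "tiller"}'::jsonb),
    -- mixed-case selector key
    ('uid-3', 'selector-key',
     '{"app": "web"}'::jsonb, '{"Tiller": "v2"}'::jsonb),
    -- key containing '_', which is a single-character wildcard in ILIKE
    ('uid-4', 'underscore-key',
     '{"t_ller": "x"}'::jsonb, '{"app": "web"}'::jsonb),
    -- no labels at all: jsonb_object_keys(null) yields no rows
    ('uid-5', 'no-labels',
     null::jsonb, '{"app": "api"}'::jsonb)
),
tiller_service as (
  -- Same predicate as the control's named query
  select distinct
    uid
  from
    kubernetes_service
  where
    (select 'tiller' ilike any (select jsonb_object_keys(tags)::text))
    or (select 'tiller' ilike any (select jsonb_object_keys(selector)::text))
)
select
  s.uid,
  s.name,
  case
    when t.uid is not null then 'alarm'
    else 'ok'
  end as status
from
  kubernetes_service as s
  left join tiller_service as t on t.uid = s.uid
order by
  s.uid;
```

Comparing the status column for uid-1 and uid-2 shows whether a Service in your cluster would be caught by its label keys or would need a separate check on label values and names.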