Control: StatefulSet containers should not use CAP_SYS_ADMIN linux capability
Description
This check ensures that the container in the StatefulSet does not use CAP_SYS_ADMIN Linux capability.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.statefulset_container_sys_admin_capability_disabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.statefulset_container_sys_admin_capability_disabled --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when c -> 'securityContext' -> 'capabilities' -> 'add' @> '["CAP_SYS_ADMIN"]' then 'alarm' else 'ok' end as status, case when c -> 'securityContext' -> 'capabilities' -> 'add' @> '["CAP_SYS_ADMIN"]' then c ->> 'name' || ' CAP_SYS_ADMIN enabled.' else c ->> 'name' || ' CAP_SYS_ADMIN disabled.' end as reason, name as stateful_set_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_stateful_set, jsonb_array_elements(template -> 'spec' -> 'containers') as c;