Control: Deployment containers should minimize its admission with capabilities assigned
Description
This check ensures that the container in the Deployment minimizes its admission with capabilities assigned.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.deployment_container_capabilities_drop_allSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.deployment_container_capabilities_drop_all --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when (c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["all"]') or (c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["ALL"]') then 'ok' else 'alarm' end as status, case when (c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["all"]') or (c -> 'securityContext' -> 'capabilities' -> 'drop' @> '["ALL"]') then c ->> 'name' || ' admission of containers with capabilities assigned minimized.' else c ->> 'name' || ' admission of containers with capabilities assigned not minimized.' end as reason, name as deployment_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_deployment, jsonb_array_elements(template -> 'spec' -> 'containers') as c;