Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-kubernetes-compliance
Overview
4Dashboards
790Benchmarks
781Queries
2Variables
GitHub

Control: ReplicaSet containers kube-apiserver should only make use of strong cryptographic ciphers

Description

This check ensures that the container in the ReplicaSet has kube-apiserver using strong cryptographic ciphers.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.replicaset_container_strong_kube_apiserver_cryptographic_ciphers

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.replicaset_container_strong_kube_apiserver_cryptographic_ciphers --share

SQL

This control uses a named query:

with container_list as (
  select
    c ->> 'name' as container_name,
    trim('"' from split_part(co::text, '=', 2)) as value,
    r.name as replicaset
  from
    kubernetes_replicaset as r,
    jsonb_array_elements(template -> 'spec' -> 'containers') as c,
    jsonb_array_elements_text(c -> 'command') as co
  where
    co like '%--tls-cipher-suites=%'
), container_name_with_replicaset_name as (
  select
    r.name as replicaset_name,
    r.uid as replicaset_uid,
    r.path as path,
    r.start_line as start_line,
    r.end_line as end_line,
    r.context_name as context_name,
    r.namespace as namespace,
    r.source_type as source_type,
    r.tags as tags,
    r._ctx as _ctx,
    c.*
  from
    kubernetes_replicaset as r,
    jsonb_array_elements(template -> 'spec' -> 'containers') as c
)
select
  coalesce(r.replicaset_uid, concat(r.path, ':', r.start_line)) as resource,
  case
    when (r.value -> 'command') is null or not ((r.value -> 'command') @> '["kube-apiserver"]') then 'ok'
    when l.container_name is not null and (r.value -> 'command') @> '["kube-apiserver"]'
      and string_to_array(l.value, ',') <@ array['TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384','TLS_RSA_WITH_AES_256_GCM_SHA384','TLS_RSA_WITH_AES_128_GCM_SHA256']
    then 'ok'
    else 'alarm'
  end as status,
  case
    when (r.value -> 'command') is null then r.value ->> 'name' || ' command not defined.'
    when not ((r.value -> 'command') @> '["kube-apiserver"]') then r.value ->> 'name' || ' kube-apiserver not defined.'
    when l.container_name is not null and (r.value -> 'command') @> '["kube-apiserver"]'
      and string_to_array(l.value, ',') <@ array['TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384','TLS_RSA_WITH_AES_256_GCM_SHA384','TLS_RSA_WITH_AES_128_GCM_SHA256']
    then r.value ->> 'name' || ' kube-apiserver uses strong cryptographic ciphers.'
    else r.value ->> 'name' || ' kube-apiserver not using strong cryptographic ciphers.'
  end as reason,
  r.replicaset_name as replicaset_name
  
  , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  container_name_with_replicaset_name as r
  left join container_list as l on r.value ->> 'name' = l.container_name and r.replicaset_name = l.replicaset;

Tags

category = Compliance
plugin = kubernetes
service = Kubernetes/ReplicaSet