Mondoo 6.17 added

Given this workload:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: luna-frontend
  namespace: foo
spec:
  containers:
  - name: luna-frontend
    image: lunalectric/frontend:1.0
    env:
    - name: LOGIN
      value: "oh_no"
    - name: PASSWORD
      value: "they_are_really_doing_this!"
```

Using
Great question! The recommended way to approach these is to find a check that works well for one item and then translate it to apply to all of them.

1. Check for dangerous ENV variables

Given any one container (like the one you used in your example), we can write a query to look at its properties like so:

```mql
k8s.pods[0].containers[0] {
  ...
}
```

This check can now be written with the new `env` field. Let's look for the two you have in your example, `LOGIN` and `PASSWORD`, and make sure that neither is set:

```mql
k8s.pods[0].containers[0] {
  env["LOGIN"] == null && env["PASSWORD"] == null
}
```

2. Applying it to all assets

Now that we have the assertion, we can apply this to all assets. In your case, you are looking at pods and all the containers inside of pods. A great way to write this check is to use:

```mql
k8s.pods.all(
  containers.all( ... make sure this is true ... )
)
```

Solution

If you apply this to your use case:

```mql
k8s.pods.all(
  containers.all(
    env["LOGIN"] == null && env["PASSWORD"] == null
  )
)
```

... and that prints:

```
[failed] [].all()
  actual: [
    0: k8s.pod id = pod:foo:luna-frontend
  ]
```
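The same "check one container, then require it of every container in every pod" logic, written as a plain Python script so it can be run offline against manifests before they reach a cluster. This is an added example, not Mondoo's or MQL's own code: the pod dicts are constructed from the manifest in the question (plus a clean pod to show the passing case), the `pod:<namespace>:<name>` id format mirrors the output shown above, and, going one step beyond the MQL query in the answer, it also walks `initContainers`, since credentials there are no less exposed.

```python
"""Offline equivalent of:
    k8s.pods.all(containers.all(env["LOGIN"] == null && env["PASSWORD"] == null))
Added example; field names follow the Kubernetes Pod spec, sample pods are constructed.
"""

# Environment variable names that must never be set directly on a container.
FORBIDDEN_ENV = {"LOGIN", "PASSWORD"}


def env_names(container: dict) -> set:
    """Names of all env vars declared on a container (no `env` key -> empty set)."""
    return {entry["name"] for entry in container.get("env", [])}


def container_passes(container: dict, forbidden=FORBIDDEN_ENV) -> bool:
    """Per-container assertion: none of the forbidden names is present.

    Mirrors env["LOGIN"] == null && env["PASSWORD"] == null for one container.
    """
    return env_names(container).isdisjoint(forbidden)


def pod_id(pod: dict) -> str:
    """Identifier in the same shape Mondoo prints: pod:<namespace>:<name>."""
    meta = pod["metadata"]
    return f"pod:{meta.get('namespace', 'default')}:{meta['name']}"


def failing_pods(pods, forbidden=FORBIDDEN_ENV) -> list:
    """Mirrors k8s.pods.all(containers.all(...)).

    Returns the ids of pods where at least one container (regular or init,
    an assumption beyond the MQL query) carries a forbidden variable. An
    empty list means every pod passed.
    """
    failed = []
    for pod in pods:
        spec = pod.get("spec", {})
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        if not all(container_passes(c, forbidden) for c in containers):
            failed.append(pod_id(pod))
    return failed


# Constructed sample input: the pod from the question.
LUNA_FRONTEND = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "luna-frontend", "namespace": "foo"},
    "spec": {
        "containers": [
            {
                "name": "luna-frontend",
                "image": "lunalectric/frontend:1.0",
                "env": [
                    {"name": "LOGIN", "value": "oh_no"},
                    {"name": "PASSWORD", "value": "they_are_really_doing_this!"},
                ],
            }
        ]
    },
}

# Constructed sample input: a pod with no env at all, which must pass.
CLEAN_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "luna-backend", "namespace": "foo"},
    "spec": {"containers": [{"name": "luna-backend", "image": "lunalectric/backend:1.0"}]},
}


if __name__ == "__main__":
    failed = failing_pods([LUNA_FRONTEND, CLEAN_POD])
    if failed:
        print("[failed] pods with forbidden env variables:")
        for ident in failed:
            print("  ", ident)
    else:
        print("[passed]")
```

Run as a script it reports `pod:foo:luna-frontend` and nothing for the clean pod; to use it on real manifests, load each YAML document into a dict (for example with PyYAML) and pass the resulting list to `failing_pods`.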