update query to cast the data to boolean (#79)
khushboo9024 authored Nov 2, 2023
1 parent f20be6f commit 5a69367
Showing 9 changed files with 90 additions and 90 deletions.
24 changes: 12 additions & 12 deletions query/cronjob.sp
Expand Up @@ -51,11 +51,11 @@ query "cronjob_container_privilege_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
else 'ok'
end as status,
case
when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
else c ->> 'name' || ' not privileged container.'
end as reason,
name as cronjob_name
Expand Down Expand Up @@ -93,11 +93,11 @@ query "cronjob_immutable_container_filesystem" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
else 'alarm'
end as status,
case
when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
else c ->> 'name' || ' not running with read-only root file system.'
end as reason,
name as cronjob_name
Expand All @@ -114,11 +114,11 @@ query "cronjob_host_network_access_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostNetwork' = 'true' then 'alarm'
when (job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostNetwork')::bool then 'alarm'
else 'ok'
end as status,
case
when job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostNetwork' = 'true' then 'CronJob pods using host network.'
when (job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostNetwork')::bool then 'CronJob pods using host network.'
else 'CronJob pods not using host network.'
end as reason,
name as cronjob_name
Expand Down Expand Up @@ -239,11 +239,11 @@ query "cronjob_non_root_container" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
else 'alarm'
end as status,
case
when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
else c ->> 'name' || ' running with root privilege.'
end as reason,
name as cronjob_name
Expand Down Expand Up @@ -281,13 +281,13 @@ query "cronjob_hostpid_hostipc_sharing_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostPID' = 'true'
or job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostIPC' = 'true' then 'alarm'
when (job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostPID')::bool
or (job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostIPC')::bool then 'alarm'
else 'ok'
end as status,
case
when job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostPID' = 'true' then 'CronJob pods share host pid namespaces.'
when job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostIPC' = 'true' then 'CronJob pods share host ipc namespaces.'
when (job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostPID')::bool then 'CronJob pods share host pid namespaces.'
when (job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostIPC')::bool then 'CronJob pods share host ipc namespaces.'
else 'CronJob pods cannot share host process namespaces.'
end as reason,
name as cronjob_name
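Review bot: The `::bool` cast introduced in `cronjob_container_privilege_disabled` (and on the equivalent lines in this file's other four hunks, and in daemonset.sp, deployment.sp, job.sp, pod.sp and pod_template.sp) turns an unexpected value into a query error instead of a per-row result: PostgreSQL's boolean input accepts only spellings such as true/false, t/f, yes/no, on/off and 1/0, so one manifest carrying e.g. `privileged: "enabled"` aborts the whole control rather than being reported for that row. The previous `= 'true'` comparison could at worst yield a false negative for that row, so the change widens the match (good) but adds a fail-closed-for-everyone failure mode; since the `path`/`start_line` fallback in `resource` suggests manifests read from files are in scope and may not be API-validated, the lenient match is safer as a set test, e.g. `when lower(c -> 'securityContext' ->> 'privileged') in ('true', 't', 'yes', 'y', 'on', '1') then 'alarm'`. A missing key still casts to NULL and drops to the `else` branch, so the unset-means-default behaviour is unchanged. Each query's `sql` body continues outside the hunk.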
22 changes: 11 additions & 11 deletions query/daemonset.sp
Expand Up @@ -66,11 +66,11 @@ query "daemonset_immutable_container_filesystem" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
else 'alarm'
end as status,
case
when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
else c ->> 'name' || ' not running with read-only root file system.'
end as reason,
name as daemonset_name
Expand Down Expand Up @@ -135,11 +135,11 @@ query "daemonset_host_network_access_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when template -> 'spec' ->> 'hostNetwork' = 'true' then 'alarm'
when (template -> 'spec' ->> 'hostNetwork')::bool then 'alarm'
else 'ok'
end as status,
case
when template -> 'spec' ->> 'hostNetwork' = 'true' then 'DaemonSet pods using host network.'
when (template -> 'spec' ->> 'hostNetwork')::bool then 'DaemonSet pods using host network.'
else 'DaemonSet pods not using host network.'
end as reason,
name as daemonset_name
Expand All @@ -155,12 +155,12 @@ query "daemonset_hostpid_hostipc_sharing_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when template -> 'spec' ->> 'hostPID' = 'true' or template -> 'spec' ->> 'hostIPC' = 'true' then 'alarm'
when (template -> 'spec' ->> 'hostPID')::bool or (template -> 'spec' ->> 'hostIPC')::bool then 'alarm'
else 'ok'
end as status,
case
when template -> 'spec' ->> 'hostPID' = 'true' then 'DaemonSet pods share host PID namespaces.'
when template -> 'spec' ->> 'hostIPC' = 'true' then 'DaemonSet pods share host IPC namespaces.'
when (template -> 'spec' ->> 'hostPID')::bool then 'DaemonSet pods share host PID namespaces.'
when (template -> 'spec' ->> 'hostIPC')::bool then 'DaemonSet pods share host IPC namespaces.'
else 'DaemonSet pods cannot share host process namespaces.'
end as reason,
name as daemonset_name
Expand Down Expand Up @@ -260,11 +260,11 @@ query "daemonset_non_root_container" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
else 'alarm'
end as status,
case
when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
else c ->> 'name' || ' running with root privilege.'
end as reason,
name as daemonset_name
Expand All @@ -281,11 +281,11 @@ query "daemonset_container_privilege_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
else 'ok'
end as status,
case
when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
else c ->> 'name' || ' not privileged container.'
end as reason,
name as daemonset_name
22 changes: 11 additions & 11 deletions query/deployment.sp
Expand Up @@ -61,11 +61,11 @@ query "deployment_immutable_container_filesystem" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
else 'alarm'
end as status,
case
when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
else c ->> 'name' || ' not running with read-only root file system.'
end as reason,
name as deployment_name
Expand Down Expand Up @@ -103,11 +103,11 @@ query "deployment_container_privilege_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
else 'ok'
end as status,
case
when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
else c ->> 'name' || ' not privileged container.'
end as reason,
name as deployment_name
Expand Down Expand Up @@ -235,11 +235,11 @@ query "deployment_host_network_access_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when template -> 'spec' ->> 'hostNetwork' = 'true' then 'alarm'
when (template -> 'spec' ->> 'hostNetwork')::bool then 'alarm'
else 'ok'
end as status,
case
when template -> 'spec' ->> 'hostNetwork' = 'true' then 'Deployment pods using host network.'
when (template -> 'spec' ->> 'hostNetwork')::bool then 'Deployment pods using host network.'
else 'Deployment pods not using host network.'
end as reason,
name as deployment_name
Expand Down Expand Up @@ -276,11 +276,11 @@ query "deployment_non_root_container" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
else 'alarm'
end as status,
case
when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
else c ->> 'name' || ' running with root privilege.'
end as reason,
name as deployment_name
Expand Down Expand Up @@ -318,12 +318,12 @@ query "deployment_hostpid_hostipc_sharing_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when template -> 'spec' ->> 'hostPID' = 'true' or template -> 'spec' ->> 'hostIPC' = 'true' then 'alarm'
when (template -> 'spec' ->> 'hostPID')::bool or (template -> 'spec' ->> 'hostIPC')::bool then 'alarm'
else 'ok'
end as status,
case
when template -> 'spec' ->> 'hostPID' = 'true' then 'Deployment pods share host pid namespaces.'
when template -> 'spec' ->> 'hostIPC' = 'true' then 'Deployment pods share host ipc namespaces.'
when (template -> 'spec' ->> 'hostPID')::bool then 'Deployment pods share host pid namespaces.'
when (template -> 'spec' ->> 'hostIPC')::bool then 'Deployment pods share host ipc namespaces.'
else 'Deployment pods cannot share host process namespaces.'
end as reason,
name as deployment_name
22 changes: 11 additions & 11 deletions query/job.sp
Expand Up @@ -66,11 +66,11 @@ query "job_host_network_access_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when template -> 'spec' ->> 'hostNetwork' = 'true' then 'alarm'
when (template -> 'spec' ->> 'hostNetwork')::bool then 'alarm'
else 'ok'
end as status,
case
when template -> 'spec' ->> 'hostNetwork' = 'true' then 'Job pods using host network.'
when (template -> 'spec' ->> 'hostNetwork')::bool then 'Job pods using host network.'
else 'Job pods not using host network.'
end as reason,
name as job_name
Expand Down Expand Up @@ -133,11 +133,11 @@ query "job_immutable_container_filesystem" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
else 'alarm'
end as status,
case
when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
else c ->> 'name' || ' not running with read-only root file system.'
end as reason,
name as job_name
Expand Down Expand Up @@ -217,11 +217,11 @@ query "job_non_root_container" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
else 'alarm'
end as status,
case
when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
else c ->> 'name' || ' running with root privilege.'
end as reason,
name as job_name
Expand All @@ -238,12 +238,12 @@ query "job_hostpid_hostipc_sharing_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when template -> 'spec' ->> 'hostPID' = 'true' or template -> 'spec' ->> 'hostIPC' = 'true' then 'alarm'
when (template -> 'spec' ->> 'hostPID')::bool or (template -> 'spec' ->> 'hostIPC')::bool then 'alarm'
else 'ok'
end as status,
case
when template -> 'spec' ->> 'hostPID' = 'true' then 'Job pods share host PID namespaces.'
when template -> 'spec' ->> 'hostIPC' = 'true' then 'Job pods share host IPC namespaces.'
when (template -> 'spec' ->> 'hostPID')::bool then 'Job pods share host PID namespaces.'
when (template -> 'spec' ->> 'hostIPC')::bool then 'Job pods share host IPC namespaces.'
else 'Job pods cannot share host process namespaces.'
end as reason,
name as job_name
Expand Down Expand Up @@ -280,11 +280,11 @@ query "job_container_privilege_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
else 'ok'
end as status,
case
when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
else c ->> 'name' || ' not privileged container.'
end as reason,
name as job_name
16 changes: 8 additions & 8 deletions query/pod.sp
Expand Up @@ -72,11 +72,11 @@ query "pod_immutable_container_filesystem" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
else 'alarm'
end as status,
case
when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
else c ->> 'name' || ' not running with read-only root file system.'
end as reason,
name as pod_name
Expand All @@ -93,11 +93,11 @@ query "pod_non_root_container" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
else 'alarm'
end as status,
case
when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
else c ->> 'name' || ' running with root privilege.'
end as reason,
name as pod_name
Expand All @@ -114,11 +114,11 @@ query "pod_container_privilege_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
else 'ok'
end as status,
case
when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' running with privilege access.'
when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' running with privilege access.'
else c ->> 'name' || ' not running with privilege access.'
end as reason,
name as pod_name
Expand Down Expand Up @@ -2582,11 +2582,11 @@ query "pod_service_account_token_enabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when (annotations ->> 'kubectl.kubernetes.io/last-applied-configuration')::jsonb -> 'spec' ->> 'automountServiceAccountToken' = 'true' then 'ok'
when ((annotations ->> 'kubectl.kubernetes.io/last-applied-configuration')::jsonb -> 'spec' ->> 'automountServiceAccountToken')::bool then 'ok'
else 'alarm'
end as status,
case
when (annotations ->> 'kubectl.kubernetes.io/last-applied-configuration')::jsonb -> 'spec' ->> 'automountServiceAccountToken' = 'true' then 'name' || ' service account tokens enabled.'
when ((annotations ->> 'kubectl.kubernetes.io/last-applied-configuration')::jsonb -> 'spec' ->> 'automountServiceAccountToken')::bool then 'name' || ' service account tokens enabled.'
else 'name' || ' service account tokens disabled.'
end as reason,
name as pod_name
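Review bot: The `reason` expression of `pod_service_account_token_enabled` concatenates the string literal `'name'` instead of the `name` column on the rewritten line, so every row reads "name service account tokens enabled."; it should be `then name || ' service account tokens enabled.'`, and the `else` branch below it has the same literal and should read `else name || ' service account tokens disabled.'`. The value is also read from the `kubectl.kubernetes.io/last-applied-configuration` annotation, which is client-written metadata and is absent for objects not created with kubectl apply; when it is absent the whole expression is NULL and the `else` branch reports the token as disabled, which I believe is the opposite of the Kubernetes default, so if the table exposes the live `automountServiceAccountToken` field it would be a more reliable source. The mapping of `true` to `ok` also looks inverted relative to the usual hardening guidance of disabling automount; worth confirming against the control's intent, since the hunk alone does not show it. The query's `sql` body continues outside the hunk.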
8 changes: 4 additions & 4 deletions query/pod_template.sp
Expand Up @@ -1077,11 +1077,11 @@ query "pod_template_container_privilege_disabled" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
else 'ok'
end as status,
case
when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
else c ->> 'name' || ' not privileged container.'
end as reason,
name as pod_template_name
Expand All @@ -1098,11 +1098,11 @@ query "pod_template_immutable_container_filesystem" {
select
coalesce(uid, concat(path, ':', start_line)) as resource,
case
when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
else 'alarm'
end as status,
case
when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
else c ->> 'name' || ' not running with read-only root file system.'
end as reason,
name as pod_template_name