From c618f8787334a9675596d4694901a45eb354a88c Mon Sep 17 00:00:00 2001
From: khushboo9024
Date: Wed, 18 Oct 2023 19:00:37 +0530
Subject: [PATCH] update query to cast the data to boolean
---
 query/cronjob.sp | 24 ++++++++++++------------
 query/daemonset.sp | 22 +++++++++++-----------
 query/deployment.sp | 22 +++++++++++-----------
 query/job.sp | 22 +++++++++++-----------
 query/pod.sp | 16 ++++++++--------
 query/pod_template.sp | 8 ++++----
 query/replicaset.sp | 22 +++++++++++-----------
 query/replication_controller.sp | 22 +++++++++++-----------
 query/statefulset.sp | 22 +++++++++++-----------
 9 files changed, 90 insertions(+), 90 deletions(-)
diff --git a/query/cronjob.sp b/query/cronjob.sp
index 2dea5f0..94fba78 100644
--- a/query/cronjob.sp
+++ b/query/cronjob.sp
@@ -51,11 +51,11 @@ query "cronjob_container_privilege_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
+ when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
+ when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
 else c ->> 'name' || ' not privileged container.'
 end as reason,
 name as cronjob_name
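Review bot: The `::bool` cast introduced on the `when` lines of the `cronjob_container_privilege_disabled` hunk (and on every cast in this patch) raises `invalid input syntax for type boolean` for any text that is not one of PostgreSQL's accepted boolean spellings, which aborts the whole control instead of marking one row. That cannot happen for objects read from the API server, which stores these fields as JSON booleans, but the `coalesce(uid, concat(path, ':', start_line))` resource key shows the queries also run over manifest files, where a value such as `privileged: "enabled"` or a typo is possible and previously just fell through to the `else` branch. Comparing the jsonb value directly never errors and matches only a real boolean: `when c -> 'securityContext' -> 'privileged' = 'true'::jsonb then 'alarm'`. Note that `'yes'`, `'on'`, `'1'` and `'t'` also cast to true, so the cast is at once stricter and looser than the old `= 'true'` string compare; whichever form is kept, the two `when` lines of each query should use the same one so status and reason cannot disagree.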
@@ -93,11 +93,11 @@ query "cronjob_immutable_container_filesystem" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
 else c ->> 'name' || ' not running with read-only root file system.'
 end as reason,
 name as cronjob_name
@@ -114,11 +114,11 @@ query "cronjob_host_network_access_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostNetwork' = 'true' then 'alarm'
+ when (job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostNetwork')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostNetwork' = 'true' then 'CronJob pods using host network.'
+ when (job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostNetwork')::bool then 'CronJob pods using host network.'
 else 'CronJob pods not using host network.'
 end as reason,
 name as cronjob_name
@@ -239,11 +239,11 @@ query "cronjob_non_root_container" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
 else c ->> 'name' || ' running with root privilege.'
 end as reason,
 name as cronjob_name
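Review bot: The `cronjob_non_root_container` hunk decides root vs. non-root from the container-level `c -> 'securityContext'` alone, so a container that inherits `runAsNonRoot: true` from the pod-level securityContext (Kubernetes applies the pod value when the container does not set its own) is reported as `running with root privilege` and alarmed even though it cannot run as root. The FROM clause that binds `c` is outside the hunk, so the pod-spec path is inferred; if `c` is unnested from `job_template -> 'spec' -> 'template' -> 'spec' -> 'containers'`, the inherited value is `job_template -> 'spec' -> 'template' -> 'spec' -> 'securityContext' -> 'runAsNonRoot'`. Container-first precedence is a one-line change on both `when` lines: `when coalesce(c -> 'securityContext' -> 'runAsNonRoot', job_template -> 'spec' -> 'template' -> 'spec' -> 'securityContext' -> 'runAsNonRoot') = 'true'::jsonb then 'ok'`. A non-zero `runAsUser` at either level also guarantees a non-root process, but whether the control should accept that is a policy decision worth stating in the query's description.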
@@ -281,13 +281,13 @@ query "cronjob_hostpid_hostipc_sharing_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostPID' = 'true'
- or job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostIPC' = 'true' then 'alarm'
+ when (job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostPID')::bool
+ or (job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostIPC')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostPID' = 'true' then 'CronJob pods share host pid namespaces.'
- when job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostIPC' = 'true' then 'CronJob pods share host ipc namespaces.'
+ when (job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostPID')::bool then 'CronJob pods share host pid namespaces.'
+ when (job_template -> 'spec' -> 'template' -> 'spec' ->> 'hostIPC')::bool then 'CronJob pods share host ipc namespaces.'
 else 'CronJob pods cannot share host process namespaces.'
 end as reason,
 name as cronjob_name
diff --git a/query/daemonset.sp b/query/daemonset.sp
index 4a0aabc..6e048c6 100644
--- a/query/daemonset.sp
+++ b/query/daemonset.sp
@@ -66,11 +66,11 @@ query "daemonset_immutable_container_filesystem" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
 else c ->> 'name' || ' not running with read-only root file system.'
 end as reason,
 name as daemonset_name
@@ -135,11 +135,11 @@ query "daemonset_host_network_access_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when template -> 'spec' ->> 'hostNetwork' = 'true' then 'alarm'
+ when (template -> 'spec' ->> 'hostNetwork')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when template -> 'spec' ->> 'hostNetwork' = 'true' then 'DaemonSet pods using host network.'
+ when (template -> 'spec' ->> 'hostNetwork')::bool then 'DaemonSet pods using host network.'
 else 'DaemonSet pods not using host network.'
 end as reason,
 name as daemonset_name
@@ -155,12 +155,12 @@ query "daemonset_hostpid_hostipc_sharing_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when template -> 'spec' ->> 'hostPID' = 'true' or template -> 'spec' ->> 'hostIPC' = 'true' then 'alarm'
+ when (template -> 'spec' ->> 'hostPID')::bool or (template -> 'spec' ->> 'hostIPC')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when template -> 'spec' ->> 'hostPID' = 'true' then 'DaemonSet pods share host PID namespaces.'
- when template -> 'spec' ->> 'hostIPC' = 'true' then 'DaemonSet pods share host IPC namespaces.'
+ when (template -> 'spec' ->> 'hostPID')::bool then 'DaemonSet pods share host PID namespaces.'
+ when (template -> 'spec' ->> 'hostIPC')::bool then 'DaemonSet pods share host IPC namespaces.'
 else 'DaemonSet pods cannot share host process namespaces.'
 end as reason,
 name as daemonset_name
@@ -260,11 +260,11 @@ query "daemonset_non_root_container" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
 else c ->> 'name' || ' running with root privilege.'
 end as reason,
 name as daemonset_name
@@ -281,11 +281,11 @@ query "daemonset_container_privilege_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
+ when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
+ when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
 else c ->> 'name' || ' not privileged container.'
 end as reason,
 name as daemonset_name
diff --git a/query/deployment.sp b/query/deployment.sp
index 5582514..2e19cdd 100644
--- a/query/deployment.sp
+++ b/query/deployment.sp
@@ -61,11 +61,11 @@ query "deployment_immutable_container_filesystem" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
 else c ->> 'name' || ' not running with read-only root file system.'
 end as reason,
 name as deployment_name
@@ -103,11 +103,11 @@ query "deployment_container_privilege_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
+ when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
+ when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
 else c ->> 'name' || ' not privileged container.'
 end as reason,
 name as deployment_name
@@ -235,11 +235,11 @@ query "deployment_host_network_access_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when template -> 'spec' ->> 'hostNetwork' = 'true' then 'alarm'
+ when (template -> 'spec' ->> 'hostNetwork')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when template -> 'spec' ->> 'hostNetwork' = 'true' then 'Deployment pods using host network.'
+ when (template -> 'spec' ->> 'hostNetwork')::bool then 'Deployment pods using host network.'
 else 'Deployment pods not using host network.'
 end as reason,
 name as deployment_name
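Review bot: The `deployment_container_privilege_disabled` hunk evaluates `c -> 'securityContext' ->> 'privileged'` only for the rows `c` expands to, and the FROM clause that binds `c` is outside the hunk; if it unnests just `template -> 'spec' -> 'containers'`, an init container declared with `privileged: true` (a common pattern for sysctl or host-path setup) is never examined and the Deployment passes the control. The same caveat applies to the `readOnlyRootFilesystem` check in the first hunk of this line. Worth confirming that `initContainers` (and `ephemeralContainers`, if the table exposes them) are unioned into `c`, or adding a companion `jsonb_array_elements(template -> 'spec' -> 'initContainers')` branch so the privileged flag is checked wherever a container can be declared.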
@@ -276,11 +276,11 @@ query "deployment_non_root_container" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
 else c ->> 'name' || ' running with root privilege.'
 end as reason,
 name as deployment_name
@@ -318,12 +318,12 @@ query "deployment_hostpid_hostipc_sharing_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when template -> 'spec' ->> 'hostPID' = 'true' or template -> 'spec' ->> 'hostIPC' = 'true' then 'alarm'
+ when (template -> 'spec' ->> 'hostPID')::bool or (template -> 'spec' ->> 'hostIPC')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when template -> 'spec' ->> 'hostPID' = 'true' then 'Deployment pods share host pid namespaces.'
- when template -> 'spec' ->> 'hostIPC' = 'true' then 'Deployment pods share host ipc namespaces.'
+ when (template -> 'spec' ->> 'hostPID')::bool then 'Deployment pods share host pid namespaces.'
+ when (template -> 'spec' ->> 'hostIPC')::bool then 'Deployment pods share host ipc namespaces.'
 else 'Deployment pods cannot share host process namespaces.'
 end as reason,
 name as deployment_name
diff --git a/query/job.sp b/query/job.sp
index 093605a..1140365 100644
--- a/query/job.sp
+++ b/query/job.sp
@@ -66,11 +66,11 @@ query "job_host_network_access_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when template -> 'spec' ->> 'hostNetwork' = 'true' then 'alarm'
+ when (template -> 'spec' ->> 'hostNetwork')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when template -> 'spec' ->> 'hostNetwork' = 'true' then 'Job pods using host network.'
+ when (template -> 'spec' ->> 'hostNetwork')::bool then 'Job pods using host network.'
 else 'Job pods not using host network.'
 end as reason,
 name as job_name
@@ -133,11 +133,11 @@ query "job_immutable_container_filesystem" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
 else c ->> 'name' || ' not running with read-only root file system.'
 end as reason,
 name as job_name
@@ -217,11 +217,11 @@ query "job_non_root_container" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
 else c ->> 'name' || ' running with root privilege.'
 end as reason,
 name as job_name
@@ -238,12 +238,12 @@ query "job_hostpid_hostipc_sharing_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when template -> 'spec' ->> 'hostPID' = 'true' or template -> 'spec' ->> 'hostIPC' = 'true' then 'alarm'
+ when (template -> 'spec' ->> 'hostPID')::bool or (template -> 'spec' ->> 'hostIPC')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when template -> 'spec' ->> 'hostPID' = 'true' then 'Job pods share host PID namespaces.'
- when template -> 'spec' ->> 'hostIPC' = 'true' then 'Job pods share host IPC namespaces.'
+ when (template -> 'spec' ->> 'hostPID')::bool then 'Job pods share host PID namespaces.'
+ when (template -> 'spec' ->> 'hostIPC')::bool then 'Job pods share host IPC namespaces.'
 else 'Job pods cannot share host process namespaces.'
 end as reason,
 name as job_name
@@ -280,11 +280,11 @@ query "job_container_privilege_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
+ when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
+ when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
 else c ->> 'name' || ' not privileged container.'
 end as reason,
 name as job_name
diff --git a/query/pod.sp b/query/pod.sp
index 3749b9c..a8924e4 100644
--- a/query/pod.sp
+++ b/query/pod.sp
@@ -72,11 +72,11 @@ query "pod_immutable_container_filesystem" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
 else c ->> 'name' || ' not running with read-only root file system.'
 end as reason,
 name as pod_name
@@ -93,11 +93,11 @@ query "pod_non_root_container" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
 else c ->> 'name' || ' running with root privilege.'
 end as reason,
 name as pod_name
@@ -114,11 +114,11 @@ query "pod_container_privilege_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
+ when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' running with privilege access.'
+ when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' running with privilege access.'
 else c ->> 'name' || ' not running with privilege access.'
 end as reason,
 name as pod_name
@@ -2582,11 +2582,11 @@ query "pod_service_account_token_enabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when (annotations ->> 'kubectl.kubernetes.io/last-applied-configuration')::jsonb -> 'spec' ->> 'automountServiceAccountToken' = 'true' then 'ok'
+ when ((annotations ->> 'kubectl.kubernetes.io/last-applied-configuration')::jsonb -> 'spec' ->> 'automountServiceAccountToken')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when (annotations ->> 'kubectl.kubernetes.io/last-applied-configuration')::jsonb -> 'spec' ->> 'automountServiceAccountToken' = 'true' then 'name' || ' service account tokens enabled.'
+ when ((annotations ->> 'kubectl.kubernetes.io/last-applied-configuration')::jsonb -> 'spec' ->> 'automountServiceAccountToken')::bool then 'name' || ' service account tokens enabled.'
 else 'name' || ' service account tokens disabled.'
 end as reason,
 name as pod_name
diff --git a/query/pod_template.sp b/query/pod_template.sp
index 20f3316..64326f9 100644
--- a/query/pod_template.sp
+++ b/query/pod_template.sp
@@ -1077,11 +1077,11 @@ query "pod_template_container_privilege_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
+ when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
+ when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
 else c ->> 'name' || ' not privileged container.'
 end as reason,
 name as pod_template_name
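Review bot: Both reason branches in the `pod_service_account_token_enabled` hunk concatenate the string literal `'name'` instead of the `name` column, so every row reads `name service account tokens enabled.`; the sibling queries in this patch use the bare column or `c ->> 'name'`, so these should be `name || ' service account tokens enabled.'` and `name || ' service account tokens disabled.'`. Separately, the value is read from the client-written `kubectl.kubernetes.io/last-applied-configuration` annotation rather than the pod's live spec: a pod created by a controller or via server-side apply typically carries no such annotation, the whole expression is NULL (the new `::bool` cast of NULL is still NULL), and the row lands in the `else` branch regardless of its real `automountServiceAccountToken` setting, while a later `kubectl edit` of the live object is not reflected in the annotation at all. If the pod table exposes the spec field directly (the FROM clause is outside the hunk, so this is inferred), reading it there would report what the API server actually enforces rather than what the last client claimed to apply.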
@@ -1098,11 +1098,11 @@ query "pod_template_immutable_container_filesystem" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
 else c ->> 'name' || ' not running with read-only root file system.'
 end as reason,
 name as pod_template_name
diff --git a/query/replicaset.sp b/query/replicaset.sp
index 506d1d0..996c89f 100644
--- a/query/replicaset.sp
+++ b/query/replicaset.sp
@@ -24,11 +24,11 @@ query "replicaset_container_privilege_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
+ when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
+ when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
 else c ->> 'name' || ' not privileged container.'
 end as reason,
 name as replicaset_name
@@ -72,11 +72,11 @@ query "replicaset_non_root_container" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
 else c ->> 'name' || ' running with root privilege.'
 end as reason,
 name as replicaset_name
@@ -135,11 +135,11 @@ query "replicaset_immutable_container_filesystem" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
 else c ->> 'name' || ' not running with read-only root file system.'
 end as reason,
 name as replicaset_name
@@ -239,11 +239,11 @@ query "replicaset_host_network_access_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when template -> 'spec' ->> 'hostNetwork' = 'true' then 'alarm'
+ when (template -> 'spec' ->> 'hostNetwork')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when template -> 'spec' ->> 'hostNetwork' = 'true' then 'ReplicaSet pods using host network.'
+ when (template -> 'spec' ->> 'hostNetwork')::bool then 'ReplicaSet pods using host network.'
 else 'ReplicaSet pods not using host network.'
 end as reason,
 name as replicaset_name
@@ -259,12 +259,12 @@ query "replicaset_hostpid_hostipc_sharing_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when template -> 'spec' ->> 'hostPID' = 'true' or template -> 'spec' ->> 'hostIPC' = 'true' then 'alarm'
+ when (template -> 'spec' ->> 'hostPID')::bool or (template -> 'spec' ->> 'hostIPC')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when template -> 'spec' ->> 'hostPID' = 'true' then 'ReplicaSet pods share host PID namespaces.'
- when template -> 'spec' ->> 'hostIPC' = 'true' then 'ReplicaSet pods share host IPC namespaces.'
+ when (template -> 'spec' ->> 'hostPID')::bool then 'ReplicaSet pods share host PID namespaces.'
+ when (template -> 'spec' ->> 'hostIPC')::bool then 'ReplicaSet pods share host IPC namespaces.'
 else 'ReplicaSet pods cannot share host process namespaces.'
 end as reason,
 name as replicaset_name
diff --git a/query/replication_controller.sp b/query/replication_controller.sp
index d0418b8..0ca8a40 100644
--- a/query/replication_controller.sp
+++ b/query/replication_controller.sp
@@ -24,11 +24,11 @@ query "replication_controller_host_network_access_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when template -> 'spec' ->> 'hostNetwork' = 'true' then 'alarm'
+ when (template -> 'spec' ->> 'hostNetwork')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when template -> 'spec' ->> 'hostNetwork' = 'true' then 'ReplicationController pods using host network.'
+ when (template -> 'spec' ->> 'hostNetwork')::bool then 'ReplicationController pods using host network.'
 else 'ReplicationController pods not using host network.'
 end as reason,
 name as replication_controller_name
@@ -44,11 +44,11 @@ query "replication_controller_non_root_container" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
 else c ->> 'name' || ' running with root privilege.'
 end as reason,
 name as replication_controller_name
@@ -127,12 +127,12 @@ query "replication_controller_hostpid_hostipc_sharing_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when template -> 'spec' ->> 'hostPID' = 'true' or template -> 'spec' ->> 'hostIPC' = 'true' then 'alarm'
+ when (template -> 'spec' ->> 'hostPID')::bool or (template -> 'spec' ->> 'hostIPC')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when template -> 'spec' ->> 'hostPID' = 'true' then 'ReplicationController pods share host PID namespaces.'
- when template -> 'spec' ->> 'hostIPC' = 'true' then 'ReplicationController pods share host IPC namespaces.'
+ when (template -> 'spec' ->> 'hostPID')::bool then 'ReplicationController pods share host PID namespaces.'
+ when (template -> 'spec' ->> 'hostIPC')::bool then 'ReplicationController pods share host IPC namespaces.'
 else 'ReplicationController pods cannot share host process namespaces.'
 end as reason,
 name as replication_controller_name
@@ -175,11 +175,11 @@ query "replication_controller_container_privilege_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
+ when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
+ when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
 else c ->> 'name' || ' not privileged container.'
 end as reason,
 name as replication_controller_name
@@ -280,11 +280,11 @@ query "replication_controller_immutable_container_filesystem" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
 else c ->> 'name' || ' not running with read-only root file system.'
 end as reason,
 name as replication_controller_name
diff --git a/query/statefulset.sp b/query/statefulset.sp
index 5c07c09..23da5ba 100644
--- a/query/statefulset.sp
+++ b/query/statefulset.sp
@@ -24,11 +24,11 @@ query "statefulset_non_root_container" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'runAsNonRoot' = 'true' then c ->> 'name' || ' not running with root privilege.'
+ when (c -> 'securityContext' ->> 'runAsNonRoot')::bool then c ->> 'name' || ' not running with root privilege.'
 else c ->> 'name' || ' running with root privilege.'
 end as reason,
 name as stateful_set_name
@@ -66,11 +66,11 @@ query "statefulset_immutable_container_filesystem" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then 'ok'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok'
 else 'alarm'
 end as status,
 case
- when c -> 'securityContext' ->> 'readOnlyRootFilesystem' = 'true' then c ->> 'name' || ' running with read-only root file system.'
+ when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.'
 else c ->> 'name' || ' not running with read-only root file system.'
 end as reason,
 name as stateful_set_name
@@ -87,11 +87,11 @@ query "statefulset_host_network_access_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when template -> 'spec' ->> 'hostNetwork' = 'true' then 'alarm'
+ when (template -> 'spec' ->> 'hostNetwork')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when template -> 'spec' ->> 'hostNetwork' = 'true' then 'StatefulSet pods using host network.'
+ when (template -> 'spec' ->> 'hostNetwork')::bool then 'StatefulSet pods using host network.'
 else 'StatefulSet pods not using host network.'
 end as reason,
 name as stateful_set_name
@@ -281,12 +281,12 @@ query "statefulset_hostpid_hostipc_sharing_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when template -> 'spec' ->> 'hostPID' = 'true' or template -> 'spec' ->> 'hostIPC' = 'true' then 'alarm'
+ when (template -> 'spec' ->> 'hostPID')::bool or (template -> 'spec' ->> 'hostIPC')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when template -> 'spec' ->> 'hostPID' = 'true' then 'StatefulSet pods share host PID namespaces.'
- when template -> 'spec' ->> 'hostIPC' = 'true' then 'StatefulSet pods share host IPC namespaces.'
+ when (template -> 'spec' ->> 'hostPID')::bool then 'StatefulSet pods share host PID namespaces.'
+ when (template -> 'spec' ->> 'hostIPC')::bool then 'StatefulSet pods share host IPC namespaces.'
 else 'StatefulSet pods cannot share host process namespaces.'
 end as reason,
 name as stateful_set_name
@@ -302,11 +302,11 @@ query "statefulset_container_privilege_disabled" {
 select
 coalesce(uid, concat(path, ':', start_line)) as resource,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then 'alarm'
+ when (c -> 'securityContext' ->> 'privileged')::bool then 'alarm'
 else 'ok'
 end as status,
 case
- when c -> 'securityContext' ->> 'privileged' = 'true' then c ->> 'name' || ' privileged container.'
+ when (c -> 'securityContext' ->> 'privileged')::bool then c ->> 'name' || ' privileged container.'
 else c ->> 'name' || ' not privileged container.'
 end as reason,
 name as stateful_set_name
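Review bot: In the `statefulset_hostpid_hostipc_sharing_disabled` hunk the reason column's first `when` wins whenever `hostPID` is true, so a pod that sets both `hostPID: true` and `hostIPC: true` is reported only as sharing the PID namespace and the IPC exposure never appears in the finding; the same ordering is present in every `hostpid_hostipc` query in this patch. A combined branch placed first keeps the existing two messages intact for the single-flag cases: `when (template -> 'spec' ->> 'hostPID')::bool and (template -> 'spec' ->> 'hostIPC')::bool then 'StatefulSet pods share host PID and IPC namespaces.'`. The `else` text `cannot share host process namespaces.` is also slightly misleading for the NULL/absent case, which the new cast still routes there; `do not share` would describe what the query actually established.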