Steampipe mods are now Powerpipe →
Powerpipe Hub 
Hub
Mods
turbot/kubernetes_compliance
Overview
4Dashboards
790Controls
781Queries
2Variables
GitHub

Query: network_policy_default_deny_ingress

Usage

powerpipe query kubernetes_compliance.query.network_policy_default_deny_ingress

Steampipe Tables

kubernetes_namespace
kubernetes_network_policy
Kubernetes plugin

SQL

with default_deny_ingress_count as (
  select
    ns.uid,
    ns.name as namespace,
    ns.context_name,
    count(pol.*) as num_netpol,
    ns.tags,
    ns._ctx,
    ns.path,
    ns.start_line,
    ns.end_line,
    ns.source_type,
    -- Get the count of default deny Ingress policy assoicated to each namespace
    count(*) filter (
      where
        policy_types @> '["Ingress"]'
        and pod_selector = '{}'
        and ingress is null
    ) AS num_default_deny
  from
    kubernetes_namespace as ns
    left join kubernetes_network_policy as pol on pol.namespace = ns.name
    and pol.source_type = ns.source_type
  group by
    ns.name,
    ns.uid,
    ns.context_name,
    ns.tags,
    ns._ctx,
    ns.path,
    ns.start_line,
    ns.end_line,
    ns.source_type
)
select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when num_default_deny > 0 then 'ok'
    else 'alarm'
  end as status,
  namespace || ' has ' || num_default_deny || ' default deny ingress policies.' as reason,
  coalesce(context_name, '') as context_name,
  namespace,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  default_deny_ingress_count;

Controls

The query is being used by the following controls: