Query: Ingress definition should not have NGINX ingress annotation snippets containing lua code snippets

Description

This check ensures that the NGINX ingress annotation snippets in the Ingress do not contain lua code snippets.

Query

Tables used in this query:

kubernetes_ingress

Controls using this query:

Ingress definition should not have NGINX ingress annotation snippets containing lua code snippets

SQL

select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when a.key like '%snippet%'
    and a.value ~ '(lua_|_lua|_lua_|kubernetes\.io)' then 'alarm'
    else 'ok'
  end as status,
  case
    when a.key like '%snippet%'
    and a.value ~ '(lua_|_lua|_lua_|kubernetes\.io)' then a.key || ' annotation snippet contains lua code execution.'
    else a.key || ' annotation snippet does not contain lua code execution.'
  end as reason,
  name as ingress_name,
  coalesce(context_name, '') as context_name,
  namespace,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_ingress,
  jsonb_each_text(annotations) as a;