Table: kubernetes_pod_security_policy - Query Kubernetes Pod Security Policies using SQL

A Pod Security Policy is a cluster-level resource in Kubernetes that controls security-sensitive aspects of the pod specification. It establishes the default security settings for a pod, and can include settings such as the types of volumes that a pod can mount, the use of host networking and ports, and the execution of privileged operations. By defining these policies, administrators can enforce certain security standards across all pods within a cluster.

Table Usage Guide

The kubernetes_pod_security_policy table provides insights into Pod Security Policies within a Kubernetes cluster. As a security engineer or Kubernetes administrator, explore policy-specific details through this table, including allowed and disallowed operations, volume types, and host networking configurations. Utilize it to uncover information about policies, such as those that allow privileged operations, the use of host networking, and the mounting of certain volume types.

Examples

Basic Info

Explore the security policies of your Kubernetes pods to understand how they're configured. This can help identify potential vulnerabilities and ensure that your system is robustly protected.

select
  name,
  allow_privilege_escalation,
  default_allow_privilege_escalation,
  host_network,
  host_ports,
  host_pid,
  host_ipc,
  privileged,
  read_only_root_filesystem,
  allowed_csi_drivers,
  allowed_host_paths
from
  kubernetes_pod_security_policy
order by
  name;

select
  name,
  allow_privilege_escalation,
  default_allow_privilege_escalation,
  host_network,
  host_ports,
  host_pid,
  host_ipc,
  privileged,
  read_only_root_filesystem,
  allowed_csi_drivers,
  allowed_host_paths
from
  kubernetes_pod_security_policy
order by
  name;

List policies which allows access to the host process ID, IPC, or network namespace

Discover the segments that have policies allowing access to the host process ID, IPC, or network namespace. This is particularly useful in identifying potential security risks within your Kubernetes pod security policies.

select
  name,
  host_pid,
  host_ipc,
  host_network
from
  kubernetes_pod_security_policy
where
  host_pid
  or host_ipc
  or host_network;

select
  name,
  host_pid,
  host_ipc,
  host_network
from
  kubernetes_pod_security_policy
where
  host_pid = 1
  or host_ipc = 1
  or host_network = 1;

List policies which allows a pod to be privileged

Explore which pod security policies permit a pod to have privileged status. This can be useful for understanding potential security risks and ensuring compliance with best practice guidelines.

select
  name
from
  kubernetes_pod_security_policy
where
  privileged;

select
  name
from
  kubernetes_pod_security_policy
where
  privileged = 1;

List manifest resources

Explore which Kubernetes pod security policies have a defined path. This can be useful to identify potential security risks and ensure best practices are being followed.

select
  name,
  allow_privilege_escalation,
  default_allow_privilege_escalation,
  host_network,
  host_ports,
  host_pid,
  host_ipc,
  privileged,
  read_only_root_filesystem,
  allowed_csi_drivers,
  allowed_host_paths,
  path
from
  kubernetes_pod_security_policy
where
  path is not null
order by
  name;

select
  name,
  allow_privilege_escalation,
  default_allow_privilege_escalation,
  host_network,
  host_ports,
  host_pid,
  host_ipc,
  privileged,
  read_only_root_filesystem,
  allowed_csi_drivers,
  allowed_host_paths,
  path
from
  kubernetes_pod_security_policy
where
  path is not null
order by
  name;

Query examples

Control examples

Schema for kubernetes_pod_security_policy

Name	Type	Description
_ctx	jsonb	Steampipe context in JSON form.
allow_privilege_escalation	boolean	Determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
allowed_csi_drivers	jsonb	An allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
allowed_flex_volumes	jsonb	An allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used.
allowed_host_paths	jsonb	An allowlist of host paths. Empty indicates that all host paths may be used.
allowed_proc_mount_types	jsonb	An allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used.
allowed_unsafe_sysctls	jsonb	List of explicitly allowed unsafe sysctls, defaults to none.
annotations	jsonb	Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.
context_name	text	Kubectl config context name.
creation_timestamp	timestamp with time zone	CreationTimestamp is a timestamp representing the server time when this object was created.
default_add_capabilities	jsonb	List of the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.
default_allow_privilege_escalation	boolean	Controls the default setting for whether a process can gain more privileges than its parent process.
deletion_grace_period_seconds	bigint	Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set.
deletion_timestamp	timestamp with time zone	DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted.
end_line	bigint	The path to the manifest file.
finalizers	jsonb	Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.
forbidden_sysctls	jsonb	List of explicitly forbidden sysctls, defaults to none.
fs_group	jsonb	The strategy that will dictate what fs group is used by the SecurityContext.
generate_name	text	GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided.
generation	bigint	A sequence number representing a specific generation of the desired state.
host_ipc	boolean	Determines if the policy allows the use of HostIPC in the pod spec.
host_network	boolean	Determines if the policy allows the use of HostNetwork in the pod spec.
host_pid	boolean	Determines if the policy allows the use of HostPID in the pod spec.
host_ports	jsonb	Determines which host port ranges are allowed to be exposed.
labels	jsonb	Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.
name	text	Name of the object. Name must be unique within a namespace.
owner_references	jsonb	List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
path	text	The path to the manifest file.
privileged	boolean	privileged determines if a pod can request to be run as privileged.
read_only_root_filesystem	boolean	If set to true will force containers to run with a read only root file system. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
required_drop_capabilities	jsonb	List of the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
resource_version	text	An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed.
run_as_group	jsonb	The strategy that will dictate the allowable RunAsGroup values that may be set.
run_as_user	jsonb	The strategy that will dictate the allowable RunAsUser values that may be set.
runtime_class	jsonb	The strategy that will dictate the allowable RuntimeClasses for a pod.
se_linux	jsonb	The strategy that will dictate the allowable labels that may be set.
source_type	text	The source of the resource. Possible values are: deployed and manifest. If the resource is fetched from the spec file the value will be manifest.
sp_connection_name	text	Steampipe connection name.
sp_ctx	jsonb	Steampipe context in JSON form.
start_line	bigint	The path to the manifest file.
supplemental_groups	jsonb	The strategy that will dictate what supplemental groups are used by the SecurityContext.
tags	jsonb	A map of tags for the resource. This includes both labels and annotations.
title	text	Title of the resource.
uid	text	UID is the unique in time and space value for this object.
volumes	jsonb	An allowlist of volume plugins. Empty indicates that no volumes may be used.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- kubernetes

You can pass the configuration to the command with the --config argument:

steampipe_export_kubernetes --config '<your_config>' kubernetes_pod_security_policy