helm_charthelm_releasehelm_templatehelm_template_renderedhelm_valuekubernetes_cluster_rolekubernetes_cluster_role_bindingkubernetes_config_mapkubernetes_cronjobkubernetes_custom_resource_definitionkubernetes_daemonsetkubernetes_deploymentkubernetes_endpointkubernetes_endpoint_slicekubernetes_eventkubernetes_horizontal_pod_autoscalerkubernetes_ingresskubernetes_jobkubernetes_limit_rangekubernetes_namespacekubernetes_network_policykubernetes_nodekubernetes_persistent_volumekubernetes_persistent_volume_claimkubernetes_podkubernetes_pod_disruption_budgetkubernetes_pod_security_policykubernetes_pod_templatekubernetes_replicasetkubernetes_replication_controllerkubernetes_resource_quotakubernetes_rolekubernetes_role_bindingkubernetes_secretkubernetes_servicekubernetes_service_accountkubernetes_stateful_setkubernetes_storage_classkubernetes_{custom_resource_singular_name}
Table: kubernetes_pod_security_policy - Query Kubernetes Pod Security Policies using SQL
A Pod Security Policy is a cluster-level resource in Kubernetes that controls security-sensitive aspects of the pod specification. It establishes the default security settings for a pod, and can include settings such as the types of volumes that a pod can mount, the use of host networking and ports, and the execution of privileged operations. By defining these policies, administrators can enforce certain security standards across all pods within a cluster.
Table Usage Guide
The kubernetes_pod_security_policy table provides insights into Pod Security Policies within a Kubernetes cluster. As a security engineer or Kubernetes administrator, explore policy-specific details through this table, including allowed and disallowed operations, volume types, and host networking configurations. Utilize it to uncover information about policies, such as those that allow privileged operations, the use of host networking, and the mounting of certain volume types.
Examples
Basic Info
Explore the security policies of your Kubernetes pods to understand how they're configured. This can help identify potential vulnerabilities and ensure that your system is robustly protected.
select name, allow_privilege_escalation, default_allow_privilege_escalation, host_network, host_ports, host_pid, host_ipc, privileged, read_only_root_filesystem, allowed_csi_drivers, allowed_host_pathsfrom kubernetes_pod_security_policyorder by name;select name, allow_privilege_escalation, default_allow_privilege_escalation, host_network, host_ports, host_pid, host_ipc, privileged, read_only_root_filesystem, allowed_csi_drivers, allowed_host_pathsfrom kubernetes_pod_security_policyorder by name;List policies which allows access to the host process ID, IPC, or network namespace
Discover the segments that have policies allowing access to the host process ID, IPC, or network namespace. This is particularly useful in identifying potential security risks within your Kubernetes pod security policies.
select name, host_pid, host_ipc, host_networkfrom kubernetes_pod_security_policywhere host_pid or host_ipc or host_network;select name, host_pid, host_ipc, host_networkfrom kubernetes_pod_security_policywhere host_pid = 1 or host_ipc = 1 or host_network = 1;List policies which allows a pod to be privileged
Explore which pod security policies permit a pod to have privileged status. This can be useful for understanding potential security risks and ensuring compliance with best practice guidelines.
select namefrom kubernetes_pod_security_policywhere privileged;select namefrom kubernetes_pod_security_policywhere privileged = 1;List manifest resources
Explore which Kubernetes pod security policies have a defined path. This can be useful to identify potential security risks and ensure best practices are being followed.
select name, allow_privilege_escalation, default_allow_privilege_escalation, host_network, host_ports, host_pid, host_ipc, privileged, read_only_root_filesystem, allowed_csi_drivers, allowed_host_paths, pathfrom kubernetes_pod_security_policywhere path is not nullorder by name;select name, allow_privilege_escalation, default_allow_privilege_escalation, host_network, host_ports, host_pid, host_ipc, privileged, read_only_root_filesystem, allowed_csi_drivers, allowed_host_paths, pathfrom kubernetes_pod_security_policywhere path is not nullorder by name;Query examples
Control examples
- 5.2.1 Minimize the admission of privileged containers
- 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace
- 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace
- 5.2.4 Minimize the admission of containers wishing to share the host network namespace
- 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation
- 5.2.6 Minimize the admission of root containers
- Containerized applications should use security services such as SELinux or AppArmor or Seccomp
- Minimize the admission of containers wishing to share the host IPC namespace
- Minimize the admission of containers wishing to share the host process ID namespace
- Pod Security Policy should force containers to run with read-only root file system
- Pod Security Policy should prohibit containers from running as root
- Pod Security Policy should prohibit containers from sharing the host process namespaces
- Pod Security Policy should prohibit containers to run with privilege access
- Pod Security Policy should prohibit host network access
- Pod Security Policy should prohibit hostPaths volumes
- Pod Security Policy should prohibit privilege escalation
- Seccomp profile is set to docker/default in Pod security policy
Schema for kubernetes_pod_security_policy
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| allow_privilege_escalation | boolean | Determines if a pod can request to allow privilege escalation. If unspecified, defaults to true. | |
| allowed_csi_drivers | jsonb | An allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. | |
| allowed_flex_volumes | jsonb | An allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. | |
| allowed_host_paths | jsonb | An allowlist of host paths. Empty indicates that all host paths may be used. | |
| allowed_proc_mount_types | jsonb | An allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. | |
| allowed_unsafe_sysctls | jsonb | List of explicitly allowed unsafe sysctls, defaults to none. | |
| annotations | jsonb | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. | |
| context_name | text | Kubectl config context name. | |
| creation_timestamp | timestamp with time zone | CreationTimestamp is a timestamp representing the server time when this object was created. | |
| default_add_capabilities | jsonb | List of the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. | |
| default_allow_privilege_escalation | boolean | Controls the default setting for whether a process can gain more privileges than its parent process. | |
| deletion_grace_period_seconds | bigint | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. | |
| deletion_timestamp | timestamp with time zone | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. | |
| end_line | bigint | The path to the manifest file. | |
| finalizers | jsonb | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. | |
| forbidden_sysctls | jsonb | List of explicitly forbidden sysctls, defaults to none. | |
| fs_group | jsonb | The strategy that will dictate what fs group is used by the SecurityContext. | |
| generate_name | text | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. | |
| generation | bigint | A sequence number representing a specific generation of the desired state. | |
| host_ipc | boolean | Determines if the policy allows the use of HostIPC in the pod spec. | |
| host_network | boolean | Determines if the policy allows the use of HostNetwork in the pod spec. | |
| host_pid | boolean | Determines if the policy allows the use of HostPID in the pod spec. | |
| host_ports | jsonb | Determines which host port ranges are allowed to be exposed. | |
| labels | jsonb | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. | |
| name | text | Name of the object. Name must be unique within a namespace. | |
| owner_references | jsonb | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. | |
| path | text | The path to the manifest file. | |
| privileged | boolean | privileged determines if a pod can request to be run as privileged. | |
| read_only_root_filesystem | boolean | If set to true will force containers to run with a read only root file system. If set to false the container may run with a read only root file system if it wishes but it will not be forced to. | |
| required_drop_capabilities | jsonb | List of the capabilities that will be dropped from the container. These are required to be dropped and cannot be added. | |
| resource_version | text | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. | |
| run_as_group | jsonb | The strategy that will dictate the allowable RunAsGroup values that may be set. | |
| run_as_user | jsonb | The strategy that will dictate the allowable RunAsUser values that may be set. | |
| runtime_class | jsonb | The strategy that will dictate the allowable RuntimeClasses for a pod. | |
| se_linux | jsonb | The strategy that will dictate the allowable labels that may be set. | |
| source_type | text | The source of the resource. Possible values are: deployed and manifest. If the resource is fetched from the spec file the value will be manifest. | |
| start_line | bigint | The path to the manifest file. | |
| supplemental_groups | jsonb | The strategy that will dictate what supplemental groups are used by the SecurityContext. | |
| tags | jsonb | A map of tags for the resource. This includes both labels and annotations. | |
| title | text | Title of the resource. | |
| uid | text | UID is the unique in time and space value for this object. | |
| volumes | jsonb | An allowlist of volume plugins. Empty indicates that no volumes may be used. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- kubernetesYou can pass the configuration to the command with the --config argument:
steampipe_export_kubernetes --config '<your_config>' kubernetes_pod_security_policy