turbot/kubernetes

steampipe plugin install kubernetes

Table: kubernetes_pod_security_policy

Pod Security Policies enable fine-grained authorization of pod creation and updates. A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification.

Examples

Basic Info

select
name,
allow_privilege_escalation,
default_allow_privilege_escalation,
host_network,
host_ports,
host_pid,
host_ipc,
privileged,
read_only_root_filesystem,
allowed_csi_drivers,
allowed_host_paths
from
kubernetes_pod_security_policy
order by
name;

List policies which allow access to the host process ID, IPC, or network namespace

select
name,
host_pid,
host_ipc,
host_network
from
kubernetes_pod_security_policy
where
host_pid or host_ipc or host_network;

List policies which allow a pod to be privileged

select
name
from
kubernetes_pod_security_policy
where
privileged;
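The three queries above each check one setting. As an added example (not from the plugin's own documentation), the query below combines several of this table's columns into a single risk summary per policy: host namespaces, privileged mode, hostPath or wildcard volume plugins, an unrestricted RunAsUser rule, and any allowed unsafe sysctls. It assumes the jsonb columns hold the shapes the Kubernetes API uses (volumes as a string array, run_as_user as an object with a "rule" key, allowed_unsafe_sysctls as a string array) and relies on standard PostgreSQL jsonb operators, which Steampipe supports.

```sql
-- Flag policies that permit any of the settings most often abused for
-- container escape. Each boolean column explains why a row was returned.
select
  name,
  privileged,
  (host_pid or host_ipc or host_network) as uses_host_namespaces,
  -- '?' tests whether a jsonb string array contains the given element
  (volumes ? '*' or volumes ? 'hostPath') as allows_host_path_volumes,
  run_as_user ->> 'rule' as run_as_user_rule,
  -- jsonb_array_length(null) is null, so coalesce to 0 for policies
  -- that do not set allowedUnsafeSysctls at all
  coalesce(jsonb_array_length(allowed_unsafe_sysctls), 0) > 0 as allows_unsafe_sysctls,
  not (required_drop_capabilities ? 'ALL') as keeps_default_capabilities
from
  kubernetes_pod_security_policy
where
  privileged
  or host_pid or host_ipc or host_network
  or volumes ? '*' or volumes ? 'hostPath'
  or run_as_user ->> 'rule' = 'RunAsAny'
  or coalesce(jsonb_array_length(allowed_unsafe_sysctls), 0) > 0
order by
  name;
```

A policy that appears here is not necessarily wrong (a CNI or node agent may legitimately need host networking), but each row is one that deserves a documented justification and a narrow RBAC binding. Note that the PodSecurityPolicy API was removed in Kubernetes 1.25, so against newer clusters this table has nothing to return.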

.inspect kubernetes_pod_security_policy

A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.

| Name | Type | Description |
| --- | --- | --- |
| allow_privilege_escalation | boolean | Determines if a pod can request to allow privilege escalation. If unspecified, defaults to true. |
| allowed_csi_drivers | jsonb | An allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. |
| allowed_flex_volumes | jsonb | An allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. |
| allowed_host_paths | jsonb | An allowlist of host paths. Empty indicates that all host paths may be used. |
| allowed_proc_mount_types | jsonb | An allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. |
| allowed_unsafe_sysctls | jsonb | List of explicitly allowed unsafe sysctls, defaults to none. |
| annotations | jsonb | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. |
| context_name | text | Kubectl config context name. |
| creation_timestamp | timestamp without time zone | CreationTimestamp is a timestamp representing the server time when this object was created. |
| default_add_capabilities | jsonb | List of the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. |
| default_allow_privilege_escalation | boolean | Controls the default setting for whether a process can gain more privileges than its parent process. |
| deletion_grace_period_seconds | bigint | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. |
| deletion_timestamp | timestamp without time zone | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. |
| finalizers | jsonb | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. |
| forbidden_sysctls | jsonb | List of explicitly forbidden sysctls, defaults to none. |
| fs_group | jsonb | The strategy that will dictate what fs group is used by the SecurityContext. |
| generate_name | text | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. |
| generation | bigint | A sequence number representing a specific generation of the desired state. |
| host_ipc | boolean | Determines if the policy allows the use of HostIPC in the pod spec. |
| host_network | boolean | Determines if the policy allows the use of HostNetwork in the pod spec. |
| host_pid | boolean | Determines if the policy allows the use of HostPID in the pod spec. |
| host_ports | jsonb | Determines which host port ranges are allowed to be exposed. |
| labels | jsonb | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. |
| name | text | Name of the object. Name must be unique within a namespace. |
| owner_references | jsonb | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. |
| privileged | boolean | privileged determines if a pod can request to be run as privileged. |
| read_only_root_filesystem | boolean | If set to true will force containers to run with a read only root file system. If set to false the container may run with a read only root file system if it wishes but it will not be forced to. |
| required_drop_capabilities | jsonb | List of the capabilities that will be dropped from the container. These are required to be dropped and cannot be added. |
| resource_version | text | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. |
| run_as_group | jsonb | The strategy that will dictate the allowable RunAsGroup values that may be set. |
| run_as_user | jsonb | The strategy that will dictate the allowable RunAsUser values that may be set. |
| runtime_class | jsonb | The strategy that will dictate the allowable RuntimeClasses for a pod. |
| se_linux | jsonb | The strategy that will dictate the allowable labels that may be set. |
| supplemental_groups | jsonb | The strategy that will dictate what supplemental groups are used by the SecurityContext. |
| tags | jsonb | A map of tags for the resource. This includes both labels and annotations. |
| title | text | Title of the resource. |
| uid | text | UID is the unique in time and space value for this object. |
| volumes | jsonb | An allowlist of volume plugins. Empty indicates that no volumes may be used. |
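The allowed_host_paths column is a jsonb list of objects rather than a flat value, so a plain where clause cannot inspect it. As an added example (not part of the plugin's documentation), the query below expands that list with jsonb_array_elements and reports every host path prefix a policy permits, marking the ones that are not read-only. It assumes each entry carries the pathPrefix and readOnly keys of the Kubernetes AllowedHostPath type.

```sql
-- One row per (policy, allowed host path). A missing readOnly key means
-- the mount may be writable, so it is treated as false here.
select
  p.name as policy_name,
  hp ->> 'pathPrefix' as path_prefix,
  coalesce((hp ->> 'readOnly')::boolean, false) as read_only
from
  kubernetes_pod_security_policy as p,
  jsonb_array_elements(p.allowed_host_paths) as hp
where
  -- keep only prefixes that can be mounted writable
  not coalesce((hp ->> 'readOnly')::boolean, false)
order by
  policy_name,
  path_prefix;
```

Remember the caveat in the column description: an empty allowed_host_paths means every host path is allowed, and such policies produce no rows here because there is nothing to expand. Pair this query with a check for policies whose volumes list contains "hostPath" or "*" and whose allowed_host_paths is empty or null to cover that case.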