turbot/kubernetes
steampipe plugin install kubernetes

Table: kubernetes_pod_security_policy - Query Kubernetes Pod Security Policies using SQL

A Pod Security Policy (PSP) is a cluster-level resource in Kubernetes that controls security-sensitive aspects of the pod specification. It establishes the default security settings for a pod and can restrict settings such as the types of volumes a pod may mount, the use of host networking and host ports, and the execution of privileged operations. By defining these policies, administrators can enforce security standards across all pods in a cluster. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so on clusters at or beyond that version this table only returns policies read from manifest files.

Table Usage Guide

The kubernetes_pod_security_policy table provides insights into Pod Security Policies within a Kubernetes cluster. As a security engineer or Kubernetes administrator, use this table to explore policy-specific details, including allowed and disallowed operations, permitted volume types, and host networking settings. Use it to find policies that allow privileged containers, the use of host namespaces (network, PID, IPC), or the mounting of sensitive volume types.

Examples

Basic Info

List each policy together with its privilege escalation, host namespace, host port and volume settings to see how pods are permitted to run in the cluster. This is the starting point for spotting policies that are more permissive than intended.

select
name,
allow_privilege_escalation,
default_allow_privilege_escalation,
host_network,
host_ports,
host_pid,
host_ipc,
privileged,
read_only_root_filesystem,
allowed_csi_drivers,
allowed_host_paths
from
kubernetes_pod_security_policy
order by
name;

List policies which allow access to the host process ID, IPC, or network namespace

Identify policies that allow pods to share the host's process ID, IPC, or network namespace. Any of these settings lets a pod observe or interfere with processes and sockets outside its own sandbox, so such policies deserve review.

PostgreSQL:

select
name,
host_pid,
host_ipc,
host_network
from
kubernetes_pod_security_policy
where
host_pid
or host_ipc
or host_network;

SQLite:

select
name,
host_pid,
host_ipc,
host_network
from
kubernetes_pod_security_policy
where
host_pid = 1
or host_ipc = 1
or host_network = 1;

List policies which allow a pod to be privileged

Find pod security policies that permit a pod to request privileged mode. A privileged container runs with essentially the same access as a process on the node, so these policies are a common finding in compliance and hardening reviews.

PostgreSQL:

select
name
from
kubernetes_pod_security_policy
where
privileged;

SQLite:

select
name
from
kubernetes_pod_security_policy
where
privileged = 1;
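The boolean columns queried above cover only part of a policy; the allowlists live in jsonb columns. As an added example that is not part of the Steampipe docs or plugin, the following PostgreSQL query flags risky settings in volumes, allowed_host_paths, required_drop_capabilities, default_add_capabilities and run_as_user, assuming the JSON shapes of the upstream PodSecurityPolicy API noted in the comments (those shapes are an assumption, not something this page states).

```sql
-- Added example (not from the Steampipe docs). Assumes the PostgreSQL dialect
-- Steampipe uses by default and these upstream PSP field shapes:
--   volumes                    -> array of strings, e.g. ["configMap","hostPath"]
--   allowed_host_paths         -> array of {"pathPrefix": ..., "readOnly": bool}
--   required_drop_capabilities -> array of strings, e.g. ["ALL"]
--   default_add_capabilities   -> array of strings
--   run_as_user                -> {"rule": "RunAsAny"|"MustRunAs"|"MustRunAsNonRoot", ...}
with psp as (
  select
    name,
    -- normalise missing allowlists to empty arrays so the jsonb operators never see NULL
    coalesce(volumes, '[]'::jsonb) as volumes,
    coalesce(allowed_host_paths, '[]'::jsonb) as allowed_host_paths,
    coalesce(required_drop_capabilities, '[]'::jsonb) as required_drop_capabilities,
    coalesce(default_add_capabilities, '[]'::jsonb) as default_add_capabilities,
    coalesce(run_as_user ->> 'rule', 'RunAsAny') as run_as_user_rule
  from
    kubernetes_pod_security_policy
)
select
  name,
  -- '*' in volumes admits every volume plugin, hostPath included
  volumes ?| array['hostPath', '*'] as allows_host_path_volume,
  -- per the schema, an empty allowed_host_paths list means any host path may be mounted
  jsonb_array_length(allowed_host_paths) = 0 as any_host_path_allowed,
  -- an allowed host path without readOnly: true can be mounted read-write
  exists (
    select 1
    from jsonb_array_elements(allowed_host_paths) as hp
    where not coalesce((hp ->> 'readOnly')::boolean, false)
  ) as has_writable_host_path,
  -- policies that do not drop ALL keep the runtime's default capability set
  not (required_drop_capabilities ? 'ALL') as keeps_default_capabilities,
  default_add_capabilities ?| array['SYS_ADMIN', 'NET_ADMIN', 'SYS_PTRACE', 'SYS_MODULE'] as adds_sensitive_capabilities,
  -- only MustRunAsNonRoot rules out UID 0 outright; MustRunAs depends on its ranges
  run_as_user_rule
from
  psp
where
  volumes ?| array['hostPath', '*']
  or not (required_drop_capabilities ? 'ALL')
  or default_add_capabilities ?| array['SYS_ADMIN', 'NET_ADMIN', 'SYS_PTRACE', 'SYS_MODULE']
  or run_as_user_rule <> 'MustRunAsNonRoot'
order by
  name;
```

Each boolean column in the result names one finding, so a row with all columns false is a policy that passed every check in the query.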

List manifest resources

List policies that were read from manifest files rather than from a live cluster, that is, those with a manifest path set. This lets you review policy definitions in a repository before they are applied.

select
name,
allow_privilege_escalation,
default_allow_privilege_escalation,
host_network,
host_ports,
host_pid,
host_ipc,
privileged,
read_only_root_filesystem,
allowed_csi_drivers,
allowed_host_paths,
path
from
kubernetes_pod_security_policy
where
path is not null
order by
name;

Schema for kubernetes_pod_security_policy

Columns are listed as name (type): description.

_ctx (jsonb): Steampipe context in JSON form.
allow_privilege_escalation (boolean): Determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
allowed_csi_drivers (jsonb): An allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
allowed_flex_volumes (jsonb): An allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used.
allowed_host_paths (jsonb): An allowlist of host paths. Empty indicates that all host paths may be used.
allowed_proc_mount_types (jsonb): An allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used.
allowed_unsafe_sysctls (jsonb): List of explicitly allowed unsafe sysctls, defaults to none.
annotations (jsonb): Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.
context_name (text): Kubectl config context name.
creation_timestamp (timestamp with time zone): CreationTimestamp is a timestamp representing the server time when this object was created.
default_add_capabilities (jsonb): List of the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.
default_allow_privilege_escalation (boolean): Controls the default setting for whether a process can gain more privileges than its parent process.
deletion_grace_period_seconds (bigint): Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set.
deletion_timestamp (timestamp with time zone): DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted.
end_line (bigint): The path to the manifest file.
finalizers (jsonb): Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.
forbidden_sysctls (jsonb): List of explicitly forbidden sysctls, defaults to none.
fs_group (jsonb): The strategy that will dictate what fs group is used by the SecurityContext.
generate_name (text): GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided.
generation (bigint): A sequence number representing a specific generation of the desired state.
host_ipc (boolean): Determines if the policy allows the use of HostIPC in the pod spec.
host_network (boolean): Determines if the policy allows the use of HostNetwork in the pod spec.
host_pid (boolean): Determines if the policy allows the use of HostPID in the pod spec.
host_ports (jsonb): Determines which host port ranges are allowed to be exposed.
labels (jsonb): Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.
name (text): Name of the object. Name must be unique within a namespace.
owner_references (jsonb): List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
path (text): The path to the manifest file.
privileged (boolean): Determines if a pod can request to be run as privileged.
read_only_root_filesystem (boolean): If set to true will force containers to run with a read only root file system. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
required_drop_capabilities (jsonb): List of the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
resource_version (text): An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed.
run_as_group (jsonb): The strategy that will dictate the allowable RunAsGroup values that may be set.
run_as_user (jsonb): The strategy that will dictate the allowable RunAsUser values that may be set.
runtime_class (jsonb): The strategy that will dictate the allowable RuntimeClasses for a pod.
se_linux (jsonb): The strategy that will dictate the allowable labels that may be set.
source_type (text): The source of the resource. Possible values are: deployed and manifest. If the resource is fetched from the spec file the value will be manifest.
sp_connection_name (text): Steampipe connection name.
sp_ctx (jsonb): Steampipe context in JSON form.
start_line (bigint): The path to the manifest file.
supplemental_groups (jsonb): The strategy that will dictate what supplemental groups are used by the SecurityContext.
tags (jsonb): A map of tags for the resource. This includes both labels and annotations.
title (text): Title of the resource.
uid (text): UID is the unique in time and space value for this object.
volumes (jsonb): An allowlist of volume plugins. Empty indicates that no volumes may be used.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- kubernetes

You can pass the configuration to the command with the --config argument:

steampipe_export_kubernetes --config '<your_config>' kubernetes_pod_security_policy