Table: kubernetes_pod_template - Query Kubernetes Pod Templates using SQL

A Kubernetes Pod Template is a pod specification which produces the same pod each time it is instantiated. It is used to create a pod directly, or it is nested inside replication controllers, jobs, replicasets, etc. A Pod Template in a workload object must have a Labels field and it must match the selector of its controlling workload object.

Table Usage Guide

The kubernetes_pod_template table provides insights into pod templates within Kubernetes. As a Kubernetes administrator, you can explore pod template-specific details through this table, including metadata, specifications, and status. Utilize it to uncover information about pod templates, such as those with specific labels, the replication controllers they are nested in, and the status of each pod template.

Examples

Basic info

Discover the segments that show the age of pod templates in your Kubernetes environment, along with the count of various container types. This can help in managing resources and understanding the capacity usage within your system.

select
  name,
  namespace,
  age(current_timestamp, creation_timestamp),
  template -> 'spec' ->> 'node_name' as pod_node_name,
  jsonb_array_length(template -> 'spec' -> 'containers') as container_count,
  jsonb_array_length(template -> 'spec' -> 'pod_init_containers') as init_container_count,
  jsonb_array_length(template -> 'spec' -> 'pod_ephemeral_containers') as ephemeral_container_count
from
  kubernetes_pod_template
order by
  namespace,
  name;

select
  name,
  namespace,
  julianday('now') - julianday(creation_timestamp) as age,
  json_extract(template, '$.spec.node_name') as pod_node_name,
  json_array_length(json_extract(template, '$.spec.containers')) as container_count,
  json_array_length(
    json_extract(template, '$.spec.pod_init_containers')
  ) as init_container_count,
  json_array_length(
    json_extract(template, '$.spec.pod_ephemeral_containers')
  ) as ephemeral_container_count
from
  kubernetes_pod_template
order by
  namespace,
  name;

List pod templates with privileged pod containers

Uncover the details of your system's pod templates which contain privileged pod containers. This allows you to assess the security implications and manage the risk associated with these privileged containers.

select
  name,
  namespace,
  template -> 'metadata' ->> 'name' as pod_name,
  c ->> 'name' as container_name,
  c ->> 'image' as container_image
from
  kubernetes_pod_template,
  jsonb_array_elements(template -> 'spec' -> 'containers') as c
where
  c -> 'securityContext' ->> 'privileged' = 'true';

select
  name,
  namespace,
  json_extract(template, '$.metadata.name') as pod_name,
  json_extract(c.value, '$.name') as container_name,
  json_extract(c.value, '$.image') as container_image
from
  kubernetes_pod_template,
  json_each(json_extract(template, '$.spec.containers')) as c
where
  json_extract(c.value, '$.securityContext.privileged') = 'true';

List pod templates with pod access to the host process ID, IPC, or network namespace

Explore which pod templates have access to the host process ID, IPC, or network namespace. This is useful for identifying potential security risks and ensuring appropriate access control in a Kubernetes environment.

select
  name,
  namespace,
  template -> 'metadata' ->> 'name' as pod_name,
  template -> 'spec' -> 'host_pid' as pod_host_pid,
  template -> 'spec' -> 'host_ipc' as pod_host_ipc,
  template -> 'spec' -> 'host_network' as pod_host_network
from
  kubernetes_pod_template
where
  (template -> 'spec' -> 'host_pid') :: boolean
  or (template -> 'spec' -> 'host_ipc') :: boolean
  or (template -> 'spec' -> 'host_network') :: boolean;

select
  name,
  namespace,
  json_extract(template, '$.metadata.name') as pod_name,
  json_extract(template, '$.spec.host_pid') as pod_host_pid,
  json_extract(template, '$.spec.host_ipc') as pod_host_ipc,
  json_extract(template, '$.spec.host_network') as pod_host_network
from
  kubernetes_pod_template
where
  json_extract(template, '$.spec.host_pid') = 1
  or json_extract(template, '$.spec.host_ipc') = 1
  or json_extract(template, '$.spec.host_network') = 1;

`kubectl get podtemplates` columns

Determine the areas in which Kubernetes pod templates are deployed. This query helps in identifying the containers and images used, along with the associated pod labels, providing a comprehensive summary of your Kubernetes deployment.

select
  name,
  coalesce(uid, concat(path, ':', start_line)) as uid,
  array_agg(c ->> 'name') as containers,
  array_agg(c ->> 'image') as images,
  template -> 'metadata' -> 'labels' as pod_labels
from
  kubernetes_pod_template,
  jsonb_array_elements(template -> 'spec' -> 'containers') as c
where
  source_type = 'deployed'
group by
  name,
  uid,
  path,
  start_line,
  template;

select
  name,
  coalesce(uid, path || ':' || start_line) as uid,
  group_concat(json_extract(c.value, '$.name')) as containers,
  group_concat(json_extract(c.value, '$.image')) as images,
  json_extract(template, '$.metadata.labels') as pod_labels
from
  kubernetes_pod_template,
  json_each(json_extract(template, '$.spec.containers')) as c
where
  source_type = 'deployed'
group by
  name,
  uid,
  path,
  start_line,
  template;

List pod templates that have a container with profiling argument set to false

Determine the areas in which pod templates contain a container with a disabled profiling argument. This is useful for ensuring optimal performance and security within your Kubernetes environment.

select
  name as pod_template_name,
  namespace,
  template -> 'metadata' ->> 'name' as pod_name,
  c ->> 'name' as pod_container_name,
  c ->> 'image' as pod_container_image
from
  kubernetes_pod_template,
  jsonb_array_elements(template -> 'spec' -> 'containers') as c
where
  (c -> 'command') @ > '["kube-scheduler"]'
  and (c -> 'command') @ > '["--profiling=false"]';

Error: The corresponding SQLite query is unavailable.

List manifest pod template resources

This query allows you to analyze the resources of manifest pod templates in a Kubernetes cluster. It's particularly useful for gaining insights into the containers, images, and pod labels associated with each pod template, helping to enhance management and optimization of the cluster.

select
  name,
  coalesce(uid, concat(path, ':', start_line)) as uid,
  array_agg(c ->> 'name') as containers,
  array_agg(c ->> 'image') as images,
  template -> 'metadata' -> 'labels' as pod_labels
from
  kubernetes_pod_template,
  jsonb_array_elements(template -> 'spec' -> 'containers') as c
where
  path is not null
group by
  name,
  uid,
  path,
  start_line,
  template;

select
  name,
  coalesce(uid, path || ':' || start_line) as uid,
  group_concat(json_extract(c.value, '$.name')) as containers,
  group_concat(json_extract(c.value, '$.image')) as images,
  json_extract(template, '$.metadata.labels') as pod_labels
from
  kubernetes_pod_template,
  json_each(json_extract(template, '$.spec.containers')) as c
where
  path is not null
group by
  name,
  uid,
  path,
  start_line,
  template;

Control examples

Schema for kubernetes_pod_template

Name	Type	Description
_ctx	jsonb	Steampipe context in JSON form, e.g. connection_name.
annotations	jsonb	Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.
context_name	text	Kubectl config context name.
creation_timestamp	timestamp with time zone	CreationTimestamp is a timestamp representing the server time when this object was created.
deletion_grace_period_seconds	bigint	Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set.
deletion_timestamp	timestamp with time zone	DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted.
end_line	bigint	The path to the manifest file.
finalizers	jsonb	Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.
generate_name	text	GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided.
generation	bigint	A sequence number representing a specific generation of the desired state.
labels	jsonb	Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.
name	text	Name of the object. Name must be unique within a namespace.
namespace	text	Namespace defines the space within which each name must be unique.
owner_references	jsonb	List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
path	text	The path to the manifest file.
resource_version	text	An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed.
source_type	text	The source of the resource. Possible values are: deployed and manifest. If the resource is fetched from the spec file the value will be manifest.
start_line	bigint	The path to the manifest file.
tags	jsonb	A map of tags for the resource. This includes both labels and annotations.
template	jsonb	Template describes the pods that will be created.
title	text	Title of the resource.
uid	text	UID is the unique in time and space value for this object.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- kubernetes

You can pass the configuration to the command with the --config argument:

steampipe_export_kubernetes --config '<your_config>' kubernetes_pod_template