
Kubernetes Policies

With Kubernetes Policies, you can use CloudQuery to automatically check the compliance and security posture of a Kubernetes cluster. It supports the NSA and CISA Kubernetes Hardening Guidance v1.0.

$ cloudquery policy run k8s
Category
compliance
Version
v0.1.2
License
"MPL-2.0"

queries_network_hardening_daemonset_cpu_limit.sql

queries_network_hardening_daemonset_cpu_request.sql

queries_network_hardening_daemonset_memory_limit.sql

queries_network_hardening_daemonset_memory_request.sql

queries_network_hardening_deployment_cpu_limit.sql

queries_network_hardening_deployment_cpu_request.sql

queries_network_hardening_deployment_memory_limit.sql

queries_network_hardening_deployment_memory_request.sql

queries_network_hardening_endpoint_api_serve_on_secure_port.sql

queries_network_hardening_job_cpu_limit.sql

queries_network_hardening_job_cpu_request.sql

queries_network_hardening_job_memory_limit.sql

queries_network_hardening_job_memory_request.sql

queries_network_hardening_namespace_limit_range_default_cpu_limit.sql

queries_network_hardening_namespace_limit_range_default_cpu_request.sql

queries_network_hardening_namespace_limit_range_default_memory_limit.sql

queries_network_hardening_namespace_limit_range_default_memory_request.sql

queries_network_hardening_namespace_resource_quota_cpu_limit.sql

queries_network_hardening_namespace_resource_quota_cpu_request.sql

queries_network_hardening_namespace_resource_quota_memory_limit.sql

queries_network_hardening_namespace_resource_quota_memory_request.sql

queries_network_hardening_network_policy_default_deny_egress.sql

queries_network_hardening_network_policy_default_deny_ingress.sql

queries_network_hardening_network_policy_default_dont_allow_egress.sql

queries_network_hardening_network_policy_default_dont_allow_ingress.sql

queries_network_hardening_replicaset_cpu_limit.sql

queries_network_hardening_replicaset_cpu_request.sql

queries_network_hardening_replicaset_memory_limit.sql

queries_network_hardening_replicaset_memory_request.sql

queries_pod_security_daemonset_container_privilege_disabled.sql

queries_pod_security_daemonset_container_privilege_escalation_disabled.sql

queries_pod_security_daemonset_host_network_access_disabled.sql

queries_pod_security_daemonset_hostpid_hostipc_sharing_disabled.sql

queries_pod_security_daemonset_immutable_container_filesystem.sql

queries_pod_security_daemonset_non_root_container.sql

queries_pod_security_deployment_container_privilege_disabled.sql

queries_pod_security_deployment_container_privilege_escalation_disabled.sql

queries_pod_security_deployment_host_network_access_disabled.sql

queries_pod_security_deployment_hostpid_hostipc_sharing_disabled.sql

queries_pod_security_deployment_immutable_container_filesystem.sql

queries_pod_security_deployment_non_root_container.sql

queries_pod_security_job_container_privilege_disabled.sql

queries_pod_security_job_container_privilege_escalation_disabled.sql

queries_pod_security_job_host_network_access_disabled.sql

queries_pod_security_job_hostpid_hostipc_sharing_disabled.sql

queries_pod_security_job_immutable_container_filesystem.sql

queries_pod_security_job_non_root_container.sql

queries_pod_security_pod_container_privilege_disabled.sql

queries_pod_security_pod_container_privilege_escalation_disabled.sql

queries_pod_security_pod_host_network_access_disabled.sql

queries_pod_security_pod_hostpid_hostipc_sharing_disabled.sql

queries_pod_security_pod_immutable_container_filesystem.sql

queries_pod_security_pod_non_root_container.sql

queries_pod_security_pod_service_account_token_disabled.sql

queries_pod_security_pod_volume_host_path.sql

queries_pod_security_replicaset_container_privilege_disabled.sql

queries_pod_security_replicaset_container_privilege_escalation_disabled.sql

queries_pod_security_replicaset_host_network_access_disabled.sql

queries_pod_security_replicaset_hostpid_hostipc_sharing_disabled.sql

queries_pod_security_replicaset_immutable_container_filesystem.sql

queries_pod_security_replicaset_non_root_container.sql

queries_pod_security_service_account_token_disabled.sql

Query

-- DaemonSets whose pod template has at least one container without a CPU limit.
-- Emits one row per offending container, so a DaemonSet with several such
-- containers appears more than once. A template with no 'containers' array
-- produces no rows from JSONB_ARRAY_ELEMENTS and is therefore not reported.
SELECT
    ds.uid,
    ds.name AS pod_name,
    ds.namespace,
    ds.context
FROM k8s_apps_daemon_sets AS ds
CROSS JOIN LATERAL JSONB_ARRAY_ELEMENTS(ds.template -> 'spec' -> 'containers') AS container
WHERE container -> 'resources' -> 'limits' ->> 'cpu' IS NULL;