I have a query that isn't behaving in a way I would expect. Given a Pod that looks like:

    apiVersion: v1
    kind: Pod
    metadata:
      name: joel-test
      namespace: default
    spec:
      containers:
      - command:
        - sleep
        - "3600000"
        image: quay.io/fedora/fedora:latest
        name: fedora
        securityContext:
          capabilities:
            drop: ["ALL"]
      - command:
        - sleep
        - "3600000"
        image: quay.io/fedora/fedora:latest
        name: fedora2

I would expect that the following query would pass since neither container in the Pod specification has anything specified under .securityContext.capabilities.add:

    k8s.pod {
      podSpec['containers'] {
        _['securityContext']['capabilities'] {
          _['add'] == null || _['add'].none(_.upcase == "ALL")
        }
      }
    }

This passes the first container (named 'fedora'), but fails the second one (named 'fedora2'). I ended up writing an alternative query that does pass:

    k8s.pod {
      podSpec['containers'] {
        if( _['securityContext']['capabilities'] != null ) {
          _['securityContext']['capabilities'] {
            _['add'] == null || _['add'].none(_.upcase == "ALL")
          }
        } else {
          true
        }
      }
    }

This felt a bit verbose (especially that
Replies: 1 comment 1 reply
Great question! I'd like to reduce the amount of if statements as much as possible, because conditionals are a bit harder to process (and aggregate data for). This also implies we don't really need the else statements.

Here is an updated version of the query:

It depends on the newly merged handling for contains and roughly reads as:

all or sys_admin
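
The null handling discussed in this thread, sketched in Python rather than MQL as an added example (not code from either post or from the project). `BAD_POD`, the function names and the `missing_passes` flag are assumptions made for illustration; `missing_passes=False` reproduces the result reported in the question, where a container with no securityContext.capabilities block fails.

```python
# Added example (Python, not MQL): null-tolerant capability check.
# POD mirrors the containers in the question; BAD_POD is constructed.
POD = {"spec": {"containers": [
    {"name": "fedora",
     "securityContext": {"capabilities": {"drop": ["ALL"]}}},
    {"name": "fedora2"},  # no securityContext at all
]}}

BAD_POD = {"spec": {"containers": [
    {"name": "c1", "securityContext": {"capabilities": {"add": ["all"]}}},
    {"name": "c2", "securityContext": {"capabilities": {"add": ["sys_admin"]}}},
    {"name": "c3", "securityContext": {"capabilities": None}},
]}}


def capabilities_block(container):
    """Return securityContext.capabilities, or None if either level is absent."""
    security_context = container.get("securityContext") or {}
    return security_context.get("capabilities")


def failing_containers(pod, forbidden=("ALL",), missing_passes=True):
    """Names of containers that fail the 'no forbidden capability added' check.

    missing_passes=True : an absent capabilities block means nothing is added.
    missing_passes=False: an absent block fails, as reported in the question.
    """
    banned = {name.upper() for name in forbidden}
    failed = []
    for container in pod["spec"]["containers"]:
        caps = capabilities_block(container)
        if caps is None:
            if not missing_passes:
                failed.append(container["name"])
            continue
        added = caps.get("add") or []  # 'add' itself may be absent or null
        if any(str(cap).upper() in banned for cap in added):
            failed.append(container["name"])
    return failed


if __name__ == "__main__":
    print("null-tolerant:", failing_containers(POD))
    print("strict:       ", failing_containers(POD, missing_passes=False))
    print("constructed:  ", failing_containers(BAD_POD, ("ALL", "SYS_ADMIN")))
```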