Table: k8s_apps_deployments

This table shows data for Kubernetes (K8s) Apps Deployments.

The primary key for this table is uid.

Columns

Name | Type
_cq_id | uuid
_cq_parent_id | uuid
context | utf8
kind | utf8
api_version | utf8
name | utf8
namespace | utf8
uid (PK) | utf8
resource_version | utf8
generation | int64
deletion_grace_period_seconds | int64
labels | json
annotations | json
owner_references | json
finalizers | list<item: utf8, nullable>
spec_replicas | int64
spec_selector | json
spec_template | json
spec_strategy | json
spec_min_ready_seconds | int64
spec_revision_history_limit | int64
spec_paused | bool
spec_progress_deadline_seconds | int64
status_observed_generation | int64
status_replicas | int64
status_updated_replicas | int64
status_ready_replicas | int64
status_available_replicas | int64
status_unavailable_replicas | int64
status_conditions | json
status_collision_count | int64

Example Queries

These SQL queries are sampled from CloudQuery policies and are compatible with PostgreSQL.

Deployment enforces cpu limits

-- Report 'fail' for a deployment when at least one entry of spec.containers has no
-- resources.limits.cpu, otherwise 'pass'. A missing resources or limits object also
-- yields NULL for the cpu path and therefore counts as unset.
-- Only spec.containers is inspected (initContainers are not). A deployment whose
-- spec_template has no containers array produces no container rows and reports 'pass'.
SELECT
  d.uid AS resource_id,
  'Deployment enforces cpu limits' AS title,
  d.context AS context,
  d.namespace AS namespace,
  d.name AS resource_name,
  CASE
    WHEN EXISTS (
      -- one row per container of this deployment; true as soon as one lacks a cpu limit
      SELECT 1
      FROM jsonb_array_elements(d.spec_template->'spec'->'containers') AS c(container)
      WHERE c.container->'resources'->'limits'->>'cpu' IS NULL
    )
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM k8s_apps_deployments AS d;

Deployment enforces cpu requests

-- Report 'fail' for a deployment when at least one entry of spec.containers has no
-- resources.requests.cpu, otherwise 'pass'. A missing resources or requests object
-- also yields NULL for the cpu path and therefore counts as unset.
-- Only spec.containers is inspected (initContainers are not). A deployment whose
-- spec_template has no containers array produces no container rows and reports 'pass'.
SELECT
  d.uid AS resource_id,
  'Deployment enforces cpu requests' AS title,
  d.context AS context,
  d.namespace AS namespace,
  d.name AS resource_name,
  CASE
    WHEN EXISTS (
      -- one row per container of this deployment; true as soon as one lacks a cpu request
      SELECT 1
      FROM jsonb_array_elements(d.spec_template->'spec'->'containers') AS c(container)
      WHERE c.container->'resources'->'requests'->>'cpu' IS NULL
    )
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM k8s_apps_deployments AS d;

Deployment enforces memory limits

-- Report 'fail' for a deployment when at least one entry of spec.containers has no
-- resources.limits.memory, otherwise 'pass'. A missing resources or limits object
-- also yields NULL for the memory path and therefore counts as unset.
-- Only spec.containers is inspected (initContainers are not). A deployment whose
-- spec_template has no containers array produces no container rows and reports 'pass'.
SELECT
  d.uid AS resource_id,
  'Deployment enforces memory limits' AS title,
  d.context AS context,
  d.namespace AS namespace,
  d.name AS resource_name,
  CASE
    WHEN EXISTS (
      -- one row per container of this deployment; true as soon as one lacks a memory limit
      SELECT 1
      FROM jsonb_array_elements(d.spec_template->'spec'->'containers') AS c(container)
      WHERE c.container->'resources'->'limits'->>'memory' IS NULL
    )
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM k8s_apps_deployments AS d;

Deployment enforces memory requests

-- Report 'fail' for a deployment when at least one entry of spec.containers has no
-- resources.requests.memory, otherwise 'pass'. A missing resources or requests object
-- also yields NULL for the memory path and therefore counts as unset.
-- Only spec.containers is inspected (initContainers are not). A deployment whose
-- spec_template has no containers array produces no container rows and reports 'pass'.
SELECT
  d.uid AS resource_id,
  'Deployment enforces memory requests' AS title,
  d.context AS context,
  d.namespace AS namespace,
  d.name AS resource_name,
  CASE
    WHEN EXISTS (
      -- one row per container of this deployment; true as soon as one lacks a memory request
      SELECT 1
      FROM jsonb_array_elements(d.spec_template->'spec'->'containers') AS c(container)
      WHERE c.container->'resources'->'requests'->>'memory' IS NULL
    )
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM k8s_apps_deployments AS d;

Deployments privileges disabled

-- Report 'fail' for a deployment when at least one entry of spec.containers has
-- securityContext.privileged set to true, otherwise 'pass'. A container with no
-- securityContext or no privileged key yields NULL, which does not match 'true'.
-- Only spec.containers is inspected (initContainers are not). A deployment whose
-- spec_template has no containers array produces no container rows and reports 'pass'.
SELECT
  d.uid AS resource_id,
  'Deployments privileges disabled' AS title,
  d.context AS context,
  d.namespace AS namespace,
  d.name AS resource_name,
  CASE
    WHEN EXISTS (
      -- one row per container of this deployment; true as soon as one is privileged
      SELECT 1
      FROM jsonb_array_elements(d.spec_template->'spec'->'containers') AS c(container)
      WHERE c.container->'securityContext'->>'privileged' = 'true'
    )
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM k8s_apps_deployments AS d;

Deployments privilege escalation disabled

-- Report 'fail' for a deployment when at least one entry of spec.containers has
-- securityContext.allowPrivilegeEscalation set to true, otherwise 'pass'. A container
-- with no securityContext or no allowPrivilegeEscalation key yields NULL, which does
-- not match 'true', so an unset field is treated as 'pass' here.
-- Only spec.containers is inspected (initContainers are not). A deployment whose
-- spec_template has no containers array produces no container rows and reports 'pass'.
SELECT
  d.uid AS resource_id,
  'Deployments privilege escalation disabled' AS title,
  d.context AS context,
  d.namespace AS namespace,
  d.name AS resource_name,
  CASE
    WHEN EXISTS (
      -- one row per container of this deployment; true as soon as one allows escalation
      SELECT 1
      FROM jsonb_array_elements(d.spec_template->'spec'->'containers') AS c(container)
      WHERE c.container->'securityContext'->>'allowPrivilegeEscalation' = 'true'
    )
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM k8s_apps_deployments AS d;

Deployments container hostNetwork disabled

-- Report 'fail' for a deployment whose pod template sets spec.hostNetwork to true,
-- otherwise 'pass'. A missing hostNetwork key yields NULL, which matches no branch
-- of the simple CASE and falls through to 'pass'.
SELECT
  d.uid AS resource_id,
  'Deployments container hostNetwork disabled' AS title,
  d.context AS context,
  d.namespace AS namespace,
  d.name AS resource_name,
  CASE (d.spec_template->'spec'->>'hostNetwork')
    WHEN 'true' THEN 'fail'
    ELSE 'pass'
  END AS status
FROM k8s_apps_deployments AS d;

Deployment containers HostPID and HostIPC sharing disabled

-- Report 'fail' for a deployment whose pod template sets spec.hostPID or spec.hostIPC
-- to true, otherwise 'pass'. A missing key yields NULL; 'true' IN (...) is true only
-- when one of the two values equals 'true', so unset fields fall through to 'pass'.
SELECT
  d.uid AS resource_id,
  'Deployment containers HostPID and HostIPC sharing disabled' AS title,
  d.context AS context,
  d.namespace AS namespace,
  d.name AS resource_name,
  CASE
    WHEN 'true' IN (
      d.spec_template->'spec'->>'hostPID',
      d.spec_template->'spec'->>'hostIPC'
    )
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM k8s_apps_deployments AS d;

Deployment containers root file system is read-only

-- Report 'fail' for a deployment when at least one entry of spec.containers does not
-- have securityContext.readOnlyRootFilesystem set to true, otherwise 'pass'. IS DISTINCT
-- FROM treats a missing securityContext or key (NULL) as a failure, so this check
-- fails closed per container.
-- Only spec.containers is inspected (initContainers are not). A deployment whose
-- spec_template has no containers array produces no container rows and reports 'pass'.
SELECT
  d.uid AS resource_id,
  'Deployment containers root file system is read-only' AS title,
  d.context AS context,
  d.namespace AS namespace,
  d.name AS resource_name,
  CASE
    WHEN EXISTS (
      -- one row per container of this deployment; true as soon as one is not read-only
      SELECT 1
      FROM jsonb_array_elements(d.spec_template->'spec'->'containers') AS c(container)
      WHERE c.container->'securityContext'->>'readOnlyRootFilesystem'
            IS DISTINCT FROM 'true'
    )
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM k8s_apps_deployments AS d;

Deployment containers to run as non-root

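-- Report 'fail' for a deployment when at least one entry of spec.containers is not
-- required to run as non-root, otherwise 'pass'.
-- The effective setting for a container is its own securityContext.runAsNonRoot when
-- present, else the pod-level spec.securityContext.runAsNonRoot, which Kubernetes
-- applies to every container that does not override it. Reading only the container
-- field would report 'fail' for deployments that set the requirement once at pod level.
-- IS DISTINCT FROM treats an absent value at both levels (NULL) as a failure, so the
-- check fails closed per container. A numeric runAsUser does not satisfy this check.
-- Only spec.containers is inspected (initContainers are not). A deployment whose
-- spec_template has no containers array produces no container rows and reports 'pass'.
SELECT
  d.uid AS resource_id,
  'Deployment containers to run as non-root' AS title,
  d.context AS context,
  d.namespace AS namespace,
  d.name AS resource_name,
  CASE
    WHEN EXISTS (
      -- one row per container of this deployment; true as soon as one may run as root
      SELECT 1
      FROM jsonb_array_elements(d.spec_template->'spec'->'containers') AS c(container)
      WHERE COALESCE(
              c.container->'securityContext'->>'runAsNonRoot',
              d.spec_template->'spec'->'securityContext'->>'runAsNonRoot'
            ) IS DISTINCT FROM 'true'
    )
    THEN 'fail'
    ELSE 'pass'
  END AS status
FROM k8s_apps_deployments AS d;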