apiserver_always_pull_images_plugin.py
from prowler.lib.check.models import Check, Check_Report_Kubernetes
from prowler.providers.kubernetes.services.apiserver.apiserver_client import (
apiserver_client,
)
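class apiserver_always_pull_images_plugin(Check):
    """Check that kube-apiserver enables the AlwaysPullImages admission plugin.

    AlwaysPullImages forces the image pull policy to Always, so the registry
    credentials are checked on every pod start instead of a node-cached copy
    of a private image being reused by a pod that has no pull credentials.
    """

    def execute(self) -> list[Check_Report_Kubernetes]:
        """Build one finding per API server pod.

        A pod passes when any of its containers carries an
        ``--enable-admission-plugins=<list>`` argument whose comma-separated
        list contains the exact name ``AlwaysPullImages``.

        Returns:
            One Check_Report_Kubernetes per pod in
            ``apiserver_client.apiserver_pods``, with status "PASS" or "FAIL".
        """
        flag_name = "--enable-admission-plugins"
        plugin_name = "AlwaysPullImages"

        def enables_plugin(argument):
            # Compare whole plugin names: a substring test would also accept
            # any list entry that merely contains "AlwaysPullImages", which
            # would turn a misconfiguration into a false PASS.
            flag, _, value = argument.partition("=")
            if flag.strip() != flag_name:
                return False
            return plugin_name in (entry.strip() for entry in value.split(","))

        findings = []
        for pod in apiserver_client.apiserver_pods:
            report = Check_Report_Kubernetes(self.metadata())
            report.namespace = pod.namespace
            report.resource_name = pod.name
            report.resource_id = pod.uid

            # NOTE(review): only container.command is inspected here; confirm
            # that the client also folds container args into it, otherwise a
            # flag passed through args is reported as missing.
            plugin_set = any(
                enables_plugin(argument)
                for container in pod.containers.values()
                # A container without a command list contributes no flags.
                for argument in (container.command or [])
            )

            if plugin_set:
                report.status = "PASS"
                report.status_extended = (
                    f"AlwaysPullImages admission control plugin is set in pod {pod.name}."
                )
            else:
                report.status = "FAIL"
                report.status_extended = f"AlwaysPullImages admission control plugin is not set in pod {pod.name}."
            findings.append(report)
        return findings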