# Flags every ingress that lives in the "default" namespace.
# Exactly one row is produced per ingress, so the control output is
# complete and duplicate-free; the shared local dimension snippets are
# spliced in after the named columns.
query "ingress_default_namespace_used" {
  sql = <<-EOQ
    select
      -- presumably uid is null for rows sourced from manifest files, hence
      -- the path:start_line fallback as the resource identifier (confirm)
      coalesce(uid, concat(path, ':', start_line)) as resource,
      case namespace
        when 'default' then 'alarm'
        else 'ok'
      end as status,
      case namespace
        when 'default' then name || ' uses default namespace.'
        else name || ' not using the default namespace.'
      end as reason,
      name as ingress_name
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      kubernetes_ingress;
  EOQ
}
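# Alarms when any *snippet* annotation on an ingress carries an `alias`
# statement. The original comma join against jsonb_each_text fanned out to
# one row per annotation key (an ok row for every unrelated annotation, a
# misleading "annotation snippet" reason for non-snippet keys) and silently
# dropped ingresses whose annotations column is null. This version collapses
# the check to one row per ingress and lists the offending keys in the reason.
query "ingress_nginx_annotations_snippets_alias_not_used" {
  sql = <<-EOQ
    select
      -- presumably uid is null for manifest-sourced rows, hence the fallback (confirm)
      coalesce(uid, concat(path, ':', start_line)) as resource,
      case
        when s.alias_keys is null then 'ok'
        else 'alarm'
      end as status,
      case
        when s.alias_keys is null then name || ' has no annotation snippet containing alias statements.'
        else name || ' annotation snippet(s) ' || s.alias_keys || ' contain alias statements.'
      end as reason,
      name as ingress_name
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      kubernetes_ingress
      -- lateral aggregate keeps exactly one row per ingress: string_agg over
      -- zero matching keys (including a null annotations column) is null,
      -- which the case expressions above read as ok
      left join lateral (
        select
          string_agg(a.key, ', ' order by a.key) as alias_keys
        from
          jsonb_each_text(kubernetes_ingress.annotations) as a
        where
          a.key like '%snippet%'
          and a.value like '%alias%'
      ) as s on true;
  EOQ
}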
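# Alarms when an ingress uses any *snippet* annotation at all. The original
# comma join against jsonb_each_text produced one row per annotation key
# (ok rows for every unrelated annotation, with a reason claiming it was a
# snippet) and dropped ingresses whose annotations column is null. This
# version yields one row per ingress and names the snippet keys it found.
query "ingress_nginx_annotations_all_snippets_not_used" {
  sql = <<-EOQ
    select
      -- presumably uid is null for manifest-sourced rows, hence the fallback (confirm)
      coalesce(uid, concat(path, ':', start_line)) as resource,
      case
        when s.snippet_keys is null then 'ok'
        else 'alarm'
      end as status,
      case
        when s.snippet_keys is null then name || ' does not use annotation snippets.'
        else name || ' uses annotation snippet(s) ' || s.snippet_keys || '.'
      end as reason,
      name as ingress_name
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      kubernetes_ingress
      -- lateral aggregate keeps exactly one row per ingress: string_agg over
      -- zero matching keys (including a null annotations column) is null,
      -- which the case expressions above read as ok
      left join lateral (
        select
          string_agg(a.key, ', ' order by a.key) as snippet_keys
        from
          jsonb_each_text(kubernetes_ingress.annotations) as a
        where
          a.key like '%snippet%'
      ) as s on true;
  EOQ
}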
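# Alarms when any *snippet* annotation value matches the lua-code pattern.
# The original comma join against jsonb_each_text produced one row per
# annotation key (ok rows for every unrelated annotation) and dropped
# ingresses whose annotations column is null. This version yields one row
# per ingress and lists the matching snippet keys in the reason.
query "ingress_nginx_annotations_snippets_lua_code_not_used" {
  sql = <<-EOQ
    select
      -- presumably uid is null for manifest-sourced rows, hence the fallback (confirm)
      coalesce(uid, concat(path, ':', start_line)) as resource,
      case
        when s.lua_keys is null then 'ok'
        else 'alarm'
      end as status,
      case
        when s.lua_keys is null then name || ' annotation snippets do not contain lua code execution.'
        else name || ' annotation snippet(s) ' || s.lua_keys || ' contain lua code execution.'
      end as reason,
      name as ingress_name
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      kubernetes_ingress
      -- lateral aggregate keeps exactly one row per ingress: string_agg over
      -- zero matching keys (including a null annotations column) is null,
      -- which the case expressions above read as ok
      left join lateral (
        select
          string_agg(a.key, ', ' order by a.key) as lua_keys
        from
          jsonb_each_text(kubernetes_ingress.annotations) as a
        where
          a.key like '%snippet%'
          -- pattern kept as written: '_lua_' is already covered by 'lua_' and
          -- '_lua', and 'kubernetes\.io' matches more than lua code;
          -- TODO confirm the intended scope with the benchmark authors
          and a.value ~ '(lua_|_lua|_lua_|kubernetes\.io)'
      ) as s on true;
  EOQ
}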