Privileged pods
# any() reports each pod once even when several containers match
# (a bare generator inside select() would print one line per matching container).
jq -r '
.items[]
| select(
    any(.spec.containers[]?, .spec.initContainers[]?;
        .securityContext.privileged == true)
  )
| [.metadata.namespace, .metadata.name] | @tsv' pods.json
Root user
# Checks container and init container settings only; a runAsUser set in the
# pod-level .spec.securityContext is inherited but not inspected here.
jq -r '
.items[]
| select(
    any(.spec.containers[]?, .spec.initContainers[]?;
        .securityContext.runAsUser == 0
        or .securityContext.runAsNonRoot == false)
  )
| [.metadata.namespace, .metadata.name] | @tsv' pods.json
Seccomp profile
# Lists pods whose pod-level securityContext sets a seccompProfile, with its type;
# change != null to == null to list the pods that have no pod-level profile.
jq -r '
.items[]
| select(.spec.securityContext?.seccompProfile != null)
| [.metadata.namespace, .metadata.name, .spec.securityContext.seccompProfile.type]
| @tsv' pods.json
Pods with privilege escalation
# allowPrivilegeEscalation defaults to true when unset; this only matches an explicit true.
jq -r '
.items[]
| select(
    any(.spec.containers[]?, .spec.initContainers[]?;
        .securityContext.allowPrivilegeEscalation == true)
  )
| [.metadata.namespace, .metadata.name] | @tsv' pods.json
Pods with added capabilities
Especially the insecure capabilities
# Containers and init containers are both checked; each pod is printed once
# with the union of all capabilities added to any of its containers.
jq -r '
.items[]
| ([.spec.containers[]?, .spec.initContainers[]?
    | .securityContext.capabilities.add? // [] | .[]] | unique) as $caps
| select(($caps | length) > 0)
| [.metadata.namespace, .metadata.name, ($caps | join(","))] | @tsv' pods.json
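Added example, not from the page: a Python audit that applies the same five checks as the jq filters above to one `kubectl get pods -A -o json` document, and goes beyond them in three ways: container fields override the pod-level securityContext, an unset allowPrivilegeEscalation counts as true, and added capabilities are matched against a high-risk list. RISKY_CAPS, the finding names and the embedded SAMPLE document are my assumptions and constructed data, not values from the page.

```python
import json, sys

# Assumed high-risk capabilities (my list, not from the page); compared without "CAP_".
RISKY_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_RAW", "BPF"}

def norm_cap(cap):  # 'cap_sys_admin' or 'SYS_ADMIN' -> 'SYS_ADMIN'
    return cap.upper()[4:] if cap.upper().startswith("CAP_") else cap.upper()

def audit_pod(pod):
    """Sorted findings for one item of `kubectl get pods -o json`."""
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext") or {}
    findings = set()
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ctx = c.get("securityContext") or {}
        eff = lambda k: ctx[k] if k in ctx else pod_ctx.get(k)  # container overrides pod-level
        if ctx.get("privileged") is True:
            findings.add("privileged")
        if eff("runAsUser") == 0 or eff("runAsNonRoot") is False:
            findings.add("root_user")
        if ctx.get("allowPrivilegeEscalation", True):  # unset means true
            findings.add("privilege_escalation")
        if eff("seccompProfile") is None:
            findings.add("no_seccomp")
        added = {norm_cap(x) for x in (ctx.get("capabilities") or {}).get("add") or []}
        if added:
            findings.add("added_caps")
        if added & RISKY_CAPS:
            findings.add("risky_caps:" + ",".join(sorted(added & RISKY_CAPS)))
    return sorted(findings)

def audit(doc):  # (namespace, name) -> findings for every pod in a list document
    return {(p["metadata"]["namespace"], p["metadata"]["name"]): audit_pod(p)
            for p in doc["items"]}

# Constructed sample: one hardened pod and one with several weak settings.
SAMPLE = {"items": [
    {"metadata": {"namespace": "prod", "name": "api"},
     "spec": {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
              "containers": [{"name": "app", "securityContext": {
                  "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}},
    {"metadata": {"namespace": "dev", "name": "debug"},
     "spec": {"containers": [{"name": "shell", "securityContext": {"runAsUser": 0,
                  "capabilities": {"add": ["NET_BIND_SERVICE", "CAP_SYS_ADMIN"]}}}],
              "initContainers": [{"name": "setup", "securityContext": {"privileged": True}}]}}]}

if __name__ == "__main__":  # pass a pods.json path, or run on the sample
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for (ns, name), found in audit(doc).items():
        print(f"{ns}\t{name}\t{','.join(found) or 'ok'}")
```

Run it as `python3 audit.py pods.json` against real output; the sample prints `prod api ok` and one line listing every finding for `dev debug`.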