laurobmb · August 27, 2025 17:34
diff --git a/search_privileged_pod.yml b/search_privileged_pod.yml
 ---
 - name: Buscar por pods com acesso privilegiado
  hosts: localhost
  gather_facts: false

  tasks:
    - name: Obter todos os pods de todos os namespaces
      kubernetes.core.k8s_info:
        api_version: v1
        kind: Pod
 #        namespace: privileged-test
      register: all_pods_info

 #    - name: Listar containers privilegiados
 #      ansible.builtin.debug:
 #        var: item.spec.containers
 #      loop: "{{ all_pods_info.resources }}"

    - name: Listar containers privilegiados
      ansible.builtin.debug:
        msg: |
          ⚠️ Pod privilegiado encontrado:
          Pod: {{ item.0.metadata.name }}
          Namespace: {{ item.0.metadata.namespace }}
          Container: {{ item.1.name }}
          Privileged: {{ item.1.securityContext.privileged | default(false) }}
      loop: >
        {{ all_pods_info.resources | subelements('spec.containers', skip_missing=True)
        + all_pods_info.resources | subelements('spec.initContainers', skip_missing=True) }}
      loop_control:
        label: "{{ item.0.metadata.namespace }}/{{ item.0.metadata.name }} -> {{ item.1.name }}"
      when: item.1.securityContext is defined
            and (item.1.securityContext.privileged | default(false) | bool)

    - name: Gerar documento AsciiDoc com pods privilegiados
      vars:
        asciidoc_content: |
          = Relatório de Pods Privilegiados
          :toc:
          :doctype: article
          :icons: font
          :sectnums:

          == Pods Privilegiados

          [cols="3,3,2", options="header"]
          |===
          |Namespace |Pod |Container

          {% for pod, container in all_pods_info.resources | subelements('spec.containers', skip_missing=True) +
                                all_pods_info.resources | subelements('spec.initContainers', skip_missing=True) %}
          {% if container.securityContext is defined and container.securityContext.privileged | default(false) | bool %}
          |{{ pod.metadata.namespace }} |{{ pod.metadata.name }} |{{ container.name }}
          {% endif %}
          {% endfor %}
          |===
      ansible.builtin.copy:
        content: "{{ asciidoc_content }}"
        dest: "/tmp/pods_privilegiados.adoc"
        mode: '0644'
        owner: root
        group: root
	---
	- name: Buscar por pods com acesso privilegiado
	hosts: localhost
	gather_facts: false

	tasks:
	- name: Obter todos os pods de todos os namespaces
	kubernetes.core.k8s_info:
	api_version: v1
	kind: Pod
	# namespace: privileged-test
	register: all_pods_info

	# - name: Listar containers privilegiados
	# ansible.builtin.debug:
	# var: item.spec.containers
	# loop: "{{ all_pods_info.resources }}"

	- name: Listar containers privilegiados
	ansible.builtin.debug:
	msg: \|
	⚠️ Pod privilegiado encontrado:
	Pod: {{ item.0.metadata.name }}
	Namespace: {{ item.0.metadata.namespace }}
	Container: {{ item.1.name }}
	Privileged: {{ item.1.securityContext.privileged \| default(false) }}
	loop: >
	{{ all_pods_info.resources \| subelements('spec.containers', skip_missing=True)
	+ all_pods_info.resources \| subelements('spec.initContainers', skip_missing=True) }}
	loop_control:
	label: "{{ item.0.metadata.namespace }}/{{ item.0.metadata.name }} -> {{ item.1.name }}"
	when: item.1.securityContext is defined
	and (item.1.securityContext.privileged \| default(false) \| bool)

	- name: Gerar documento AsciiDoc com pods privilegiados
	vars:
	asciidoc_content: \|
	= Relatório de Pods Privilegiados
	:toc:
	:doctype: article
	:icons: font
	:sectnums:

	== Pods Privilegiados

	[cols="3,3,2", options="header"]
	\|===
	\|Namespace \|Pod \|Container

	{% for pod, container in all_pods_info.resources \| subelements('spec.containers', skip_missing=True) +
	all_pods_info.resources \| subelements('spec.initContainers', skip_missing=True) %}
	{% if container.securityContext is defined and container.securityContext.privileged \| default(false) \| bool %}
	\|{{ pod.metadata.namespace }} \|{{ pod.metadata.name }} \|{{ container.name }}
	{% endif %}
	{% endfor %}
	\|===
	ansible.builtin.copy:
	content: "{{ asciidoc_content }}"
	dest: "/tmp/pods_privilegiados.adoc"
	mode: '0644'
	owner: root
	group: root
No results found