Add ip[6]tables support for Pod Identity feature

Pod Identity introduced back at Dec 28, 2023 - https://aws.amazon.com/blogs/containers/amazon-eks-pod-identity-a-new-way-for-applications-on-eks-to-obtain-iam-credentials/ According to public documentation, Pod Identity uses the hostNetwork of the node and it uses port `80` and port `2703` on a link-local address on the node. This address is 169.254.170.23 for IPv4 and [fd00:ec2::23] for IPv6 clusters, - https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html#pod-id-considerations - https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html Adding it into default iptables/ip6tables would be required.
aws-samples · Dec 16, 2024 · a2995cc · a2995cc
1 parent 6bd434c
commit a2995cc
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 3 deletions.
diff --git a/cis-bottlerocket-benchmark-eks/bottlerocket-cis-bootstrap-image/bootstrap-script.sh b/cis-bottlerocket-benchmark-eks/bottlerocket-cis-bootstrap-image/bootstrap-script.sh
@@ -8,9 +8,13 @@ iptables -P INPUT DROP
 iptables -P OUTPUT DROP
 iptables -P FORWARD DROP
 
-# Allow inbound traffic for kubelet (so kubectl logs/exec works)
+# 3.4.1.1.1 Allow inbound traffic for kubelet (so kubectl logs/exec works)
 iptables -I INPUT -p tcp -m tcp --dport 10250 -j ACCEPT
 
+# 3.4.1.1.2 Allow inbound traffic to communicate with Pod Identity
+iptables -I INPUT -d 169.254.170.23/32 -p tcp -m tcp --dport 80 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+iptables -I INPUT -d 169.254.170.23/32 -p tcp -m tcp --dport 2703 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+
 # 3.4.1.2 Ensure IPv4 loopback traffic is configured (Automated)
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
@@ -32,9 +36,13 @@ ip6tables -P INPUT DROP
 ip6tables -P OUTPUT DROP
 ip6tables -P FORWARD DROP
 
-# Allow inbound traffic for kubelet on ipv6 if needed (so kubectl logs/exec works)
+# 3.4.2.1.1 Allow inbound traffic for kubelet on ipv6 if needed (so kubectl logs/exec works)
 ip6tables -A INPUT -p tcp --destination-port 10250 -j ACCEPT
 
+# 3.4.2.1.2 Allow inbound traffic to communicate with Pod Identity
+ip6tables -I INPUT -d fd00:ec2::23/128 -p tcp -m tcp --dport 80 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+ip6tables -I INPUT -d fd00:ec2::23/128 -p tcp -m tcp --dport 2703 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+
 # 3.4.2.2 Ensure IPv6 loopback traffic is configured (Automated)
 ip6tables -A INPUT -i lo -j ACCEPT
 ip6tables -A OUTPUT -o lo -j ACCEPT

diff --git a/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh b/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh
@@ -8,7 +8,7 @@ echo "This tool validates the Amazon EKS optimized AMI against CIS Bottlerocket
 
 
 Num_Of_Checks_Passed=0
-Total_Num_Of_Checks=26
+Total_Num_Of_Checks=30
 
 function checkSysctlConfig()
 {
@@ -285,6 +285,33 @@ else
     echo "Error Message: inputChain=$inputChain ForwardChain=$ForwardChain OutputChain=$OutputChain"
 fi
 
+RECOMMENDATION="3.4.1.1.1 Allow inbound traffic for kubelet"
+InputKubeletAccept=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep "dpt:10250")
+if [[ ! -z "$InputKubeletAccept" ]];
+then
+    echo "[PASS] $RECOMMENDATION"
+    Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+    echo "[FAIL] $RECOMMENDATION"
+    echo "Error Message: Rule for allowing inbound traffic for kubelet not found"
+fi
+#echo $InputKubeletAccept
+
+
+RECOMMENDATION="3.4.1.1.2 Allow inbound traffic to communicate with Pod Identity"
+InputPodIdentityAccept1=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep "169.254.170.23/32" | grep "dpt:80")
+InputPodIdentityAccept2=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep "169.254.170.23/32" | grep "dpt:2703")
+if [[ ! -z "$InputPodIdentityAccept1" ]] && [[ ! -z "$InputPodIdentityAccept2" ]];
+then
+    echo "[PASS] $RECOMMENDATION"
+    Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+    echo "[FAIL] $RECOMMENDATION"
+    echo "Error Message: Rule for allowing inbound traffic for Pod Identity not found"
+fi
+#echo $InputPodIdentityAccept
+
+
 RECOMMENDATION="3.4.1.2 Ensure IPv4 loopback traffic is configured (Automated)"
 InputAccept=$(iptables -L INPUT -v -n | grep "ACCEPT     all" | awk '{print $8}')
 if [[ -z "$InputAccept" ]];
@@ -396,6 +423,33 @@ else
 fi
 
 
+RECOMMENDATION="3.4.2.1.1 Allow inbound traffic for kubelet"
+InputKubeletAccept=$(ip6tables -L INPUT -v -n | grep "ACCEPT" | grep "dpt:10250")
+if [[ ! -z "$InputKubeletAccept" ]];
+then
+    echo "[PASS] $RECOMMENDATION"
+    Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+    echo "[FAIL] $RECOMMENDATION"
+    echo "Error Message: Rule for allowing inbound traffic for kubelet not found"
+fi
+#echo $InputKubeletAccept
+
+
+RECOMMENDATION="3.4.2.1.2 Allow inbound traffic to communicate with Pod Identity"
+InputPodIdentityAccept1=$(ip6tables -L INPUT -v -n | grep "ACCEPT" | grep "fd00:ec2::23/128" | grep "dpt:80")
+InputPodIdentityAccept2=$(ip6tables -L INPUT -v -n | grep "ACCEPT" | grep "fd00:ec2::23/128" | grep "dpt:2703")
+if [[ ! -z "$InputPodIdentityAccept1" ]] && [[ ! -z "$InputPodIdentityAccept2" ]];
+then
+    echo "[PASS] $RECOMMENDATION"
+    Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+    echo "[FAIL] $RECOMMENDATION"
+    echo "Error Message: Rule for allowing inbound traffic for Pod Identity not found"
+fi
+#echo $InputPodIdentityAccept
+
+
 RECOMMENDATION="3.4.2.2 Ensure IPv6 loopback traffic is configured (Automated)"
 InputAccept=$(ip6tables -L INPUT -v -n | grep "ACCEPT     all" | awk '{print $7}')
 if [[ -z "$InputAccept" ]];