From e0406809e5399a827e651aef969fbc7286328569 Mon Sep 17 00:00:00 2001
From: guessi
Date: Mon, 16 Dec 2024 12:12:03 +0800
Subject: [PATCH] Add ip[6]tables support for Pod Identity feature

Pod Identity introduced back at Dec 28, 2023
- https://aws.amazon.com/blogs/containers/amazon-eks-pod-identity-a-new-way-for-applications-on-eks-to-obtain-iam-credentials/
According to public documentation, Pod Identity uses the hostNetwork of the node and it uses port `80` and port `2703` on a link-local address on the node. This address is `169.254.170.23` for IPv4 and `[fd00:ec2::23]` for IPv6 clusters,
- https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html#pod-id-considerations
- https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html
Adding it into default iptables/ip6tables would be required.
---
 .../bootstrap-script.sh | 12 +++-
 .../validating-script.sh | 56 ++++++++++++++++++-
 2 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/cis-bottlerocket-benchmark-eks/bottlerocket-cis-bootstrap-image/bootstrap-script.sh b/cis-bottlerocket-benchmark-eks/bottlerocket-cis-bootstrap-image/bootstrap-script.sh
index 1ea0738..ca6f5b4 100644
--- a/cis-bottlerocket-benchmark-eks/bottlerocket-cis-bootstrap-image/bootstrap-script.sh
+++ b/cis-bottlerocket-benchmark-eks/bottlerocket-cis-bootstrap-image/bootstrap-script.sh
@@ -8,9 +8,13 @@
 iptables -P INPUT DROP
 iptables -P OUTPUT DROP
 iptables -P FORWARD DROP
-# Allow inbound traffic for kubelet (so kubectl logs/exec works)
+# 3.4.1.1.1 Allow inbound traffic for kubelet (so kubectl logs/exec works)
 iptables -I INPUT -p tcp -m tcp --dport 10250 -j ACCEPT
+# 3.4.1.1.2 Allow inbound traffic to communicate with Pod Identity
+iptables -I INPUT -d 169.254.170.23/32 -p tcp -m tcp --dport 80 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+iptables -I INPUT -d 169.254.170.23/32 -p tcp -m tcp --dport 2703 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+
 # 3.4.1.2 Ensure IPv4 loopback traffic is configured (Automated)
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
@@ -32,9 +36,13 @@
 ip6tables -P INPUT DROP
 ip6tables -P OUTPUT DROP
 ip6tables -P FORWARD DROP
-# Allow inbound traffic for kubelet on ipv6 if needed (so kubectl logs/exec works)
+# 3.4.2.1.1 Allow inbound traffic for kubelet on ipv6 if needed (so kubectl logs/exec works)
 ip6tables -A INPUT -p tcp --destination-port 10250 -j ACCEPT
+# 3.4.2.1.2 Allow inbound traffic to communicate with Pod Identity
+ip6tables -I INPUT -d fd00:ec2::23/128 -p tcp -m tcp --dport 80 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+ip6tables -I INPUT -d fd00:ec2::23/128 -p tcp -m tcp --dport 2703 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+
 # 3.4.2.2 Ensure IPv6 loopback traffic is configured (Automated)
 ip6tables -A INPUT -i lo -j ACCEPT
 ip6tables -A OUTPUT -o lo -j ACCEPT
diff --git a/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh b/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh
index ddf1367..133339e 100644
--- a/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh
+++ b/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh
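Review bot: The new comment labels `3.4.1.1.1` / `3.4.1.1.2` (and `3.4.2.1.1` / `3.4.2.1.2` in the ip6tables hunk) read like CIS recommendation ids, but the kubelet and Pod Identity allow rules are EKS-specific additions, unlike `3.4.1.2 Ensure IPv4 loopback traffic is configured (Automated)` on the following lines; presumably the benchmark has no such sub-items, so someone auditing the script against the benchmark will not find them. I would keep the numbering if something depends on it but state what it is, e.g. `# 3.4.1.1.2 (EKS addition, not a CIS item) Allow inbound traffic to the Pod Identity agent on 169.254.170.23, ports 80 and 2703`, and the same for the IPv6 block. The two rules per address family could also be a single rule with `-m multiport --dports 80,2703`, which keeps the rule set shorter for the same effect. Note also that the ip6tables kubelet rule on the context line still uses `-A` and `--destination-port` while the new rules use `-I` and `-m tcp --dport`; aligning them would make the two families easier to compare.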
@@ -8,7 +8,7 @@ echo "This tool validates the Amazon EKS optimized AMI against CIS Bottlerocket
 Num_Of_Checks_Passed=0
-Total_Num_Of_Checks=26
+Total_Num_Of_Checks=30
 function checkSysctlConfig() {
@@ -285,6 +285,33 @@ else
 echo "Error Message: inputChain=$inputChain ForwardChain=$ForwardChain OutputChain=$OutputChain"
 fi
+RECOMMENDATION="3.4.1.1.1 Allow inbound traffic for kubelet"
+InputKubeletAccept=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep "dpt:10250")
+if [[ ! -z "$InputKubeletAccept" ]];
+then
+  echo "[PASS] $RECOMMENDATION"
+  Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+  echo "[FAIL] $RECOMMENDATION"
+  echo "Error Message: Rule for allowing inbound traffic for kubelet not found"
+fi
+#echo $InputKubeletAccept
+
+
+RECOMMENDATION="3.4.1.1.2 Allow inbound traffic to communicate with Pod Identity"
+InputPodIdentityAccept1=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep "169.254.170.23/32" | grep "dpt:80")
+InputPodIdentityAccept2=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep "169.254.170.23/32" | grep "dpt:2703")
+if [[ ! -z "$InputPodIdentityAccept1" ]] && [[ ! -z "$InputPodIdentityAccept2" ]];
+then
+  echo "[PASS] $RECOMMENDATION"
+  Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+  echo "[FAIL] $RECOMMENDATION"
+  echo "Error Message: Rule for allowing inbound traffic for Pod Identity not found"
+fi
+#echo $InputPodIdentityAccept
+
+
 RECOMMENDATION="3.4.1.2 Ensure IPv4 loopback traffic is configured (Automated)"
 InputAccept=$(iptables -L INPUT -v -n | grep "ACCEPT all" | awk '{print $8}')
 if [[ -z "$InputAccept" ]];
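Review bot: The `grep "169.254.170.23/32"` filters in the two `InputPodIdentityAccept` assignments will, as far as I know, never match, because `iptables -L -v -n` prints a single-host destination as the bare address without the `/32` mask; check 3.4.1.1.2 would then report FAIL even when the bootstrap rules are present, and the same holds for `fd00:ec2::23/128` in the ip6tables hunk (`@@ -396,6 +423,33 @@`), so this is worth verifying on a node. `grep "dpt:80"` is also a plain substring match that a `dpt:8080` rule would satisfy. I would match the bare address as a fixed string and whole words for the port: `InputPodIdentityAccept1=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep -Fw "169.254.170.23" | grep -w "dpt:80")` and likewise with `grep -w "dpt:2703"` for the second variable, mirrored in the ip6tables checks. The leftover `#echo $InputPodIdentityAccept` in both hunks names a variable that does not exist (the real ones are `...Accept1` and `...Accept2`) and should be dropped.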
@@ -396,6 +423,33 @@ else
 fi
+RECOMMENDATION="3.4.2.1.1 Allow inbound traffic for kubelet"
+InputKubeletAccept=$(ip6tables -L INPUT -v -n | grep "ACCEPT" | grep "dpt:10250")
+if [[ ! -z "$InputKubeletAccept" ]];
+then
+  echo "[PASS] $RECOMMENDATION"
+  Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+  echo "[FAIL] $RECOMMENDATION"
+  echo "Error Message: Rule for allowing inbound traffic for kubelet not found"
+fi
+#echo $InputKubeletAccept
+
+
+RECOMMENDATION="3.4.2.1.2 Allow inbound traffic to communicate with Pod Identity"
+InputPodIdentityAccept1=$(ip6tables -L INPUT -v -n | grep "ACCEPT" | grep "fd00:ec2::23/128" | grep "dpt:80")
+InputPodIdentityAccept2=$(ip6tables -L INPUT -v -n | grep "ACCEPT" | grep "fd00:ec2::23/128" | grep "dpt:2703")
+if [[ ! -z "$InputPodIdentityAccept1" ]] && [[ ! -z "$InputPodIdentityAccept2" ]];
+then
+  echo "[PASS] $RECOMMENDATION"
+  Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+  echo "[FAIL] $RECOMMENDATION"
+  echo "Error Message: Rule for allowing inbound traffic for Pod Identity not found"
+fi
+#echo $InputPodIdentityAccept
+
+
 RECOMMENDATION="3.4.2.2 Ensure IPv6 loopback traffic is configured (Automated)"
 InputAccept=$(ip6tables -L INPUT -v -n | grep "ACCEPT all" | awk '{print $7}')
 if [[ -z "$InputAccept" ]];