Exclude EKS system account ID China region

fluxcd · Apr 7, 2020 · 8cdca51 · 8cdca51
1 parent d316e04
commit 8cdca51
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/cmd/fluxd/main.go b/cmd/fluxd/main.go
@@ -165,7 +165,7 @@ func main() {
 		// AWS authentication
 		registryAWSRegions         = fs.StringSlice("registry-ecr-region", nil, "include just these AWS regions when scanning images in ECR; when not supplied, the cluster's region will included if it can be detected through the AWS API")
 		registryAWSAccountIDs      = fs.StringSlice("registry-ecr-include-id", nil, "restrict ECR scanning to these AWS account IDs; if not supplied, all account IDs that aren't excluded may be scanned")
-		registryAWSBlockAccountIDs = fs.StringSlice("registry-ecr-exclude-id", []string{registry.EKS_SYSTEM_ACCOUNT}, "do not scan ECR for images in these AWS account IDs; the default is to exclude the EKS system account")
+		registryAWSBlockAccountIDs = fs.StringSlice("registry-ecr-exclude-id", []string{registry.EKS_SYSTEM_ACCOUNT, registry.EKS_SYSTEM_ACCOUNT_CN}, "do not scan ECR for images in these AWS account IDs; the default is to exclude the EKS system accounts")
 
 		registryRequire = fs.StringSlice("registry-require", nil, fmt.Sprintf(`exit with an error if auto-authentication with any of the given registries is not possible (possible values: {%s})`, strings.Join(RequireValues, ",")))
 

diff --git a/pkg/registry/aws.go b/pkg/registry/aws.go
@@ -34,6 +34,7 @@ const (
 	embargoDuration = 10 * time.Minute
 
 	EKS_SYSTEM_ACCOUNT = "602401143452"
+	EKS_SYSTEM_ACCOUNT_CN = "918309763551"
 )
 
 // AWSRegistryConfig supplies constraints for scanning AWS (ECR) image