add AWSAdapterConfig policies

config/samples/policies/check-cluster-endpoint.yaml

@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-cluster-endpoint
+  annotations:
+    policies.kyverno.io/title: Check Public Endpoint
+    policies.kyverno.io/category: EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      Cluster endpoint should not be public.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: check-cluster-endpoint
+      match:
+        any:
+        - resources:
+            kinds:
+              - AWSAdapterConfig
+      validate:
+        message: "The cluster endpoint should not be public. The field status.eksCluster.networking.vpc.endpointPublicAccess must equal false."
+        pattern:
+          status:
+            eksCluster:
+              networking:
+                vpc:
+                  endpointPublicAccess: "false"

config/samples/policies/check-cluster-logging.yaml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-cluster-logging
+  annotations:
+    policies.kyverno.io/title: Check Cluster Logging
+    policies.kyverno.io/category: EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      Cluster logging should be enabled.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: check-cluster-audit-logging
+      match:
+        any:
+        - resources:
+            kinds:
+              - AWSAdapterConfig
+      validate:
+        message: "Audit logging should be enabled. The field status.eksCluster.logging.audit must equal true."
+        pattern:
+          status:
+            eksCluster:
+              logging:
+                audit: true

config/samples/policies/check-cluster-remote-access.yaml

@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-cluster-remote-access
+  annotations:
+    policies.kyverno.io/title: Check Cluster Remote Access
+    policies.kyverno.io/category: EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      Cluster remote access should be disabled.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: check-cluster-remote-access
+      match:
+        any:
+        - resources:
+            kinds:
+              - AWSAdapterConfig
+      validate:
+        message: "Remote access should be disabled. The field status.eksCluster.compute.nodeGroups must not define remoteAccessConfig."
+        pattern:
+          status:
+            eksCluster:
+              compute:
+                nodeGroups:
+                  - X(remoteAccessConfig): "null"

config/samples/policies/check-cluster-rolearn.yaml

@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-cluster-rolearn
+  annotations:
+    policies.kyverno.io/title: Check Cluster Role ARN
+    policies.kyverno.io/category: EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      Incorrect cluster role ARN is used. Requires customization with your role ARN.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: check-cluster-role-arn
+      match:
+        any:
+        - resources:
+            kinds:
+              - AWSAdapterConfig
+      validate:
+        message: "Invalid cluster role ARN is being used. The field status.eksCluster.roleArn must be set to arn:aws:iam::844333597536:role/standard-eks-role."
+        pattern:
+          status:
+            eksCluster:
+              roleArn: arn:aws:iam::844333597536:role/standard-eks-role

config/samples/policies/check-cluster-secrets-encryption.yaml

@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-cluster-secrets-encryption
+  annotations:
+    policies.kyverno.io/title: Check Cluster Secrets Encryption
+    policies.kyverno.io/category: EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      Cluster secrets encryption should be enabled.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: check-cluster-secrets-encryption
+      match:
+        any:
+        - resources:
+            kinds:
+              - AWSAdapterConfig
+      validate:
+        message: "Secrets encryption should be enabled. The field status.eksCluster.encryptionConfig must be defined."
+        deny:
+          conditions:
+            all:
+            - key: "{{ request.object.status.eksCluster.encryptionConfig[].keys(@) || `[]` | length(@) }}"
+              operator: Equals
+              value: 0

config/samples/policies/check-cluster-tags.yaml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-cluster-tags
+  annotations:
+    policies.kyverno.io/title: Check Cluster Tags
+    policies.kyverno.io/category: EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      Required tags are missing on the cluster.  
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: check-department-tag
+      match:
+        any:
+        - resources:
+            kinds:
+              - AWSAdapterConfig
+      validate:
+        message: "The `department` tag on the cluster is required. The field status.eksConfig.tags.department must exist with some value."
+        pattern:
+          status:
+            eksConfig:
+              tags:
+                department: "?*"