add AWSAdapterConfig policies #26

Merged
merged 3 commits into from
Dec 1, 2022
29 changes: 29 additions & 0 deletions policies/check-cluster-endpoint.yaml
@@ -0,0 +1,29 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-cluster-endpoint
annotations:
policies.kyverno.io/title: Check Public Endpoint
policies.kyverno.io/category: EKS Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Cluster
policies.kyverno.io/description: >-
Cluster endpoint should not be public.
spec:
validationFailureAction: audit
background: true
rules:
- name: check-cluster-endpoint
match:
any:
- resources:
kinds:
- AWSAdapterConfig
validate:
message: "The cluster endpoint should not be public. The field status.eksCluster.networking.vpc.endpointPublicAccess must equal false."
pattern:
status:
eksCluster:
networking:
vpc:
endpointPublicAccess: "false"
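Review bot: every rule in this PR validates fields under `status`, which the AWSAdapterConfig controller fills in only after the object has been admitted, so an AWSAdapterConfig that reaches the webhook on CREATE has no `status` and fails `status.eksCluster.networking.vpc.endpointPublicAccess: "false"` as a missing element, not because the endpoint is public. `validationFailureAction: audit` with `background: true` is the right pairing here (the background scan is where the check is meaningful), but add a `preconditions` block that skips the rule until `status.eksCluster` is populated, otherwise the policy report fills with false positives for every newly created object. Also, `"false"` is a quoted string here while check-cluster-logging uses an unquoted boolean `true`; Kyverno compares a string pattern against a boolean field by its string form, so both work, but use one style across the set.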
28 changes: 28 additions & 0 deletions policies/check-cluster-logging.yaml
@@ -0,0 +1,28 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-cluster-logging
annotations:
policies.kyverno.io/title: Check Cluster Logging
policies.kyverno.io/category: EKS Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Cluster
policies.kyverno.io/description: >-
Cluster logging should be enabled.
spec:
validationFailureAction: audit
background: true
rules:
- name: check-cluster-audit-logging
match:
any:
- resources:
kinds:
- AWSAdapterConfig
validate:
message: "Audit logging should be enabled. The field status.eksCluster.logging.audit must equal true."
pattern:
status:
eksCluster:
logging:
audit: true
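Review bot: the title (`Check Cluster Logging`) and description (`Cluster logging should be enabled.`) promise more than the rule enforces, which is only `status.eksCluster.logging.audit: true`; EKS control-plane logging has other log types (api, authenticator, controllerManager, scheduler), and a reader of the report will assume they are covered too. Either narrow the title and description to audit logging, matching the rule name `check-cluster-audit-logging`, or add a rule per log type the CRD exposes under `status.eksCluster.logging`.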
29 changes: 29 additions & 0 deletions policies/check-cluster-remote-access.yaml
@@ -0,0 +1,29 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-cluster-remote-access
annotations:
policies.kyverno.io/title: Check Cluster Remote Access
policies.kyverno.io/category: EKS Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Cluster
policies.kyverno.io/description: >-
Cluster remote access should be disabled.
spec:
validationFailureAction: audit
background: true
rules:
- name: check-cluster-remote-access
match:
any:
- resources:
kinds:
- AWSAdapterConfig
validate:
message: "Remote access should be disabled. The field status.eksCluster.compute.nodeGroups must not define remoteAccessConfig."
pattern:
status:
eksCluster:
compute:
nodeGroups:
- X(remoteAccessConfig): "null"
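Review bot: `nodeGroups` is a required key in this pattern, so a cluster with no node groups under `status.eksCluster.compute` (or with `compute` absent) is reported as a violation with a missing-element failure rather than a remote-access finding. Use the equality anchor, `=(nodeGroups):`, so the list is only evaluated when present; the `X(remoteAccessConfig): "null"` negation anchor is then applied to every element of the list, which is the intended semantics (any single node group that defines remote access fails the rule).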
27 changes: 27 additions & 0 deletions policies/check-cluster-rolearn.yaml
@@ -0,0 +1,27 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-cluster-rolearn
annotations:
policies.kyverno.io/title: Check Cluster Role ARN
policies.kyverno.io/category: EKS Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Cluster
policies.kyverno.io/description: >-
Incorrect cluster role ARN is used. Requires customization with your role ARN.
spec:
validationFailureAction: audit
background: true
rules:
- name: check-cluster-role-arn
match:
any:
- resources:
kinds:
- AWSAdapterConfig
validate:
message: "Invalid cluster role ARN is being used. The field status.eksCluster.roleArn must be set to arn:aws:iam::844333597536:role/standard-eks-role."
pattern:
status:
eksCluster:
roleArn: arn:aws:iam::844333597536:role/standard-eks-role
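Review bot: the account-specific ARN `arn:aws:iam::844333597536:role/standard-eks-role` is hard-coded twice, in `message` and in `pattern`, while the description says the policy "Requires customization with your role ARN." Someone who edits only the pattern ships a misleading message, and someone who applies the file unchanged gets a failing report for every cluster. Load the expected ARN once from a ConfigMap through a `context` entry and reference it as a variable in both fields, or at least replace the literal with an obvious placeholder so it cannot be applied as-is. Also, the description is phrased as a failure ("Incorrect cluster role ARN is used.") while the sibling policies describe the desired state; align it.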
29 changes: 29 additions & 0 deletions policies/check-cluster-secrets-encryption.yaml
@@ -0,0 +1,29 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-cluster-secrets-encryption
annotations:
policies.kyverno.io/title: Check Cluster Secrets Encryption
policies.kyverno.io/category: EKS Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Cluster
policies.kyverno.io/description: >-
Cluster secrets encryption should be enabled.
spec:
validationFailureAction: audit
background: true
rules:
- name: check-cluster-secrets-encryption
match:
any:
- resources:
kinds:
- AWSAdapterConfig
validate:
message: "Secrets encryption should be enabled. The field status.eksCluster.encryptionConfig must be defined."
deny:
conditions:
all:
- key: "{{ request.object.status.eksCluster.encryptionConfig[].keys(@) || `[]` | length(@) }}"
operator: Equals
value: 0
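Review bot: the JMESPath in the deny condition works (an absent `encryptionConfig` yields `null`, the `||` substitutes an empty list, and `length` returns 0) but the `[].keys(@)` projection adds nothing, since the result is the number of entries either way; `length(request.object.status.eksCluster.encryptionConfig || `[]`)` expresses the same check and is easier to audit. More importantly, the rule only proves the list is non-empty; it does not check that the entry actually covers secrets (an EKS `encryptionConfig` entry lists the `resources` it applies to), so if the CRD mirrors that field, assert on it too, otherwise the message "Secrets encryption should be enabled" overstates what was verified.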
28 changes: 28 additions & 0 deletions policies/check-cluster-tags.yaml
@@ -0,0 +1,28 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-cluster-tags
annotations:
policies.kyverno.io/title: Check Cluster Tags
policies.kyverno.io/category: EKS Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Cluster
policies.kyverno.io/description: >-
Required tags are missing on the cluster.
spec:
validationFailureAction: audit
background: true
rules:
- name: check-department-tag
match:
any:
- resources:
kinds:
- AWSAdapterConfig
validate:
message: "The `department` tag on the cluster is required. The field status.eksConfig.tags.department must exist with some value."
pattern:
status:
eksConfig:
tags:
department: "?*"
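Review bot: this is the only policy that reads `status.eksConfig` (in both `message` and `pattern`); the other five read `status.eksCluster`. If the CRD has no `eksConfig` key under `status`, the pattern fails for every AWSAdapterConfig as a missing element and the report will show every cluster as lacking a `department` tag. Please confirm the path against the CRD schema. Separately, the policy is named `check-cluster-tags` and the description says "Required tags" in the plural, yet the single rule checks only `department`; add a rule per required tag or narrow the wording. The `"?*"` wildcard is correct for "exists with a non-empty value".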