feat: close gaps in EKS Best Practices #53

Merged 6 commits on Jan 5, 2023

Conversation

kumar-mallikarjuna (Contributor) commented Jan 4, 2023

Issue

Changes

  1. Ensure workers are deployed to private subnets
    a. Example payload here
    b. Example code

    Added reservations field.

  2. Run Amazon Inspector
    a. Example payload here
    b. Example code

    Added accountData.

  3. Check VPC Flow Logs
    a. Example payload here
    b. Example code
    c. Need to do a second call to EC2 API to get VPC Flow Log information

    Added flowLogsEnabled.

  4. Check access to instance profile
    a. Example payload here
    b. Example code

    Added httpPutResponseHopLimit.

  5. Use immutable tags with ECR
    a. Example payload here
    b. Example code

    Added ecrRepositories.

Sample CR

apiVersion: security.nirmata.io/v1alpha1
kind: AWSAdapterConfig
metadata:
  annotations:
    meta.helm.sh/release-name: kyverno-aws-adapter
    meta.helm.sh/release-namespace: nirmata-aws-adapter
  creationTimestamp: "2023-01-04T06:34:39Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: kyverno-aws-adapter
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kyverno-aws-adapter
    app.kubernetes.io/version: v0.1.0
    helm.sh/chart: kyverno-aws-adapter-v0.1.1
  name: kyverno-aws-adapter
  namespace: nirmata-aws-adapter
  resourceVersion: "368060"
  uid: 0f9a851a-0b34-4995-8df4-575aed940e48
spec:
  name: aws-kyverno-adapter-test
  region: us-west-1
status:
  accountData:
    id: "844333597536"
    inspectorEnabledEC2: false
    inspectorEnabledECR: false
  ecrRepositories:
  - imageTagMutable: false
    repositoryName: nirmata/busybox
    repositoryUri: 844333597536.dkr.ecr.us-west-1.amazonaws.com/nirmata/busybox
  - imageTagMutable: false
    repositoryName: nirmata/nginx
    repositoryUri: 844333597536.dkr.ecr.us-west-1.amazonaws.com/nirmata/nginx
  eksCluster:
    addons:
    - coredns
    - kube-proxy
    - vpc-cni
    arn: arn:aws:eks:us-west-1:844333597536:cluster/aws-kyverno-adapter-test
    certificate: <>
    compute:
      nodeGroups:
      - amiReleaseVersion: 1.22.15-20221222
        amiType: AL2_x86_64
        capacityType: ON_DEMAND
        createdAt: 2023-01-03 05:38:54.36 +0000 UTC
        diskSize: 20
        instanceTypes:
        - t3.medium
        name: node-group-0
        nodeGroupArn: arn:aws:eks:us-west-1:844333597536:nodegroup/aws-kyverno-adapter-test/node-group-0/16c2bb11-e0e6-2543-810b-17f7541a580a
        nodeRole: arn:aws:iam::844333597536:role/viv-worker-node-policy
        resources:
          autoScalingGroups:
          - eks-node-group-0-16c2bb11-e0e6-2543-810b-17f7541a580a
        scalingConfig:
          desiredSize: 1
          maxSize: 2
          minSize: 1
        status: ACTIVE
        subnets:
        - subnet-24778d42
        - subnet-3ee0f665
        updateConfig:
          maxUnavailable: 1
      reservations:
      - instances:
        - httpPutResponseHopLimit: 2
          publicDnsName: ec2-54-241-211-12.us-west-1.compute.amazonaws.com
    createdAt: 2023-01-03 04:36:08.965 +0000 UTC
    endpoint: https://AEC105B316714BE603A2BCEC5579D32A.yl4.us-west-1.eks.amazonaws.com
    kubernetesVersion: "1.22"
    logging:
      apiServer: false
      audit: false
      authenticator: false
      controllerManager: false
      scheduler: false
    name: aws-kyverno-adapter-test
    networking:
      ipFamily: ipv4
      serviceIPv4CIDR: 10.100.0.0/16
      vpc:
        clusterSecurityGroupID: sg-08553dd5e9e264490
        endpointPublicAccess: true
        flowLogsEnabled: true
        publicAccessCIDRs:
        - 0.0.0.0/0
        subnetIDs:
        - subnet-24778d42
        - subnet-3ee0f665
        vpcID: vpc-1ef6fd79
    platformVersion: eks.9
    region: us-west-1
    roleArn: arn:aws:iam::844333597536:role/vivek-eks-role
    status: ACTIVE
    tags:
      DoNotDelete: ""
      alpha.eksctl.io/cluster-oidc-enabled: "true"
  lastPollInfo:
    status: success
    timestamp: "2023-01-04T13:35:23Z"
  lastUpdatedTimestamp: "2023-01-04T13:35:23Z"

New IAM Policy Requirements

"Actions": [
  "ec2:DescribeInstances",
  "ec2:DescribeFlowLogs",
  "ecr:DescribeRepositories",
  "inspector2:BatchGetAccountStatus"
]
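
As an added example, not part of this PR or the adapter's own code, the following Go check evaluates the status fields this PR adds against the five best practices listed above. It assumes the CR status serialized as JSON (the embedded sample is constructed, not taken from a real account) and treats a non-empty publicDnsName as the signal that a worker was not placed in a private subnet.

```go
package main

import "encoding/json"

// Subset of the AWSAdapterConfig status fields this PR adds. encoding/json matches keys
// case-insensitively, so these exported names line up with the CR's camelCase keys untagged.
type Instance struct {
	HTTPPutResponseHopLimit int
	PublicDNSName           string
}
type Status struct {
	AccountData     struct{ InspectorEnabledEC2, InspectorEnabledECR bool }
	ECRRepositories []struct{ ImageTagMutable bool; RepositoryName string }
	EKSCluster      struct {
		Compute    struct{ Reservations []struct{ Instances []Instance } }
		Networking struct{ VPC struct{ FlowLogsEnabled bool } }
	}
}
// Constructed sample status shaped like the PR's sample CR; every value here is made up.
const sampleStatus = `{"accountData":{"inspectorEnabledEC2":false,"inspectorEnabledECR":true},
 "ecrRepositories":[{"imageTagMutable":true,"repositoryName":"example/busybox"},{"imageTagMutable":false,"repositoryName":"example/nginx"}],
 "eksCluster":{"compute":{"reservations":[{"instances":[{"httpPutResponseHopLimit":2,"publicDnsName":"ec2-203-0-113-10.example.invalid"}]}]},
 "networking":{"vpc":{"flowLogsEnabled":false}}}}`
// Findings returns one message per EKS best-practice gap visible in the adapter status.
func Findings(statusJSON []byte) ([]string, error) {
	var s Status
	if err := json.Unmarshal(statusJSON, &s); err != nil {
		return nil, err
	}
	var out []string
	flag := func(bad bool, msg string) {
		if bad {
			out = append(out, msg)
		}
	}
	flag(!s.AccountData.InspectorEnabledEC2 || !s.AccountData.InspectorEnabledECR, "Amazon Inspector not enabled for both EC2 and ECR")
	flag(!s.EKSCluster.Networking.VPC.FlowLogsEnabled, "VPC Flow Logs disabled")
	for _, r := range s.ECRRepositories {
		flag(r.ImageTagMutable, "mutable image tags allowed: "+r.RepositoryName)
	}
	for _, res := range s.EKSCluster.Compute.Reservations {
		for _, i := range res.Instances {
			// Hop limit 1 keeps IMDS (and so the instance profile) unreachable from pod network namespaces.
			flag(i.HTTPPutResponseHopLimit > 1, "IMDS hop limit above 1 on "+i.PublicDNSName)
			// A public DNS name means the worker has a public IP, i.e. it is not in a private subnet.
			flag(i.PublicDNSName != "", "worker has public DNS name: "+i.PublicDNSName)
		}
	}
	return out, nil
}
```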

@kumar-mallikarjuna kumar-mallikarjuna changed the title feat: close gaps feat: close gaps in EKS Best Practices Jan 4, 2023
@pns-nirmata pns-nirmata merged commit e1c95ec into nirmata:main Jan 5, 2023
Successfully merging this pull request may close these issues.

Gaps to close