Add EKS Best practices policies

config/samples/policies/check-amazon-inspector.yaml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-amazon-inspector
+  annotations:
+    policies.kyverno.io/title: Check Amazon Inspector for EC2 and ECR
+    policies.kyverno.io/category: EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      Amazon Inspector is not enabled on both EC2 and ECR
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: check-amazon-inspector
+      match:
+        any:
+        - resources:
+            kinds:
+              - AWSAdapterConfig
+      validate:
+        message: "Amazon Inspector must be enabled on EC2 and ECR"
+        pattern:
+          status:
+            accountData:
+              inspectorEnabledEC2: true
+              inspectorEnabledECR: true

config/samples/policies/check-immutable-tags-ecr.yaml

@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-immutable-tags-ecr
+  annotations:
+    policies.kyverno.io/title: Check Immutable Tags for ECR
+    policies.kyverno.io/category: EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      Immutable tags are not enabled on all ECR repositories.  
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: check-immutable-tag
+      match:
+        any:
+        - resources:
+            kinds:
+              - AWSAdapterConfig
+      validate:
+        message: "The `imageTagMutable` field must set to true on all ECR repositories."
+        foreach:
+        - list: "request.object.status.ecrRepositories[]"
+          pattern:
+            imageTagMutable: true

config/samples/policies/check-instance-profile-access.yaml

@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-instance-profile-access
+  annotations:
+    policies.kyverno.io/title: Check Access to Instance Profile
+    policies.kyverno.io/category: EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      Restrict access to the instance profile assigned to nodes
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: check-instance-profile-access
+      match:
+        any:
+        - resources:
+            kinds:
+              - AWSAdapterConfig
+      validate:
+        message: "Restrict access to the instance profile assigned to nodes"
+        foreach:
+        - list: "request.object.status.eksCluster.compute.reservations[]"
+          pattern:
+            instances:
+            - httpPutResponseHopLimit: "!2"
+

config/samples/policies/check-public-dns.yaml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-public-dns
+  annotations:
+    policies.kyverno.io/title: Check Public DNSName
+    policies.kyverno.io/category: EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      Deploy workers onto private subnets. If a public DNSName exists, then it means the worker is deployed on a public subnet
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: check-public-dns
+      match:
+        any:
+        - resources:
+            kinds:
+              - AWSAdapterConfig
+      validate:
+        message: "Deploy workers onto private subnets. If a public DNSName exists, then it means the worker is deployed on a public subnet."
+        foreach:
+        - list: "request.object.status.eksCluster.compute.reservations[]"
+          pattern:
+            instances:
+            - X(publicDnsName): "null"

config/samples/policies/check-vpc-flow-logs.yaml

@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-vpc-flow-logs
+  annotations:
+    policies.kyverno.io/title: Check VPC Flow Logs
+    policies.kyverno.io/category: EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      VPC Flow logs are not enabled.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: check-vpc-flow-logs
+      match:
+        any:
+        - resources:
+            kinds:
+              - AWSAdapterConfig
+      validate:
+        message: "Flow logs must be enabled for the VPC"
+        pattern:
+          status:
+            eksCluster:
+              networking:
+                vpc:
+                  flowLogsEnabled: true