aws-samples / hardeneks

Runs checks to see if an EKS cluster follows EKS Best Practices.
https://aws-samples.github.io/hardeneks/
MIT No Attribution

System ClusterRoles should have '*' in Verbs or Resources and Maybe Others? #11

Closed joshkurz closed 1 year ago

joshkurz commented 1 year ago

Should there be a way to ignore a set of ClusterRoles from flagging this? We may want to allow some system level ClusterRoles to have * in them. This would allow for clusters that are spun up with basic settings to pass. I don't think any EKS clusters would actually pass this unless you go in and modify these directly. Which sounds worse than having this flag.

If there is no option to filter ClusterRoles, then there should at least be examples of how to properly set these ClusterRoles, without the user having to go through the hard work.

Here is an example of a fresh cluster that was just built.

──────────────────────────────────────────── ClusterRoles should not have '*' in Verbs or Resources ───────────────────────────────────────────────╮
│ ┏━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓                                                                           │
│ ┃ Kind        ┃ Namespace ┃ Name                                        ┃                                                                           │
│ ┡━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩                                                                           │
│ │ ClusterRole │           │ aws-node                                    │                                                                           │
│ │ ClusterRole │           │ cluster-admin                               │                                                                           │
│ │ ClusterRole │           │ cluster-admin                               │                                                                           │
│ │ ClusterRole │           │ cluster-admin                               │                                                                           │
│ │ ClusterRole │           │ eks:addon-manager                           │                                                                           │
│ │ ClusterRole │           │ eks:cloud-controller-manager                │                                                                           │
│ │ ClusterRole │           │ system:controller:generic-garbage-collector │                                                                           │
│ │ ClusterRole │           │ system:controller:horizontal-pod-autoscaler │                                                                           │
│ │ ClusterRole │           │ system:controller:namespace-controller      │                                                                           │
│ │ ClusterRole │           │ system:controller:resourcequota-controller  │                                                                           │
│ │ ClusterRole │           │ system:kube-controller-manager              │                                                                           │
│ │ ClusterRole │           │ system:kubelet-api-admin

Another benefit of adding an ignore option for ClusterRole would be that users would be able to pass their own in if they wanted to, because they are running a third party ClusterRole that they can't modify.
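As an added illustration of the feature requested above (example code written for this thread, not hardeneks' own implementation), the following Python runs the "'*' in verbs or resources" check over constructed ClusterRole objects and applies a configurable ignore list. The `ignore_cluster_roles` config key, the glob-style matching, and the sample rules attached to each role are assumptions for the example; only `cluster-admin` reflects the real built-in role, which grants `*` on `*` by design.

```python
# Added example, not hardeneks code: the ClusterRole wildcard check with an
# ignore list. Roles are built inline so it runs offline without a cluster.
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Iterable

WILDCARD = "*"


@dataclass
class Rule:
    """Minimal stand-in for an RBAC PolicyRule."""
    verbs: list[str] = field(default_factory=list)
    resources: list[str] = field(default_factory=list)
    api_groups: list[str] = field(default_factory=list)


@dataclass
class ClusterRole:
    name: str
    rules: list[Rule]


def rule_has_wildcard(rule: Rule) -> bool:
    """True when a single rule grants every verb or every resource."""
    return WILDCARD in rule.verbs or WILDCARD in rule.resources


def is_ignored(name: str, ignore_patterns: Iterable[str]) -> bool:
    """Exact names or shell-style globs (e.g. 'system:controller:*') skip a role."""
    return any(fnmatchcase(name, pattern) for pattern in ignore_patterns)


def find_wildcard_cluster_roles(
    cluster_roles: Iterable[ClusterRole], ignore_patterns: Iterable[str] = ()
) -> list[str]:
    """Return names of roles with a wildcard rule, minus those matching the ignore list.

    Each role is reported once even if several of its rules use '*'.
    """
    patterns = list(ignore_patterns)
    flagged: list[str] = []
    for role in cluster_roles:
        if is_ignored(role.name, patterns):
            continue
        if any(rule_has_wildcard(r) for r in role.rules) and role.name not in flagged:
            flagged.append(role.name)
    return flagged


def load_ignore_patterns(config: dict) -> list[str]:
    """Read the ignore list from a parsed YAML config (key name is an assumption)."""
    return list(config.get("ignore_cluster_roles", []))


# Constructed sample roles. cluster-admin mirrors the real built-in role; the
# rules on the other roles are illustrative, not copied from a live cluster.
SAMPLE_CLUSTER_ROLES = [
    ClusterRole("cluster-admin", [Rule(["*"], ["*"], ["*"])]),
    ClusterRole(
        "system:controller:namespace-controller",
        [Rule(["delete", "get", "list"], ["*"], ["*"])],
    ),
    ClusterRole("app-reader", [Rule(["get", "list", "watch"], ["pods"], [""])]),
    ClusterRole("vendor-operator", [Rule(["*"], ["widgets"], ["vendor.example"])]),
]

# Hypothetical config: allow the built-in system roles, but still flag the
# vendor role so the operator has to opt in to accepting it explicitly.
SAMPLE_CONFIG = {"ignore_cluster_roles": ["cluster-admin", "system:*"]}


if __name__ == "__main__":
    print("no ignore list:", find_wildcard_cluster_roles(SAMPLE_CLUSTER_ROLES))
    patterns = load_ignore_patterns(SAMPLE_CONFIG)
    print("with ignore list:", find_wildcard_cluster_roles(SAMPLE_CLUSTER_ROLES, patterns))
```

With no ignore list the three wildcard roles are reported; with the sample config only `vendor-operator` remains, which is the third-party case the comment describes. Globs keep the list short for the `system:` roles while still surfacing anything new that appears with that prefix only if the pattern is narrowed.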

dorukozturk commented 1 year ago

Thank you very much for the issue. I think a configurable filter would be a good addition. I will look into adding that to the yaml configuration.