Closed NickTheSecurityDude closed 1 year ago
Will take a look at it this week too. Thank you very much for taking the time, using it and creating issues.
Something along these lines may work:
from kubernetes import client, config

config.load_kube_config()  # use config.load_incluster_config() when running inside the cluster
v1 = client.CoreV1Api()
service_account = v1.read_namespaced_service_account(name="aws-node", namespace="kube-system")
# metadata.annotations is None when the object has no annotations at all, so guard before `in`
annotations = service_account.metadata.annotations or {}
if 'eks.amazonaws.com/role-arn' in annotations:
    print("Compliant/True")
else:
    print("Non-compliant/False")
Again, great contribution. Thank you very much for the clean description of the issue and catching these bugs.
It seems there is a possible false positive with: iam-->Cluster Wide-->Update the aws-node daemonset to use IRSA. Resource: aws-node
I have "aws-node" as a service account, with a different role than the node, and it's reporting as false/non-compliant:
Here is the IRSA role which I'm using:
If IRSA is not used, then the annotation "eks.amazonaws.com/role-arn" is not present.
Ergo, the compliance check could look for that annotation instead of checking the serviceAccountName.
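The annotation-based check the issue proposes, as an added example (not the project's own code): it resolves the DaemonSet's pod-template service account (defaulting to "default" when omitted), tolerates a service account with no annotations, and requires the annotation value to look like an IAM role ARN. The manifests are constructed inline as plain dicts, and the ARN regex and the sample role name are assumptions.

```python
import re
from typing import Mapping, Optional

# Annotation that IRSA places on a service account (named in the issue).
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"
# Loose shape of an IAM role ARN; an assumption for validation, not from the tool.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")


def irsa_role_arn(annotations: Optional[Mapping[str, str]]) -> Optional[str]:
    """Return the IRSA role ARN from a service account's annotations, or None.

    Handles annotations=None, which the Kubernetes client returns when the
    object carries no annotations at all (a bare `in` would raise TypeError).
    """
    if not annotations:
        return None
    arn = annotations.get(IRSA_ANNOTATION)
    if arn and ROLE_ARN_RE.match(arn):
        return arn
    return None


def daemonset_uses_irsa(daemonset: Mapping, service_accounts: Mapping[str, Mapping]) -> bool:
    """Check a DaemonSet manifest against the service accounts of its namespace.

    service_accounts maps name -> service account manifest dict.  The pod
    template's serviceAccountName defaults to 'default' when it is omitted.
    Compliance depends only on the annotation, not on the account's name.
    """
    pod_spec = daemonset["spec"]["template"]["spec"]
    sa_name = pod_spec.get("serviceAccountName") or pod_spec.get("serviceAccount") or "default"
    sa = service_accounts.get(sa_name)
    if sa is None:
        return False
    return irsa_role_arn(sa.get("metadata", {}).get("annotations")) is not None


# Constructed sample: aws-node keeps the default service account name but that
# account is annotated for IRSA, the case the issue reports as a false positive.
AWS_NODE_DS = {"metadata": {"name": "aws-node", "namespace": "kube-system"},
               "spec": {"template": {"spec": {"serviceAccountName": "aws-node"}}}}
SA_WITH_IRSA = {"aws-node": {"metadata": {"annotations": {
    IRSA_ANNOTATION: "arn:aws:iam::123456789012:role/example-aws-node-irsa"}}}}  # placeholder ARN
SA_WITHOUT_IRSA = {"aws-node": {"metadata": {"annotations": None}}}

if __name__ == "__main__":
    for label, sas in (("annotated", SA_WITH_IRSA), ("unannotated", SA_WITHOUT_IRSA)):
        print(label, "Compliant/True" if daemonset_uses_irsa(AWS_NODE_DS, sas) else "Non-compliant/False")
```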