aws-samples / hardeneks

Runs checks to see if an EKS cluster follows EKS Best Practices.
https://aws-samples.github.io/hardeneks/
MIT No Attribution

False Positive with "Update the aws-node daemonset to use IRSA." #28

Closed NickTheSecurityDude closed 1 year ago

NickTheSecurityDude commented 1 year ago

It seems there is a possible false positive with: iam-->Cluster Wide-->Update the aws-node daemonset to use IRSA. Resource: aws-node

I have "aws-node" as a service account, with a different role than the node, and it's reporting as false/non-compliant:

% kubectl get daemonset aws-node -n kube-system -o json | jq ".spec.template.spec.serviceAccountName"
"aws-node"

Here is the IRSA role which I'm using:

kubectl get serviceaccount aws-node -nkube-system -o json | jq ".metadata.annotations" |grep arn
  "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/eksctl-cluster-addon-iamserviceacc-Role1-JO4O8EGBK9J3",

If IRSA is not used, then the annotation "eks.amazonaws.com/role-arn" is not present.

Ergo, the compliance check could look for that annotation instead of checking the serviceAccountName.
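Added example, not code from the issue or from the hardeneks project: a stand-alone version of the annotation-based check described above, written against the plain JSON objects that `kubectl get ... -o json` returns so it runs without a cluster or the kubernetes client. It goes slightly beyond the suggestion by resolving the DaemonSet's serviceAccountName (falling back to "default" as Kubernetes does), tolerating a ServiceAccount with no annotations at all, and rejecting an annotation whose value is not shaped like an IAM role ARN. The sample objects, the ARN and the regex are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Annotation key the EKS pod identity webhook reads to inject IRSA credentials.
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"

# Loose IAM role ARN shape (constructed for this example; tighten to your partition/account if needed).
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


def irsa_role_arn(service_account: dict) -> Optional[str]:
    """Return the IRSA role ARN annotated on a ServiceAccount object, or None."""
    # metadata.annotations is null/absent when the SA carries no annotations,
    # so guard with `or {}` before looking the key up.
    annotations = service_account.get("metadata", {}).get("annotations") or {}
    arn = annotations.get(IRSA_ANNOTATION)
    if arn and ROLE_ARN_RE.match(arn):
        return arn
    return None


def daemonset_uses_irsa(daemonset: dict, service_accounts: Dict[str, dict]) -> Tuple[bool, str]:
    """Decide whether a DaemonSet's pods run under an IRSA-annotated ServiceAccount.

    `service_accounts` maps ServiceAccount name -> ServiceAccount object in the
    DaemonSet's namespace. Returns (compliant, reason).
    """
    pod_spec = daemonset["spec"]["template"]["spec"]
    # Kubernetes uses the "default" ServiceAccount when the pod spec names none.
    sa_name = pod_spec.get("serviceAccountName") or pod_spec.get("serviceAccount") or "default"
    sa = service_accounts.get(sa_name)
    if sa is None:
        return False, f"ServiceAccount {sa_name!r} not found in namespace"
    arn = irsa_role_arn(sa)
    if arn is None:
        return False, f"ServiceAccount {sa_name!r} has no valid {IRSA_ANNOTATION} annotation"
    return True, f"ServiceAccount {sa_name!r} assumes {arn}"


# Constructed sample objects mimicking `kubectl get ... -o json` output (not from a real cluster).
AWS_NODE_DS = {
    "metadata": {"name": "aws-node", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"serviceAccountName": "aws-node"}}},
}
SA_WITH_IRSA = {
    "metadata": {
        "name": "aws-node",
        "annotations": {IRSA_ANNOTATION: "arn:aws:iam::123456789012:role/example-irsa-role"},
    }
}
SA_WITHOUT_ANNOTATIONS = {"metadata": {"name": "aws-node", "annotations": None}}
SA_WITH_OTHER_ANNOTATION = {"metadata": {"name": "aws-node", "annotations": {"team": "infra"}}}

if __name__ == "__main__":
    for label, sa in [
        ("IRSA annotated", SA_WITH_IRSA),
        ("no annotations", SA_WITHOUT_ANNOTATIONS),
        ("unrelated annotation", SA_WITH_OTHER_ANNOTATION),
    ]:
        compliant, reason = daemonset_uses_irsa(AWS_NODE_DS, {"aws-node": sa})
        print(f"{label}: {'Compliant/True' if compliant else 'Non-compliant/False'} ({reason})")
```

The `or {}` guard matters in practice: the kubernetes client (and raw JSON) returns `None` for a ServiceAccount that has never been annotated, and `'key' in None` raises a TypeError rather than reporting non-compliance.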

dorukozturk commented 1 year ago

Will take a look at it this week too. Thank you very much for taking the time, using it and creating issues.

NickTheSecurityDude commented 1 year ago

Something along these lines may work:

from kubernetes import client, config

config.load_kube_config()  # or config.load_incluster_config() when running inside the cluster
v1 = client.CoreV1Api()
service_account = v1.read_namespaced_service_account(name="aws-node", namespace="kube-system")
# metadata.annotations is None when the ServiceAccount has no annotations at all,
# so fall back to an empty dict before the membership test
annotations = service_account.metadata.annotations or {}
if 'eks.amazonaws.com/role-arn' in annotations:
  print("Compliant/True")
else:
  print("Non-compliant/False")

dorukozturk commented 1 year ago

Again great contribution. Thank you very much for the clean description of the issue and catching these bugs.