aws / aws-eks-best-practices

A best practices guide for day 2 operations, including operational excellence, security, reliability, performance efficiency, and cost optimization.
https://aws.github.io/aws-eks-best-practices/

aws-node pods show the compliance items below #178

Open singhnix opened 2 years ago

singhnix commented 2 years ago

Is your idea request related to a problem that you've solved? Please describe.
When running a third-party security scanning tool on EKS, it shows the compliance items below for CloudWatch pods.

Describe the best practice
NA

Describe alternatives you've considered
NA

Additional context
Following the EKS security best practices "Pod security" page for aws-node pods: https://aws.github.io/aws-eks-best-practices/security/docs/pods/. I am aware that if these compliance items are handled, the aws-node pods will stop working.

Reported compliance items for aws-node pods:

image: 602401143452.dkr.ecr.eu-west-3.amazonaws.com/amazon-k8s-cni:v1.10.1-eksbuild.1

- Container is running as root (CIS_Docker_v1.3.1 - 5.3)
- Restrict Linux kernel capabilities within containers (CIS_Docker_v1.3.1 - 5.9)
- Do not share the host's network namespace (CIS_Docker_v1.3.1 - 5.12)
- Mount container's root filesystem as read only (CIS_Docker_v1.3.1 - 5.20)
- Do not share the host's UTS namespace (CIS_Docker_v1.3.1 - 5.21)
- Do not disable default seccomp profile (CIS_Docker_v1.3.1 - 5.25)
- Restrict container from acquiring additional privileges (CIS_Docker_v1.3.1 - 5.28)
- Use PIDs cgroup limit (CIS_Docker_v1.3.1 - 5.10)
- Limit memory usage for container
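The findings listed above, as an added example that is not part of this issue or of the aws-eks-best-practices guide: a small Python checker that maps each CIS Docker 5.x item the scanner reported onto the pod-spec field a Kubernetes scanner inspects, and that exempts node-level components (such as aws-node) which cannot satisfy those items and still function. Both manifests in the block are constructed for illustration; the aws-node-like one only approximates a VPC CNI DaemonSet pod (host networking, NET_ADMIN, root, no memory limit) and is not the real manifest, and the image references are placeholders.

```python
"""Added example (not from the issue or from aws/aws-eks-best-practices): map the
CIS Docker Benchmark 5.x items a scanner reports onto Kubernetes pod-spec fields.
Both manifests below are CONSTRUCTED; the first only approximates an aws-node
(VPC CNI) DaemonSet pod and the image names are placeholders."""
from typing import Any, Dict, Iterable, List, Tuple

# Constructed: resembles a CNI agent pod (host networking, NET_ADMIN, root, no limits).
CNI_LIKE_POD: Dict[str, Any] = {
    "metadata": {"name": "aws-node-example", "namespace": "kube-system"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "aws-node",
            "image": "example.invalid/amazon-k8s-cni:example",  # placeholder, not a real tag
            "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
            "resources": {"requests": {"cpu": "25m"}},
        }],
    },
}

# Constructed: an application pod hardened along the lines of the guide's "Pod security" page.
HARDENED_POD: Dict[str, Any] = {
    "metadata": {"name": "web", "namespace": "app"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "example.invalid/web:example",  # placeholder
            "securityContext": {
                "runAsNonRoot": True,
                "runAsUser": 10001,
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"memory": "256Mi"}},
        }],
    },
}


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return the CIS Docker 5.x findings (the ones named in the issue) for one pod."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    if spec.get("hostNetwork"):
        findings.append("5.12 shares host network namespace")
        # kubelet/CRI also give hostNetwork pods the host UTS namespace (the
        # hostname follows the network), so 5.21 is reported together with 5.12.
        findings.append("5.21 shares host UTS namespace")

    for c in spec.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        # Container-level securityContext overrides the pod-level one.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if not run_as_non_root and (run_as_user is None or run_as_user == 0):
            findings.append(f"5.3 {name}: may run as root (UID 0 is the image default)")
        caps = sc.get("capabilities") or {}
        if caps.get("add") or "ALL" not in caps.get("drop", []):
            findings.append(f"5.9 {name}: capabilities not restricted")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"5.20 {name}: root filesystem is writable")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"5.25 {name}: no seccomp profile applied")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"5.28 {name}: privilege escalation allowed")
        if not (c.get("resources") or {}).get("limits", {}).get("memory"):
            findings.append(f"memory limit missing on {name}")
    # 5.10 (PIDs cgroup limit) is a kubelet setting (podPidsLimit), not a
    # pod-spec field, so a pod-level checker cannot evaluate it.
    return findings


def scan(pods: Iterable[Dict[str, Any]],
         exempt_prefixes: Tuple[Tuple[str, str], ...] = (("kube-system", "aws-node"),)
         ) -> Dict[str, List[str]]:
    """Scan pods; pass through node-level components that need these settings to work."""
    report: Dict[str, List[str]] = {}
    for pod in pods:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        if any(ns == ens and name.startswith(pfx) for ens, pfx in exempt_prefixes):
            report[name] = ["exempt: node-level component"]
            continue
        report[name] = check_pod(pod)
    return report


if __name__ == "__main__":
    for pod_name, items in scan([CNI_LIKE_POD, HARDENED_POD]).items():
        print(pod_name, items)
```

Run against the constructed CNI-like pod, `check_pod` reproduces every item the scanner reported except 5.10, which lives in kubelet configuration rather than the pod spec; the hardened application pod produces no findings. The exemption in `scan` encodes the reporter's point that remediating aws-node breaks it: the pod is listed as exempt rather than silently dropped, so it still shows up in the report.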

jicowan commented 2 years ago

@singhnix Same as my other comments.