Is your idea request related to a problem that you've solved? Please describe.
When running a third-party security scanning tool on EKS, it reports the compliance items below for the CloudWatch pods.
Container is running as root
(CIS_Docker_v1.3.1 - 5.3) Restrict Linux kernel capabilities within containers
(CIS_Docker_v1.3.1 - 5.9) Do not share the host's network namespace
(CIS_Docker_v1.3.1 - 5.12) Mount container's root filesystem as read only
(CIS_Docker_v1.3.1 - 5.20) Do not share the host's UTS namespace
(CIS_Docker_v1.3.1 - 5.21) Do not disable default seccomp profile
(CIS_Docker_v1.3.1 - 5.25) Restrict container from acquiring additional privileges
(CIS_Docker_v1.3.1 - 5.28) Use PIDs cgroup limit
(CIS_Docker_v1.3.1 - 5.10) Limit memory usage for container
Describe the best practice
NA
Describe alternatives you've considered
NA
Additional context
Following the EKS security best practices "Pod security" page (https://aws.github.io/aws-eks-best-practices/security/docs/pods/) for the aws-node pods. I am aware that, if these compliance items are handled, the aws-node pods will stop working.
Reported compliance items for aws-node pods.
image: 602401143452.dkr.ecr.eu-west-3.amazonaws.com/amazon-k8s-cni:v1.10.1-eksbuild.1
Container is running as root
(CIS_Docker_v1.3.1 - 5.3) Restrict Linux kernel capabilities within containers
(CIS_Docker_v1.3.1 - 5.9) Do not share the host's network namespace
(CIS_Docker_v1.3.1 - 5.12) Mount container's root filesystem as read only
(CIS_Docker_v1.3.1 - 5.20) Do not share the host's UTS namespace
(CIS_Docker_v1.3.1 - 5.21) Do not disable default seccomp profile
(CIS_Docker_v1.3.1 - 5.25) Restrict container from acquiring additional privileges
(CIS_Docker_v1.3.1 - 5.28) Use PIDs cgroup limit
(CIS_Docker_v1.3.1 - 5.10) Limit memory usage for container
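As an added example (not code from the issue or from the amazon-vpc-cni project), the script below maps each reported CIS item to the Kubernetes pod-spec field that controls it and audits a manifest, so the same findings can be reproduced from YAML before a scanner runs. The sample manifests are constructed, the `audit_pod` function is hypothetical, and treating 5.20 as implied by `hostNetwork` assumes a CRI runtime that places hostNetwork pods in the host UTS namespace.

```python
"""Audit a pod manifest against the CIS Docker v1.3.1 items reported above,
using the Kubernetes fields that control each. Example code added here, not
from the issue or the amazon-vpc-cni project; manifests are constructed."""


def audit_pod(pod: dict) -> list[str]:
    """Return the reported items the manifest would still trip. 5.28 (PIDs
    limit) is a kubelet setting (podPidsLimit), so a manifest can't show it."""
    spec = pod.get("spec", {})
    findings = set()
    if spec.get("hostNetwork"):
        findings.add("5.9 host network namespace")
        findings.add("5.20 host UTS namespace")  # CRI runtimes share UTS too
    for c in spec.get("containers", []):
        # Pod-level securityContext applies unless the container overrides it.
        sc = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        # With neither runAsNonRoot nor a non-zero runAsUser, the image decides;
        # flag it conservatively, as the scanner in the report does.
        if not sc.get("runAsNonRoot") and not sc.get("runAsUser"):
            findings.add("container running as root")
        caps = sc.get("capabilities", {})
        if sc.get("privileged") or "ALL" not in caps.get("drop", []):
            findings.add("5.3 capabilities not restricted")
        if not sc.get("readOnlyRootFilesystem"):
            findings.add("5.12 root filesystem writable")
        if sc.get("seccompProfile", {}).get("type", "Unconfined") == "Unconfined":
            findings.add("5.21 seccomp disabled")
        if sc.get("allowPrivilegeEscalation", True):
            findings.add("5.25 privilege escalation allowed")
        if not c.get("resources", {}).get("limits", {}).get("memory"):
            findings.add("5.10 no memory limit")
    return sorted(findings)


# Constructed sample matching the findings list above: host network, no
# securityContext, no limits.
PERMISSIVE_POD = {"spec": {"hostNetwork": True,
                           "containers": [{"name": "agent", "image": "x/agent:1"}]}}

# Constructed sample with every pod-spec control set; a CNI such as aws-node
# still needs hostNetwork (and NET_ADMIN), so it cannot clear 5.9/5.20 this way.
HARDENED_POD = {"spec": {
    "hostNetwork": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "agent", "image": "x/agent:1",
                    "resources": {"limits": {"memory": "256Mi"}},
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}]}}
```

Running `audit_pod` on the hardened sample with `hostNetwork` switched back on shows only 5.9 and 5.20 remaining, which is the residual the issue describes for aws-node.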