Open dims opened 1 year ago
This would be very helpful to support "ready to use" solutions that enable users to create their own hardened AMIs. We have some changes coming to https://github.com/aws-samples/amazon-eks-custom-amis which will provide a deployable solution into customer accounts that creates the AMI pipeline, applies "hardening" changes to meet various compliance requirements (CIS, STIG, FedRAMP, etc.), and validates with OpenSCAP, but the one missing piece is testing and validating the resulting AMI to ensure it works in a Kubernetes cluster as intended.
When folks customize their AMI(s), it would be good to have some way to validate that they haven't broken any expectations of the maintainers of this repository (with a basic sanity/sniff test). This will possibly help reduce the time to iterate trying each change over and over again.
For example, in the upstream CAPI project called image-builder, they use a tool called goss. Here's their readme/howto:
Here's a quick search of that codebase:
Here's an example where they check that some kernel parameters are set correctly:
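To make the idea concrete, here is an added goss spec of the kind the issue is asking for: a basic sniff test that a hardened node AMI still meets a Kubernetes node's expectations (IP forwarding and bridge netfilter enabled, kubelet and containerd present and enabled) while also confirming that a typical CIS-style sysctl hardening has actually taken effect. This is an illustration written for this issue, not a file from image-builder, amazon-eks-ami or amazon-eks-custom-amis; the service names, binary paths and the exact sysctl list are assumptions and should be replaced with whatever the AMI actually ships.

```yaml
# node-sanity.yaml - constructed example goss spec (not from any of the
# repositories mentioned above). Run on the booted AMI with:
#   goss --gossfile node-sanity.yaml validate --format documentation

# Kernel parameters a Kubernetes node relies on. A CIS/STIG pass that
# tightens sysctls must not undo these, so assert them explicitly.
kernel-param:
  net.ipv4.ip_forward:
    value: "1"
  net.bridge.bridge-nf-call-iptables:
    value: "1"
  net.bridge.bridge-nf-call-ip6tables:
    value: "1"
  # Example hardening settings (CIS-style, assumed here): prove the
  # hardening step applied, rather than trusting the build log.
  net.ipv4.conf.all.send_redirects:
    value: "0"
  net.ipv4.conf.all.accept_redirects:
    value: "0"
  net.ipv4.conf.all.accept_source_route:
    value: "0"

# Kernel modules the CNI and kube-proxy paths need. Hardening guides
# sometimes blacklist modules wholesale; catch that before cluster join.
kernel-param:
  net.netfilter.nf_conntrack_max:
    value:
      gt: 0

# Node components. Service and binary names are assumptions for this
# example; adjust to the init units the AMI actually installs.
service:
  containerd:
    enabled: true
    running: true
  kubelet:
    enabled: true

file:
  /usr/bin/kubelet:
    exists: true
    filetype: file
    mode: "0755"
    owner: root
    group: root
  /etc/containerd/config.toml:
    exists: true
    filetype: file

# Sanity checks that go beyond "file exists": the binaries run and
# report a version, and no swap is active (kubelet refuses to start
# with swap on unless explicitly configured otherwise).
command:
  "kubelet --version":
    exit-status: 0
    stdout:
      - "Kubernetes v"
    timeout: 10000
  "containerd --version":
    exit-status: 0
    timeout: 10000
  "swapon --noheadings --show | wc -l":
    exit-status: 0
    stdout:
      - "0"
    timeout: 10000
```

The point of splitting the spec into the "node still works" group and the "hardening actually applied" group is that a customized AMI can fail in either direction: a compliance change that disables IP forwarding breaks pod networking, and a build that silently skipped the hardening role passes OpenSCAP only if it ran. Running this spec as the last step of the image pipeline (or in a validation instance launched from the candidate AMI) gives a fast fail before the slower end-to-end cluster join test, which is where the iteration time is currently being spent.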