ADR: Hardened EKS AMI

[ntwkninja]

Building STIG-compliant amis for EKS

• Consider using Amazon Linux 2 CIS STIG ami & adding the EKS binaries
• Consider using bottlerocket AMI eventually

Related Issues: FIPS EKS AMI issue FIPS Bottlerocket issue

Edit: EC2 image builder is inconsistent for things in the user_data and if we're going to do something custom, we may want to consider packer.

Definition of Done:

• [ ] ADR decision has been recorded

[RothAndrew]

Is this meant to be a research spike/ADR? Or to actually change which AMI is used by the examples?

Currently:

• It doesn't seem like the module(s) have any say or care what AMI is being used. The examples pass in the nodegroup definitions which will include which AMI to use
• The examples currently use Amazon Linux 2 (the regular one that everyone uses)

Notes:

• If we want the modules to be "secure by default" they should somehow specify which AMI is used. If we need it to be overridable then IMO we should have some kind of allow_insecure_vars = true variable.

[ntwkninja]

Yes, was intended to be a research spike.

Also, agree @RothAndrew

I think there would be a lot of benefit to standardizing on an aws-supported distroless AMI for EKS (bottlerocket) and allowing users to set the flag mentioned if they prefer a different option.

[ntwkninja]

This PR added bottlerocket node group example