Closed kumar-mallikarjuna closed 1 year ago
Issue
Changes
1. Ensure workers are deployed to private subnets
   a. Example payload here
   b. Example code
   Added `reservations` field.
2. Run Amazon Inspector
   a. Example payload here
   b. Example code
   Added `accountData`.
3. Check VPC Flow Logs
   a. Example payload here
   b. Example code
   c. Need to do a second call to the EC2 API to get VPC Flow Log information
   Added `flowLogsEnabled`.
4. Check access to instance profile
   a. Example payload here
   b. Example code
   Added `httpPutResponseHopLimit`.
5. Use immutable tags with ECR
   a. Example payload here
   b. Example code
   Added `ecrRepositories`.
Sample CR
```yaml
apiVersion: security.nirmata.io/v1alpha1
kind: AWSAdapterConfig
metadata:
  annotations:
    meta.helm.sh/release-name: kyverno-aws-adapter
    meta.helm.sh/release-namespace: nirmata-aws-adapter
  creationTimestamp: "2023-01-04T06:34:39Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: kyverno-aws-adapter
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kyverno-aws-adapter
    app.kubernetes.io/version: v0.1.0
    helm.sh/chart: kyverno-aws-adapter-v0.1.1
  name: kyverno-aws-adapter
  namespace: nirmata-aws-adapter
  resourceVersion: "368060"
  uid: 0f9a851a-0b34-4995-8df4-575aed940e48
spec:
  name: aws-kyverno-adapter-test
  region: us-west-1
status:
  accountData:
    id: "844333597536"
    inspectorEnabledEC2: false
    inspectorEnabledECR: false
  ecrRepositories:
  - imageTagMutable: false
    repositoryName: nirmata/busybox
    repositoryUri: 844333597536.dkr.ecr.us-west-1.amazonaws.com/nirmata/busybox
  - imageTagMutable: false
    repositoryName: nirmata/nginx
    repositoryUri: 844333597536.dkr.ecr.us-west-1.amazonaws.com/nirmata/nginx
  eksCluster:
    addons:
    - coredns
    - kube-proxy
    - vpc-cni
    arn: arn:aws:eks:us-west-1:844333597536:cluster/aws-kyverno-adapter-test
    certificate: <>
    compute:
      nodeGroups:
      - amiReleaseVersion: 1.22.15-20221222
        amiType: AL2_x86_64
        capacityType: ON_DEMAND
        createdAt: 2023-01-03 05:38:54.36 +0000 UTC
        diskSize: 20
        instanceTypes:
        - t3.medium
        name: node-group-0
        nodeGroupArn: arn:aws:eks:us-west-1:844333597536:nodegroup/aws-kyverno-adapter-test/node-group-0/16c2bb11-e0e6-2543-810b-17f7541a580a
        nodeRole: arn:aws:iam::844333597536:role/viv-worker-node-policy
        resources:
          autoScalingGroups:
          - eks-node-group-0-16c2bb11-e0e6-2543-810b-17f7541a580a
        scalingConfig:
          desiredSize: 1
          maxSize: 2
          minSize: 1
        status: ACTIVE
        subnets:
        - subnet-24778d42
        - subnet-3ee0f665
        updateConfig:
          maxUnavailable: 1
      reservations:
      - instances:
        - httpPutResponseHopLimit: 2
          publicDnsName: ec2-54-241-211-12.us-west-1.compute.amazonaws.com
    createdAt: 2023-01-03 04:36:08.965 +0000 UTC
    endpoint: https://AEC105B316714BE603A2BCEC5579D32A.yl4.us-west-1.eks.amazonaws.com
    kubernetesVersion: "1.22"
    logging:
      apiServer: false
      audit: false
      authenticator: false
      controllerManager: false
      scheduler: false
    name: aws-kyverno-adapter-test
    networking:
      ipFamily: ipv4
      serviceIPv4CIDR: 10.100.0.0/16
      vpc:
        clusterSecurityGroupID: sg-08553dd5e9e264490
        endpointPublicAccess: true
        flowLogsEnabled: true
        publicAccessCIDRs:
        - 0.0.0.0/0
        subnetIDs:
        - subnet-24778d42
        - subnet-3ee0f665
        vpcID: vpc-1ef6fd79
    platformVersion: eks.9
    region: us-west-1
    roleArn: arn:aws:iam::844333597536:role/vivek-eks-role
    status: ACTIVE
    tags:
      DoNotDelete: ""
      alpha.eksctl.io/cluster-oidc-enabled: "true"
  lastPollInfo:
    status: success
    timestamp: "2023-01-04T13:35:23Z"
  lastUpdatedTimestamp: "2023-01-04T13:35:23Z"
```
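The five checks listed under "Changes" evaluated against the new status fields, as an added example (not code from this PR or from the kyverno-aws-adapter project); the `STATUS` dict is trimmed from the sample CR above, and the `evaluate` function and its finding labels are my own naming, not the adapter's API.

```python
# Added example, not part of the PR or the kyverno-aws-adapter project: applies the
# five checks the new status fields enable. STATUS is trimmed from the sample CR.
STATUS = {
    "accountData": {
        "id": "844333597536",
        "inspectorEnabledEC2": False,
        "inspectorEnabledECR": False,
    },
    "ecrRepositories": [
        {"imageTagMutable": False, "repositoryName": "nirmata/busybox"},
        {"imageTagMutable": False, "repositoryName": "nirmata/nginx"},
    ],
    "eksCluster": {
        "compute": {"reservations": [{"instances": [{
            "httpPutResponseHopLimit": 2,
            "publicDnsName": "ec2-54-241-211-12.us-west-1.compute.amazonaws.com",
        }]}]},
        "networking": {"vpc": {"flowLogsEnabled": True}},
    },
}


def evaluate(status):
    """Return a list of (check, detail) findings; an empty list means every check passed."""
    findings = []
    acct = status.get("accountData", {})
    # 2. Run Amazon Inspector: both EC2 and ECR scanning must be enabled.
    for key in ("inspectorEnabledEC2", "inspectorEnabledECR"):
        if not acct.get(key):
            findings.append(("inspector", f"{key} is false for account {acct.get('id')}"))
    # 3. VPC Flow Logs must be enabled on the cluster VPC.
    vpc = status.get("eksCluster", {}).get("networking", {}).get("vpc", {})
    if not vpc.get("flowLogsEnabled"):
        findings.append(("flow-logs", "VPC Flow Logs are disabled"))
    # 5. ECR tags must be immutable, i.e. imageTagMutable must be false.
    for repo in status.get("ecrRepositories", []):
        if repo.get("imageTagMutable"):
            findings.append(("ecr-immutable-tags", repo.get("repositoryName")))
    # 1 and 4. Each worker instance: no public DNS name (so it sits in a private
    # subnet) and an IMDS hop limit of 1, which keeps pods in their own network
    # namespace from reaching the instance profile credentials.
    for res in status.get("eksCluster", {}).get("compute", {}).get("reservations", []):
        for i, inst in enumerate(res.get("instances", [])):
            name = inst.get("publicDnsName") or f"instance[{i}]"
            if inst.get("publicDnsName"):
                findings.append(("private-subnet", f"{name} has a public DNS name"))
            if inst.get("httpPutResponseHopLimit", 1) > 1:
                findings.append(("imds-hop-limit", f"{name} hop limit is {inst['httpPutResponseHopLimit']}"))
    return findings
```

For the sample CR this returns four findings (Inspector off for EC2 and ECR, a worker with a public DNS name, and a hop limit of 2); flow logs and immutable tags pass.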
New IAM Policy Requirements
```json
"Action": [
  "ec2:DescribeInstances",
  "ec2:DescribeFlowLogs",
  "ecr:DescribeRepositories",
  "inspector2:BatchGetAccountStatus"
]
```