1 parent
824cd50
commit 07e1342
Showing
68 changed files
with
30,456 additions
and
24 deletions.
@@ -0,0 +1,54 @@ | ||
from ..resources import Resources | ||
from ..report import print_storage_class_table, print_persistent_volume_table | ||
|
||
|
||
def use_encryption_with_ebs(resources: Resources): | ||
offenders = [] | ||
|
||
for storage_class in resources.storage_classes: | ||
if storage_class.provisioner == "ebs.csi.aws.com": | ||
encrypted = storage_class.parameters.get("encrypted") | ||
if not encrypted: | ||
offenders.append(storage_class) | ||
elif encrypted == "false": | ||
offenders.append(storage_class) | ||
|
||
if offenders: | ||
print_storage_class_table( | ||
offenders, "EBS Storage Classes should have encryption parameter" | ||
) | ||
return offenders | ||
|
||
|
||
def use_encryption_with_efs(resources: Resources): | ||
offenders = [] | ||
|
||
for persistent_volume in resources.persistent_volumes: | ||
if persistent_volume.spec.csi.driver == "efs.csi.aws.com": | ||
mount_options = persistent_volume.spec.mount_options | ||
if not mount_options: | ||
offenders.append(persistent_volume) | ||
else: | ||
if "tls" not in mount_options: | ||
offenders.append(persistent_volume) | ||
|
||
if offenders: | ||
print_persistent_volume_table( | ||
offenders, "EFS Persistent volumes should have tls mount option" | ||
) | ||
return offenders | ||
|
||
|
||
def use_efs_access_points(resources: Resources): | ||
offenders = [] | ||
|
||
for persistent_volume in resources.persistent_volumes: | ||
if persistent_volume.spec.csi.driver == "efs.csi.aws.com": | ||
if "::" not in persistent_volume.spec.csi.volume_handle: | ||
offenders.append(persistent_volume) | ||
|
||
if offenders: | ||
print_persistent_volume_table( | ||
offenders, "EFS Persistent volumes should leverage access points" | ||
) | ||
return offenders |
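Review bot: `persistent_volume.spec.csi.driver` in `use_encryption_with_efs` dereferences `spec.csi` unconditionally, so one non-CSI PersistentVolume in the cluster (where the API client presumably leaves `spec.csi` unset) raises AttributeError and aborts the check before any EFS offender is reported; `use_efs_access_points` has the same line. Guard it in both functions with `csi = persistent_volume.spec.csi` followed by `if csi is not None and csi.driver == "efs.csi.aws.com":`. `use_encryption_with_ebs` has the sibling problem at `storage_class.parameters.get("encrypted")` for a StorageClass that carries no parameters; `(storage_class.parameters or {}).get("encrypted")` keeps the check running. The `encrypted == "false"` comparison is also case-sensitive, so a spelling like `"False"` would be accepted as encrypted; `if str(encrypted).lower() != "true":` treats every non-true value as an offender, which is the safer default for a hardening check. None of the three functions has a docstring; a one-liner per function stating what it flags and that it returns the offending objects would help readers of the report module.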
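--- a/tests/data/check_default_deny_policy_exists/cluster/persistent_volumes_api_response.json
+++ b/tests/data/check_default_deny_policy_exists/cluster/persistent_volumes_api_response.json
@@ -0,0 +1,80 @@
+{
+"apiVersion": "v1",
+"items": [
+{
+"apiVersion": "v1",
+"kind": "PersistentVolume",
+"metadata": {
+"annotations": {
+"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"PersistentVolume\",\"metadata\":{\"annotations\":{},\"name\":\"bad\"},\"spec\":{\"accessModes\":[\"ReadWriteOnce\"],\"capacity\":{\"storage\":\"5Gi\"},\"csi\":{\"driver\":\"efs.csi.aws.com\",\"volumeHandle\":\"some_id\"},\"persistentVolumeReclaimPolicy\":\"Retain\",\"storageClassName\":\"efs-sc\",\"volumeMode\":\"Filesystem\"}}\n"
+},
+"creationTimestamp": "2022-11-16T17:32:05Z",
+"finalizers": [
+"kubernetes.io/pv-protection"
+],
+"name": "bad",
+"resourceVersion": "8168926",
+"uid": "01035bf3-4216-4ac5-89ba-6a476d8493d6"
+},
+"spec": {
+"accessModes": [
+"ReadWriteOnce"
+],
+"capacity": {
+"storage": "5Gi"
+},
+"csi": {
+"driver": "efs.csi.aws.com",
+"volumeHandle": "some_id"
+},
+"persistentVolumeReclaimPolicy": "Retain",
+"storageClassName": "efs-sc",
+"volumeMode": "Filesystem"
+},
+"status": {
+"phase": "Available"
+}
+},
+{
+"apiVersion": "v1",
+"kind": "PersistentVolume",
+"metadata": {
+"annotations": {
+"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"PersistentVolume\",\"metadata\":{\"annotations\":{},\"name\":\"good\"},\"spec\":{\"accessModes\":[\"ReadWriteOnce\"],\"capacity\":{\"storage\":\"5Gi\"},\"csi\":{\"driver\":\"efs.csi.aws.com\",\"volumeHandle\":\"some_id\"},\"mountOptions\":[\"tls\"],\"persistentVolumeReclaimPolicy\":\"Retain\",\"storageClassName\":\"efs-sc\",\"volumeMode\":\"Filesystem\"}}\n"
+},
+"creationTimestamp": "2022-11-16T17:32:05Z",
+"finalizers": [
+"kubernetes.io/pv-protection"
+],
+"name": "good",
+"resourceVersion": "8168922",
+"uid": "0e61bf80-4a32-470b-8a29-23df698bab78"
+},
+"spec": {
+"accessModes": [
+"ReadWriteOnce"
+],
+"capacity": {
+"storage": "5Gi"
+},
+"csi": {
+"driver": "efs.csi.aws.com",
+"volumeHandle": "some_id"
+},
+"mountOptions": [
+"tls"
+],
+"persistentVolumeReclaimPolicy": "Retain",
+"storageClassName": "efs-sc",
+"volumeMode": "Filesystem"
+},
+"status": {
+"phase": "Available"
+}
+}
+],
+"kind": "List",
+"metadata": {
+"resourceVersion": ""
+}
+}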
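Review bot: Both items use `"volumeHandle": "some_id"`, so this fixture contains no PersistentVolume whose handle carries the `::` access-point separator, which leaves the passing path of an access-point check uncovered if this data is meant to feed one. The directory name `check_default_deny_policy_exists` also suggests the fixture may be shared by checks it does not exercise, which makes it easy for a later edit to break an unrelated test. Adding a third item with a clearly constructed placeholder handle of the form `"<fs-id>::<fsap-id>"` would pin the passing case alongside the existing `bad` and `good` volumes.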