feat: Add check for managed node groups

joshkurz · Feb 2, 2023 · 18dc47c · 18dc47c
1 parent 57c7ec1
commit 18dc47c
Show file tree

Hide file tree

Showing 5 changed files with 1,677 additions and 4 deletions.
diff --git a/hardeneks/cluster_wide/cluster_autoscaling/cluster_autoscaler.py b/hardeneks/cluster_wide/cluster_autoscaling/cluster_autoscaler.py
@@ -4,9 +4,7 @@
 
 from hardeneks import console
 from ...resources import Resources
-from ...report import (
-    print_role_action_table,
-)
+from ...report import print_role_action_table, print_node_table
 
 
 def _get_policy_documents_for_role(role_name, iam_client):
@@ -197,3 +195,28 @@ def employ_least_privileged_access_cluster_autoscaler_role(
                     return True
 
     return False
+
+
+def use_managed_nodegroups(resources: Resources):
+
+    offenders = []
+    nodes = client.CoreV1Api().list_node().items
+
+    for node in nodes:
+        labels = node.metadata.labels
+        if "eks.amazonaws.com/nodegroup" in labels.keys():
+            pass
+        elif "alpha.eksctl.io/nodegroup-name" in labels.keys():
+            offenders.append(node)
+        elif "karpenter.sh/provisioner-name" in labels.keys():
+            pass
+        else:
+            offenders.append(node)
+
+    if offenders:
+        print_node_table(
+            offenders,
+            "[red]Following nodes are not part of a managed noge group.",
+            "[link=https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/#configuring-your-node-groups]Click to see the guide[/link]",
+        )
+    return offenders
diff --git a/hardeneks/config.yaml b/hardeneks/config.yaml
@@ -50,6 +50,7 @@ rules:
         - ensure_cluster_autoscaler_has_autodiscovery_mode
         - use_separate_iam_role_for_cluster_autoscaler
         - employ_least_privileged_access_cluster_autoscaler_role
+        - use_managed_nodegroups
   namespace_based:
     security: 
       iam:

diff --git a/hardeneks/report.py b/hardeneks/report.py
@@ -50,7 +50,18 @@ def print_instance_public_table(instances, message, docs):
             str(instance["Instances"][0]["PublicDnsName"]),
         )
 
-    console.print(Panel(table, title=message))
+    console.print(Panel(table, title=message, subtitle=docs))
+    console.print()
+
+
+def print_node_table(nodes, message, docs):
+    table = Table()
+
+    table.add_column("NodeName", style="cyan")
+
+    for node in nodes:
+        table.add_row(node.metadata.name)
+    console.print(Panel(table, title=message, subtitle=docs))
     console.print()