feat: Add check for separate IRSA for CA
dorukozturk committed Feb 1, 2023
1 parent fd75131 commit c1eb9bb
Showing 5 changed files with 1,003 additions and 0 deletions.
29 changes: 29 additions & 0 deletions hardeneks/cluster_wide/cluster_autoscaling/cluster_autoscaler.py
Expand Up @@ -76,3 +76,32 @@ def ensure_cluster_autoscaler_has_autodiscovery_mode(resources: Resources):
break

return True


def use_separate_iam_role_for_cluster_autoscaler(resources: Resources):
deployments = client.AppsV1Api().list_deployment_for_all_namespaces().items

for deployment in deployments:
if deployment.metadata.name == "cluster-autoscaler":
service_account = (
deployment.spec.template.spec.service_account_name
)
sa_data = client.CoreV1Api().read_namespaced_service_account(
service_account, "kube-system", pretty="true"
)
if (
"eks.amazonaws.com/role-arn"
not in sa_data.metadata.annotations.keys()
):
console.print(
Panel(
"[red]Cluster-autoscaler deployment does not use a dedicated IAM Role (IRSA",
subtitle="[link=https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/#employ-least-privileged-access-to-the-iam-role]Click to see the guide[/link]",
)
)
console.print()
return False
else:
break

return True
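Review bot: `sa_data.metadata.annotations.keys()` raises AttributeError when the service account carries no annotations at all, because the client model leaves `annotations` as `None` in that case — and an unannotated service account is exactly the no-IRSA condition this rule exists to report, so the check would crash instead of failing. Replace the membership test with `if "eks.amazonaws.com/role-arn" not in (sa_data.metadata.annotations or {}):`. The lookup also hard-codes `"kube-system"` although the deployment's own namespace is at hand; `deployment.metadata.namespace` would avoid a 404 ApiException when cluster-autoscaler runs elsewhere, and `deployment.spec.template.spec.service_account_name` can be unset (the pod then uses `default`), which likely needs an `or "default"` fallback — worth confirming against the client's model. The panel text is missing its closing parenthesis after `IRSA`. A docstring should also state that the rule only verifies the IRSA annotation is present, not that the referenced role is dedicated or least-privileged, since the function name promises more than the check establishes.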
1 change: 1 addition & 0 deletions hardeneks/config.yaml
Expand Up @@ -48,6 +48,7 @@ rules:
- check_any_cluster_autoscaler_exists
- ensure_cluster_autoscaler_and_cluster_versions_match
- ensure_cluster_autoscaler_has_autodiscovery_mode
- use_separate_iam_role_for_cluster_autoscaler
namespace_based:
security:
iam:
