Merge pull request #174 from nirmata/add-eks-terraform-config-policies
feat: add `eks` best practices terraform config policies and bump chainsaw version
Showing 69 changed files with 4,068 additions and 4 deletions.
terraform/config/eks-best-practices/check-control-plane-logging/README.md (86 additions, 0 deletions)
@@ -0,0 +1,86 @@ | ||
# Check Control Plane Logging for Amazon EKS | ||
|
||
Enabling Amazon EKS control plane logging for all log types is a best practice for enhancing the security, monitoring, troubleshooting, performance optimization, and operational management of your Kubernetes clusters. By capturing comprehensive logs of control plane activities, you can effectively manage and secure your EKS infrastructure while ensuring compliance with regulatory requirements and industry standards. | ||
|
||
To enable control plane logging for all types in Amazon EKS, ensure that **enabled_cluster_log_types** includes all these types: "api", "audit", "authenticator", "controllerManager" and "scheduler". You can read more about the log types [here](https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | ||
|
||
## Policy Details: | ||
|
||
- **Policy Name:** check-control-plane-logging | ||
- **Check Description:** Ensure Amazon EKS control plane logging is enabled for all log types | ||
- **Policy Category:** EKS Best Practices | ||
|
||
### Policy Validation Testing Instructions | ||
|
||
To evaluate and test the policy, follow the steps outlined below: | ||
|
||
For testing this policy you will need to: | ||
- Make sure you have `nctl` installed on the machine | ||
|
||
1. **Test the Policy with nctl:** | ||
``` | ||
nctl scan terraform --resources tf-config.tf --policy policy.yaml | ||
``` | ||
a. **Test Policy Against Valid Terraform Config File:** | ||
``` | ||
nctl scan terraform --resources test/good.tf --policies check-control-plane-logging.yaml --details | ||
``` | ||
This produces the output: | ||
``` | ||
Version: v4.2.2 | ||
Fetching policies... | ||
Loading policies... | ||
- found 1 policies | ||
Running analysis... | ||
• no errors | ||
Results... | ||
+--------------------+------+------+------+-------+------+ | ||
| CATEGORY | FAIL | WARN | PASS | ERROR | SKIP | | ||
+--------------------+------+------+------+-------+------+ | ||
| EKS Best Practices | 0 | 0 | 1 | 0 | 0 | | ||
+--------------------+------+------+------+-------+------+ | ||
Rule Results : (Fail: 0, Warn: 0, Pass: 1, Error: 0, Skip: 0) | ||
Failed Rules Severity : (Critical: 0, High: 0, Medium: 0, Low: 0, Info: 0) | ||
+-----------------------------+-----------------------------+--------------+---------+--------+ | ||
| POLICY | RULE | RESOURCE | MESSAGE | RESULT | | ||
+-----------------------------+-----------------------------+--------------+---------+--------+ | ||
| check-control-plane-logging | check-control-plane-logging | test/good.tf | | pass | | ||
+-----------------------------+-----------------------------+--------------+---------+--------+ | ||
Done! | ||
``` | ||
b. **Test Against Invalid Terraform Config File:** | ||
``` | ||
nctl scan terraform --resources test/bad-01.tf --policies check-control-plane-logging.yaml --details | ||
``` | ||
This produces the output: | ||
``` | ||
Version: v4.2.2 | ||
Fetching policies... | ||
Loading policies... | ||
- found 1 policies | ||
Running analysis... | ||
• no errors | ||
Results... | ||
+--------------------+------+------+------+-------+------+ | ||
| CATEGORY | FAIL | WARN | PASS | ERROR | SKIP | | ||
+--------------------+------+------+------+-------+------+ | ||
| EKS Best Practices | 1 | 0 | 0 | 0 | 0 | | ||
+--------------------+------+------+------+-------+------+ | ||
Rule Results : (Fail: 1, Warn: 0, Pass: 0, Error: 0, Skip: 0) | ||
Failed Rules Severity : (Critical: 0, High: 0, Medium: 1, Low: 0, Info: 0) | ||
+-----------------------------+-----------------------------+----------------+--------------------------------+--------+ | ||
| POLICY | RULE | RESOURCE | MESSAGE | RESULT | | ||
+-----------------------------+-----------------------------+----------------+--------------------------------+--------+ | ||
| check-control-plane-logging | check-control-plane-logging | test/bad-01.tf | EKS control plane logging must | fail | | ||
| | | | be enabled for all log types | | | ||
+-----------------------------+-----------------------------+----------------+--------------------------------+--------+ | ||
Done! 1 policy violation(s) detected. | ||
``` | ||
--- |
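Review bot: the generic command in step 1 (`nctl scan terraform --resources tf-config.tf --policy policy.yaml`) uses `--policy`, while steps a and b use `--policies`; only one of these can be the flag accepted by the nctl version in the captured output (v4.2.2), so align them or a reader copying step 1 will hit an unknown-flag error. The test directory added in this PR also contains `bad-02.tf` (a partial `enabled_cluster_log_types` list), but the README only walks through `bad-01.tf` (attribute absent); a third run showing bad-02 failing would document that a partial list is rejected too. Minor: the sentence ending in the AWS docs link has no full stop, and `## Policy Details:` carries a trailing colon the other headings do not.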
...rm/config/eks-best-practices/check-control-plane-logging/check-control-plane-logging.yaml (32 additions, 0 deletions)
@@ -0,0 +1,32 @@ | ||
apiVersion: json.kyverno.io/v1alpha1 | ||
kind: ValidatingPolicy | ||
metadata: | ||
name: check-control-plane-logging | ||
annotations: | ||
policies.kyverno.io/title: Check Control Plane Logging | ||
policies.kyverno.io/category: EKS Best Practices | ||
policies.kyverno.io/severity: medium | ||
policies.kyverno.io/description: >- | ||
Enabling Amazon EKS control plane logging for all log types is a best practice | ||
for enhancing the security, monitoring, troubleshooting, performance optimization, and operational management of your Kubernetes clusters. | ||
By capturing comprehensive logs of control plane activities, you can effectively manage and secure your | ||
EKS infrastructure while ensuring compliance with regulatory requirements and industry standards. | ||
spec: | ||
rules: | ||
- name: check-control-plane-logging | ||
match: | ||
all: | ||
- ($analyzer.resource.type): terraform-config | ||
- (resource.aws_eks_cluster != null): true | ||
assert: | ||
all: | ||
- message: EKS control plane logging must be enabled for all log types | ||
check: | ||
~.(resource.aws_eks_cluster.values(@)[]): | ||
(enabled_cluster_log_types || `[]`): | ||
(contains(@, 'api')): true | ||
(contains(@, 'audit')): true | ||
(contains(@, 'authenticator')): true | ||
(contains(@, 'controllerManager')): true | ||
(contains(@, 'scheduler')): true | ||
|
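Review bot: the rule emits one message for five independent `contains` checks, so a cluster missing only `authenticator` gets the same "EKS control plane logging must be enabled for all log types" text as one with no logging at all; listing the required set in the message (api, audit, authenticator, controllerManager, scheduler) would make the fix obvious from the scan table without opening the policy. The `(enabled_cluster_log_types || `[]`)` fallback correctly turns an absent attribute (the bad-01 case) into a failure rather than a nil-dereference error, and `values(@)[]` flattens the per-name arrays the terraform-config analyzer emits, so every `aws_eks_cluster` block in a file is checked, not just the first.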
terraform/config/eks-best-practices/check-control-plane-logging/test/bad-01.tf (27 additions, 0 deletions)
@@ -0,0 +1,27 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = "~> 4.16" | ||
} | ||
} | ||
|
||
required_version = ">= 1.2.0" | ||
} | ||
|
||
provider "aws" { | ||
region = "us-west-2" | ||
} | ||
|
||
resource "aws_eks_cluster" "example" { | ||
name = "example-cluster" | ||
role_arn = "arn:aws:iam::123456789012:role/eks-cluster-role" | ||
|
||
vpc_config { | ||
subnet_ids = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"] | ||
} | ||
} | ||
|
||
output "cluster_id" { | ||
value = aws_eks_cluster.example.id | ||
} |
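Review bot: the fixture does not say which condition it exercises (`enabled_cluster_log_types` is omitted entirely, so the policy's `|| `[]`` fallback is what makes it fail); a one-line `#` comment at the top of each bad fixture stating the expected failure keeps the cases distinguishable from bad-02 as more are added.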
terraform/config/eks-best-practices/check-control-plane-logging/test/bad-02.tf (29 additions, 0 deletions)
@@ -0,0 +1,29 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = "~> 4.16" | ||
} | ||
} | ||
|
||
required_version = ">= 1.2.0" | ||
} | ||
|
||
provider "aws" { | ||
region = "us-west-2" | ||
} | ||
|
||
resource "aws_eks_cluster" "example" { | ||
name = "example-cluster" | ||
role_arn = "arn:aws:iam::123456789012:role/eks-cluster-role" | ||
|
||
vpc_config { | ||
subnet_ids = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"] | ||
} | ||
|
||
enabled_cluster_log_types = ["api", "scheduler"] | ||
} | ||
|
||
output "cluster_id" { | ||
value = aws_eks_cluster.example.id | ||
} |
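Review bot: this fixture sets `enabled_cluster_log_types = ["api", "scheduler"]`, covering the partial-list branch that bad-01 does not, but the README's test instructions only run bad-01; either add it to the README walkthrough or confirm the chainsaw test for this policy scans it, otherwise the partial-list case has no documented expected result.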
terraform/config/eks-best-practices/check-control-plane-logging/test/bad-payload-01.json (47 additions, 0 deletions)
@@ -0,0 +1,47 @@ | ||
{ | ||
"output": { | ||
"cluster_id": [ | ||
{ | ||
"value": "${aws_eks_cluster.example.id}" | ||
} | ||
] | ||
}, | ||
"provider": { | ||
"aws": [ | ||
{ | ||
"region": "us-west-2" | ||
} | ||
] | ||
}, | ||
"resource": { | ||
"aws_eks_cluster": { | ||
"example": [ | ||
{ | ||
"name": "example-cluster", | ||
"role_arn": "arn:aws:iam::123456789012:role/eks-cluster-role", | ||
"vpc_config": [ | ||
{ | ||
"subnet_ids": [ | ||
"subnet-0123456789abcdef0", | ||
"subnet-0123456789abcdef1" | ||
] | ||
} | ||
] | ||
} | ||
] | ||
} | ||
}, | ||
"terraform": [ | ||
{ | ||
"required_providers": [ | ||
{ | ||
"aws": { | ||
"source": "hashicorp/aws", | ||
"version": "~\u003e 4.16" | ||
} | ||
} | ||
], | ||
"required_version": "\u003e= 1.2.0" | ||
} | ||
] | ||
} |
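Review bot: this payload is the terraform-config analyzer's JSON shape of `test/bad-01.tf` (per-name resource arrays, and `\u003e` escaping of `>` as Go's encoding/json produces it), so it looks generated rather than hand-typed; nothing in the PR records the command that produced it, though, so if the .tf fixture is edited later the two will silently drift. A short note in the test directory or README on how the payloads are regenerated would let a reviewer re-run it instead of diffing by eye.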
terraform/config/eks-best-practices/check-control-plane-logging/test/bad-payload-02.json (51 additions, 0 deletions)
@@ -0,0 +1,51 @@ | ||
{ | ||
"output": { | ||
"cluster_id": [ | ||
{ | ||
"value": "${aws_eks_cluster.example.id}" | ||
} | ||
] | ||
}, | ||
"provider": { | ||
"aws": [ | ||
{ | ||
"region": "us-west-2" | ||
} | ||
] | ||
}, | ||
"resource": { | ||
"aws_eks_cluster": { | ||
"example": [ | ||
{ | ||
"enabled_cluster_log_types": [ | ||
"api", | ||
"scheduler" | ||
], | ||
"name": "example-cluster", | ||
"role_arn": "arn:aws:iam::123456789012:role/eks-cluster-role", | ||
"vpc_config": [ | ||
{ | ||
"subnet_ids": [ | ||
"subnet-0123456789abcdef0", | ||
"subnet-0123456789abcdef1" | ||
] | ||
} | ||
] | ||
} | ||
] | ||
} | ||
}, | ||
"terraform": [ | ||
{ | ||
"required_providers": [ | ||
{ | ||
"aws": { | ||
"source": "hashicorp/aws", | ||
"version": "~\u003e 4.16" | ||
} | ||
} | ||
], | ||
"required_version": "\u003e= 1.2.0" | ||
} | ||
] | ||
} |
terraform/config/eks-best-practices/check-control-plane-logging/test/binding.yaml (3 additions, 0 deletions)
@@ -0,0 +1,3 @@ | ||
analyzer: | ||
resource: | ||
type: terraform-config |
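Review bot: the binding only supplies `analyzer.resource.type: terraform-config`, which is what the policy's first `match` condition keys on; it does not show whether the chainsaw test that consumes it scans the `.tf` fixtures, the `.json` payloads, or both, so it would help to state in the PR (or in the README's test section) which inputs the automated test asserts as `fail` and which as `pass`.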