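# Dedicated namespace for the log4j hotpatch DaemonSet and its RBAC objects.
apiVersion: v1
kind: Namespace
metadata:
  name: node-configuration-daemonset
  labels:
    # The installer pod below runs privileged with hostPID. On clusters where
    # Pod Security Admission is active (PodSecurityPolicy is gone from v1.25),
    # this label is what allows such pods into the namespace; on older clusters
    # it is an inert label and the PodSecurityPolicy document still applies.
    pod-security.kubernetes.io/enforce: privileged
---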
# Least-privilege role: the only permission is `use` on the one
# PodSecurityPolicy named below, which is what lets the installer pod be
# admitted with privileged/hostPID. No other API access is granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-patch-installer
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - node-patch-installer
---
# Identity the DaemonSet pods run as; bound to the PSP `use` role below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: node-patch-installer
  namespace: node-configuration-daemonset
---
# Binds the ClusterRole to the installer ServiceAccount, scoped to this
# namespace only (a RoleBinding, not a ClusterRoleBinding), so the PSP grant
# cannot be reused by service accounts elsewhere in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: node-patch-installer
  namespace: node-configuration-daemonset
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-patch-installer
subjects:
  - kind: ServiceAccount
    name: node-patch-installer
    namespace: node-configuration-daemonset
---
# Admission policy permitting privileged + hostPID pods for the installer
# ServiceAccount (presumably required so the init container can act on the
# host; the image entrypoint is not visible here).
# NOTE: PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes v1.25.
# On v1.25+ this document must be dropped and the namespace labelled for
# Pod Security Admission (enforce=privileged) instead.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: node-patch-installer
spec:
  privileged: true
  hostPID: true
  # RunAsAny everywhere: the installer runs as root on the node; the pause
  # container sets its own tighter securityContext.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
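# Installer script, mounted into the init container and executed on the node.
# The script references /tmp/install, which is the hostPath staged by the
# DaemonSet, so it is presumably run in the host's mount namespace by the
# image entrypoint (not visible here) rather than inside the container's /tmp.
apiVersion: v1
kind: ConfigMap
metadata:
  name: node-patch-installer-script
  namespace: node-configuration-daemonset
data:
  install.sh: |
    #!/bin/bash
    # Detect the Amazon Linux flavour from the kernel string, install the
    # matching hotpatch RPM staged under /tmp/install, then verify it.
    # Exits 1 on unknown OS, missing RPM, or failed verification.
    OS_TYPE=$(uname -a)
    RPM_TYPE=""
    echo "Detecting OS..."
    # Quoted regex => plain substring match. Any kernel string containing
    # "amzn2" (not only Amazon Linux 2) selects the amzn2 package.
    if [[ "$OS_TYPE" =~ "amzn1" ]]; then
      RPM_TYPE="amzn1"
      echo "OS Matched $RPM_TYPE"
    elif [[ "$OS_TYPE" =~ "amzn2" ]]; then
      RPM_TYPE="amzn2"
      echo "OS Matched $RPM_TYPE"
    else
      echo "No OS match for $OS_TYPE"
      exit 1
    fi
    PACKAGE="log4j-cve-2021-44228-hotpatch-1.1-3.$RPM_TYPE.noarch"
    FILE="/tmp/install/$PACKAGE.rpm"
    echo "Detecting RPM file: $FILE"
    if test -f "$FILE"; then
      echo "$FILE exists."
    else
      echo "ERROR: $FILE does not exist."
      exit 1
    fi
    # NOTE(review): the RPM is picked up from a staging directory on the host
    # (/tmp/install) and installed without an explicit signature check. If the
    # publisher's GPG key is imported on the node, `rpm --checksig "$FILE"`
    # before this step rejects a tampered or replaced file.
    echo "Installing $PACKAGE"
    # Invoke rpm directly; the previous `eval "rpm -ivh $FILE"` re-parsed the
    # path as shell code for no benefit.
    rpm -ivh "$FILE"
    echo "Verifying $PACKAGE"
    # rpm -V prints nothing when every file in the package matches its
    # recorded metadata; any output (including "not installed") is a failure.
    OUTPUT=$(rpm -V "$PACKAGE")
    if [[ -z "$OUTPUT" ]]; then
      echo "$PACKAGE installed and verified"
    else
      echo "$PACKAGE could not be verified"
      echo "$OUTPUT"
      exit 1
    fi
---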
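# One pod per eligible node. The privileged init container performs the
# install once; the unprivileged pause container then keeps the pod alive so
# the DaemonSet does not reschedule and re-run the installer.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-patch-installer
  namespace: node-configuration-daemonset
spec:
  selector:
    matchLabels:
      job: node-patch-installer
  template:
    metadata:
      labels:
        job: node-patch-installer
    spec:
      # Linux amd64/arm64 nodes only, excluding Fargate (no node to patch).
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - arm64
                  - key: eks.amazonaws.com/compute-type
                    operator: NotIn
                    values:
                      - fargate
      # hostPID + privileged are what the installer needs to act on the node;
      # they are confined to the init container and gated by the PSP/PSA grant.
      hostPID: true
      restartPolicy: Always
      # Nothing in this pod talks to the API server, so do not hand a
      # ServiceAccount token to a privileged, host-PID container.
      automountServiceAccountToken: false
      initContainers:
        # Tag-pinned only. For a node-wide privileged installer, pin by digest
        # (image@sha256:<digest-from-registry>) so `imagePullPolicy: Always`
        # cannot pull a re-tagged image.
        - image: public.ecr.aws/aws-containers/kubernetes-log4j-cve-2021-44228-mitigation:v0.0.4
          name: node-patch-installer
          securityContext:
            privileged: true
          volumeMounts:
            # install.sh from the ConfigMap
            - name: install-script
              mountPath: /tmp
            # host /tmp/install, where the RPM is staged for the script
            - name: tmp-install
              mountPath: /host
          imagePullPolicy: Always
      volumes:
        - name: install-script
          configMap:
            name: node-patch-installer-script
        - name: tmp-install
          hostPath:
            path: /tmp/install
      serviceAccountName: node-patch-installer
      # Tolerate every taint so no node (including tainted/control-plane
      # nodes) is left unpatched.
      tolerations:
        - operator: Exists
      containers:
        # Placeholder workload; locked down since it does nothing.
        - image: "public.ecr.aws/eks-distro/kubernetes/pause:3.5"
          name: pause
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                # canonical spelling of the "drop everything" capability set
                - ALL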