Skip to content

Commit

Permalink
Merge pull request #151 from nirmata/add-eks-plan-policies
Browse files Browse the repository at this point in the history 
feat: add `eks` best practices terraform plan policies
  • Loading branch information
@anusha94
anusha94 authored Jul 24, 2024
2 parents b63d9d3 + 602c6fb commit 1066e14
Show file tree
Hide file tree
Showing 46 changed files with 7,220 additions and 0 deletions.
75 changes: 75 additions & 0 deletions terraform/plan/eks-best-practices/check-control-plane-logging/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
# Check Control Plane Logging for Amazon EKS

Enabling Amazon EKS control plane logging for all log types is a best practice for enhancing the security, monitoring, troubleshooting, performance optimization, and operational management of your Kubernetes clusters. By capturing comprehensive logs of control plane activities, you can effectively manage and secure your EKS infrastructure while ensuring compliance with regulatory requirements and industry standards.

To enable control plane logging for all types in Amazon EKS, ensure that **enabled_cluster_log_types** includes all these types: "api", "audit", "authenticator", "controllerManager" and "scheduler". You can read more about the log types [here](https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)

## Policy Details:

- **Policy Name:** check-control-plane-logging
- **Check Description:** Ensure Amazon EKS control plane logging is enabled for all log types
- **Policy Category:** EKS Best Practices

### Policy Validation Testing Instructions

For testing this policy you will need to:
- Make sure you have `kyverno-json` installed on the machine
- Properly authenticate with AWS

1. **Initialize Terraform:**
```bash
terraform init
```

2. **Create Binary Terraform Plan:**
```bash
terraform plan -out tfplan.binary
```

3. **Convert Binary to JSON Payload:**
```bash
terraform show -json tfplan.binary | jq > payload.json
```

4. **Test the Policy with Kyverno:**
```
kyverno-json scan --payload payload.json --policy policy.yaml
```

a. **Test Policy Against Valid Payload:**
```
kyverno-json scan --policy check-control-plane-logging.yaml --payload test/good-payload.json --bindings test/binding.yaml
```

This produces the output:
```
Loading policies ...
Loading bindings ...
- analyzer -> map[resource:map[type:terraform-plan]]
Loading payload ...
Pre processing ...
Running ( evaluating 1 resource against 1 policy ) ...
- check-control-plane-logging / check-control-plane-logging / PASSED
Done
```
b. **Test Against Invalid Payload:**
```
kyverno-json scan --policy check-control-plane-logging.yaml --payload test/bad-payload-01.json --bindings test/binding.yaml
```
This produces the output:
```
Loading policies ...
Loading bindings ...
- analyzer -> map[resource:map[type:terraform-plan]]
Loading payload ...
Pre processing ...
Running ( evaluating 1 resource against 1 policy ) ...
- check-control-plane-logging / check-control-plane-logging / FAILED
-> EKS control plane logging must be enabled for all log types
-> all[0].check.~.(planned_values.root_module.resources[?type=='aws_eks_cluster'])[0].(values.enabled_cluster_log_types[] || `[]`).(contains(@, 'api') && contains(@, 'audit') && contains(@, 'authenticator') && contains(@, 'controllerManager') && contains(@, 'scheduler')): Invalid value: false: Expected value: true
Done
```
---
29 changes: 29 additions & 0 deletions ...form/plan/eks-best-practices/check-control-plane-logging/check-control-plane-logging.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-control-plane-logging
annotations:
policies.kyverno.io/title: Check Control Plane Logging
policies.kyverno.io/category: EKS Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/description: >-
Enabling Amazon EKS control plane logging for all log types is a best practice
for enhancing the security, monitoring, troubleshooting, performance optimization, and operational management of your Kubernetes clusters.
By capturing comprehensive logs of control plane activities, you can effectively manage and secure your
EKS infrastructure while ensuring compliance with regulatory requirements and industry standards.
spec:
rules:
- name: check-control-plane-logging
match:
all:
- ($analyzer.resource.type): terraform-plan
- (planned_values.root_module.resources[?type=='aws_eks_cluster'] | length(@) > `0`): true
assert:
all:
- message: EKS control plane logging must be enabled for all log types
check:
~.(planned_values.root_module.resources[?type=='aws_eks_cluster']):
(values.enabled_cluster_log_types[] || `[]`):
(contains(@, 'api') && contains(@, 'audit') && contains(@, 'authenticator') && contains(@, 'controllerManager') && contains(@, 'scheduler')): true


27 changes: 27 additions & 0 deletions terraform/plan/eks-best-practices/check-control-plane-logging/test/bad-01.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.16"
}
}

required_version = ">= 1.2.0"
}

provider "aws" {
region = "us-west-2"
}

resource "aws_eks_cluster" "example" {
name = "example-cluster"
role_arn = "arn:aws:iam::123456789012:role/eks-cluster-role"

vpc_config {
subnet_ids = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"]
}
}

output "cluster_id" {
value = aws_eks_cluster.example.id
}
29 changes: 29 additions & 0 deletions terraform/plan/eks-best-practices/check-control-plane-logging/test/bad-02.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.16"
}
}

required_version = ">= 1.2.0"
}

provider "aws" {
region = "us-west-2"
}

resource "aws_eks_cluster" "example" {
name = "example-cluster"
role_arn = "arn:aws:iam::123456789012:role/eks-cluster-role"

vpc_config {
subnet_ids = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"]
}

enabled_cluster_log_types = ["api", "scheduler"]
}

output "cluster_id" {
value = aws_eks_cluster.example.id
}
217 changes: 217 additions & 0 deletions terraform/plan/eks-best-practices/check-control-plane-logging/test/bad-payload-01.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,217 @@
{
"format_version": "1.2",
"terraform_version": "1.8.4",
"planned_values": {
"outputs": {
"cluster_id": {
"sensitive": false
}
},
"root_module": {
"resources": [
{
"address": "aws_eks_cluster.example",
"mode": "managed",
"type": "aws_eks_cluster",
"name": "example",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"values": {
"enabled_cluster_log_types": null,
"encryption_config": [],
"name": "example-cluster",
"outpost_config": [],
"role_arn": "arn:aws:iam::123456789012:role/eks-cluster-role",
"tags": null,
"timeouts": null,
"vpc_config": [
{
"endpoint_private_access": false,
"endpoint_public_access": true,
"security_group_ids": null,
"subnet_ids": [
"subnet-0123456789abcdef0",
"subnet-0123456789abcdef1"
]
}
]
},
"sensitive_values": {
"certificate_authority": [],
"encryption_config": [],
"identity": [],
"kubernetes_network_config": [],
"outpost_config": [],
"tags_all": {},
"vpc_config": [
{
"public_access_cidrs": [],
"subnet_ids": [
false,
false
]
}
]
}
}
]
}
},
"resource_changes": [
{
"address": "aws_eks_cluster.example",
"mode": "managed",
"type": "aws_eks_cluster",
"name": "example",
"provider_name": "registry.terraform.io/hashicorp/aws",
"change": {
"actions": [
"create"
],
"before": null,
"after": {
"enabled_cluster_log_types": null,
"encryption_config": [],
"name": "example-cluster",
"outpost_config": [],
"role_arn": "arn:aws:iam::123456789012:role/eks-cluster-role",
"tags": null,
"timeouts": null,
"vpc_config": [
{
"endpoint_private_access": false,
"endpoint_public_access": true,
"security_group_ids": null,
"subnet_ids": [
"subnet-0123456789abcdef0",
"subnet-0123456789abcdef1"
]
}
]
},
"after_unknown": {
"arn": true,
"certificate_authority": true,
"cluster_id": true,
"created_at": true,
"encryption_config": [],
"endpoint": true,
"id": true,
"identity": true,
"kubernetes_network_config": true,
"outpost_config": [],
"platform_version": true,
"status": true,
"tags_all": true,
"version": true,
"vpc_config": [
{
"cluster_security_group_id": true,
"public_access_cidrs": true,
"subnet_ids": [
false,
false
],
"vpc_id": true
}
]
},
"before_sensitive": false,
"after_sensitive": {
"certificate_authority": [],
"encryption_config": [],
"identity": [],
"kubernetes_network_config": [],
"outpost_config": [],
"tags_all": {},
"vpc_config": [
{
"public_access_cidrs": [],
"subnet_ids": [
false,
false
]
}
]
}
}
}
],
"output_changes": {
"cluster_id": {
"actions": [
"create"
],
"before": null,
"after_unknown": true,
"before_sensitive": false,
"after_sensitive": false
}
},
"configuration": {
"provider_config": {
"aws": {
"name": "aws",
"full_name": "registry.terraform.io/hashicorp/aws",
"version_constraint": "~\u003e 4.16",
"expressions": {
"region": {
"constant_value": "us-west-2"
}
}
}
},
"root_module": {
"outputs": {
"cluster_id": {
"expression": {
"references": [
"aws_eks_cluster.example.id",
"aws_eks_cluster.example"
]
}
}
},
"resources": [
{
"address": "aws_eks_cluster.example",
"mode": "managed",
"type": "aws_eks_cluster",
"name": "example",
"provider_config_key": "aws",
"expressions": {
"name": {
"constant_value": "example-cluster"
},
"role_arn": {
"constant_value": "arn:aws:iam::123456789012:role/eks-cluster-role"
},
"vpc_config": [
{
"subnet_ids": {
"constant_value": [
"subnet-0123456789abcdef0",
"subnet-0123456789abcdef1"
]
}
}
]
},
"schema_version": 0
}
]
}
},
"relevant_attributes": [
{
"resource": "aws_eks_cluster.example",
"attribute": [
"id"
]
}
],
"timestamp": "2024-06-21T12:24:25Z",
"applyable": true,
"complete": true,
"errored": false
}
Loading

0 comments on commit 1066e14

Please sign in to comment.