From b089a7eb70c798ef770d2246b39a7947cfdc0e77 Mon Sep 17 00:00:00 2001
From: Syed Azeez
Date: Tue, 12 Aug 2025 13:55:35 +0530
Subject: [PATCH] feat(cel): add ValidatingPolicy for aws-node IRSA + tests
Signed-off-by: Syed Azeez
---
 aws-cel/require-aws-node-irsa/policy.yaml | 29 +++++++++++++++++++
 .../require-aws-node-irsa/tests/fail/ds.yaml | 18 ++++++++++++
 .../tests/fail/kyverno-test.yaml | 15 ++++++++++
 .../require-aws-node-irsa/tests/pass/ds.yaml | 18 ++++++++++++
 .../tests/pass/kyverno-test.yaml | 15 ++++++++++
 5 files changed, 95 insertions(+)
 create mode 100644 aws-cel/require-aws-node-irsa/policy.yaml
 create mode 100644 aws-cel/require-aws-node-irsa/tests/fail/ds.yaml
 create mode 100644 aws-cel/require-aws-node-irsa/tests/fail/kyverno-test.yaml
 create mode 100644 aws-cel/require-aws-node-irsa/tests/pass/ds.yaml
 create mode 100644 aws-cel/require-aws-node-irsa/tests/pass/kyverno-test.yaml
diff --git a/aws-cel/require-aws-node-irsa/policy.yaml b/aws-cel/require-aws-node-irsa/policy.yaml
new file mode 100644
index 000000000..8cd979c3c
--- /dev/null
+++ b/aws-cel/require-aws-node-irsa/policy.yaml
@@ -0,0 +1,29 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: require-aws-node-irsa
+ annotations:
+ policies.kyverno.io/title: Require aws-node DaemonSet use IRSA
+ policies.kyverno.io/category: AWS, EKS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: DaemonSet
+ policies.kyverno.io/description: >-
+ Ensure the aws-node DaemonSet in kube-system does not use the "aws-node"
+ ServiceAccount (migrate to an IRSA-specific SA instead).
+spec:
+ validationActions:
+ - Audit
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["apps"]
+ apiVersions: ["v1"]
+ operations: ["CREATE","UPDATE"]
+ resources: ["daemonsets"]
+ matchConditions:
+ - name: in-kube-system
+ expression: object.metadata.namespace == "kube-system"
+ - name: is-aws-node
+ expression: object.metadata.name == "aws-node"
+ validations:
+ - message: Update the aws-node DaemonSet to use IRSA (do not use "aws-node" ServiceAccount).
+ expression: object.spec.template.spec.serviceAccountName != "aws-node"
diff --git a/aws-cel/require-aws-node-irsa/tests/fail/ds.yaml b/aws-cel/require-aws-node-irsa/tests/fail/ds.yaml
new file mode 100644
index 000000000..659b6d257
--- /dev/null
+++ b/aws-cel/require-aws-node-irsa/tests/fail/ds.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: aws-node
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ app: aws-node
+ template:
+ metadata:
+ labels:
+ app: aws-node
+ spec:
+ serviceAccountName: aws-node
+ containers:
+ - name: c
+ image: registry.k8s.io/pause
diff --git a/aws-cel/require-aws-node-irsa/tests/fail/kyverno-test.yaml b/aws-cel/require-aws-node-irsa/tests/fail/kyverno-test.yaml
new file mode 100644
index 000000000..80b0aa648
--- /dev/null
+++ b/aws-cel/require-aws-node-irsa/tests/fail/kyverno-test.yaml
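Review bot: The validation expression on the last line of the policy hunk assumes `spec.template.spec.serviceAccountName` is present; when the field is omitted the pods run under the namespace's `default` ServiceAccount, which is not an IRSA identity either, and the CEL access to the missing field is likely to surface as an evaluation error rather than a pass/fail verdict. Guard the field and treat absence as a violation: `expression: has(object.spec.template.spec.serviceAccountName) && object.spec.template.spec.serviceAccountName != "aws-node"` (use `!has(...) ||` instead if the intent is only to reject the legacy name). The rule checks the SA name only and cannot see whether the referenced ServiceAccount actually carries an IRSA role annotation, so the description reads as a stronger guarantee than the policy gives; `Ensure the aws-node DaemonSet in kube-system does not run under the legacy "aws-node" ServiceAccount (it should reference an IRSA-enabled SA instead).` would be accurate. Minor: `operations: ["CREATE", "UPDATE"]` for a space after the comma, matching the other flow lists in the file.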
@@ -0,0 +1,15 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: require-aws-node-irsa-fail
+policies:
+ - ../../policy.yaml
+resources:
+ - ds.yaml
+results:
+ - isValidatingPolicy: true
+ kind: DaemonSet
+ policy: require-aws-node-irsa
+ resources:
+ - aws-node
+ result: fail
diff --git a/aws-cel/require-aws-node-irsa/tests/pass/ds.yaml b/aws-cel/require-aws-node-irsa/tests/pass/ds.yaml
new file mode 100644
index 000000000..18e93f19a
--- /dev/null
+++ b/aws-cel/require-aws-node-irsa/tests/pass/ds.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: aws-node
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ app: aws-node
+ template:
+ metadata:
+ labels:
+ app: aws-node
+ spec:
+ serviceAccountName: aws-node-irsa
+ containers:
+ - name: c
+ image: registry.k8s.io/pause
diff --git a/aws-cel/require-aws-node-irsa/tests/pass/kyverno-test.yaml b/aws-cel/require-aws-node-irsa/tests/pass/kyverno-test.yaml
new file mode 100644
index 000000000..79db90e6f
--- /dev/null
+++ b/aws-cel/require-aws-node-irsa/tests/pass/kyverno-test.yaml
@@ -0,0 +1,15 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: require-aws-node-irsa-pass
+policies:
+ - ../../policy.yaml
+resources:
+ - ds.yaml
+results:
+ - isValidatingPolicy: true
+ kind: DaemonSet
+ policy: require-aws-node-irsa
+ resources:
+ - aws-node
+ result: pass
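Review bot: The pass and fail suites only exercise the validation body; nothing in either kyverno-test.yaml checks the two matchConditions in policy.yaml, so a regression that drops the namespace or name condition and starts flagging every DaemonSet would still pass. Add fixtures for a DaemonSet named `aws-node` outside `kube-system` and for a differently named DaemonSet inside `kube-system`, each with `result: skip`, and a kube-system `aws-node` DaemonSet with no `serviceAccountName` at all to pin how the policy treats the absent field. The pass fixture's `serviceAccountName: aws-node-irsa` is the only accepted value under test, and since the rule accepts any name other than `aws-node` (including `default`), a one-line comment above it such as `# any SA name other than "aws-node" passes; IRSA itself is not verified here` would stop readers taking the test as proof of IRSA.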