Skip to content

feat(cel): add ValidatingPolicy for aws-node IRSA + tests #1328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

feat(cel): add ValidatingPolicy for aws-node IRSA + tests #1328

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
b089a7e
feat(cel): add ValidatingPolicy for aws-node IRSA + tests
syedazeez337 Aug 12, 2025
7ecb320
Merge branch 'main' into feat/cel-require-aws-node-irsa
realshuting Aug 15, 2025
c7d8b39
Merge branch 'main' into feat/cel-require-aws-node-irsa
JimBugwadia Aug 18, 2025
9500f96
Merge branch 'main' into feat/cel-require-aws-node-irsa
JimBugwadia Aug 18, 2025
ea6dcc1
Merge branch 'main' into feat/cel-require-aws-node-irsa
JimBugwadia Aug 18, 2025
de076d6
Merge branch 'main' into feat/cel-require-aws-node-irsa
fjogeleit Aug 19, 2025
9be0244
Merge branch 'main' into feat/cel-require-aws-node-irsa
JimBugwadia Sep 4, 2025
1824161
Merge branch 'main' into feat/cel-require-aws-node-irsa
JimBugwadia Oct 21, 2025
95f4ffd
Merge branch 'main' into feat/cel-require-aws-node-irsa
JimBugwadia Oct 21, 2025
111f93c
Merge branch 'main' into feat/cel-require-aws-node-irsa
JimBugwadia Oct 22, 2025
1c9a73d
Merge branch 'main' into feat/cel-require-aws-node-irsa
realshuting Oct 23, 2025
dcf1f7d
Merge branch 'main' into feat/cel-require-aws-node-irsa
JimBugwadia Oct 27, 2025
cfd1086
Merge branch 'main' into feat/cel-require-aws-node-irsa
JimBugwadia Oct 28, 2025
90ca6a6
Merge branch 'main' into feat/cel-require-aws-node-irsa
fjogeleit Oct 28, 2025
f2382af
Merge branch 'main' into feat/cel-require-aws-node-irsa
JimBugwadia Oct 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions aws-cel/require-aws-node-irsa/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: require-aws-node-irsa
annotations:
policies.kyverno.io/title: Require aws-node DaemonSet use IRSA
policies.kyverno.io/category: AWS, EKS Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: DaemonSet
policies.kyverno.io/description: >-
Ensure the aws-node DaemonSet in kube-system does not use the "aws-node"
ServiceAccount (migrate to an IRSA-specific SA instead).
spec:
validationActions:
- Audit
matchConstraints:
resourceRules:
- apiGroups: ["apps"]
apiVersions: ["v1"]
operations: ["CREATE","UPDATE"]
resources: ["daemonsets"]
matchConditions:
- name: in-kube-system
expression: object.metadata.namespace == "kube-system"
- name: is-aws-node
expression: object.metadata.name == "aws-node"
validations:
- message: Update the aws-node DaemonSet to use IRSA (do not use "aws-node" ServiceAccount).
expression: object.spec.template.spec.serviceAccountName != "aws-node"
18 changes: 18 additions & 0 deletions aws-cel/require-aws-node-irsa/tests/fail/ds.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: aws-node
namespace: kube-system
spec:
selector:
matchLabels:
app: aws-node
template:
metadata:
labels:
app: aws-node
spec:
serviceAccountName: aws-node
containers:
- name: c
image: registry.k8s.io/pause
15 changes: 15 additions & 0 deletions aws-cel/require-aws-node-irsa/tests/fail/kyverno-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: require-aws-node-irsa-fail
policies:
- ../../policy.yaml
resources:
- ds.yaml
results:
- isValidatingPolicy: true
kind: DaemonSet
policy: require-aws-node-irsa
resources:
- aws-node
result: fail
18 changes: 18 additions & 0 deletions aws-cel/require-aws-node-irsa/tests/pass/ds.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: aws-node
namespace: kube-system
spec:
selector:
matchLabels:
app: aws-node
template:
metadata:
labels:
app: aws-node
spec:
serviceAccountName: aws-node-irsa
containers:
- name: c
image: registry.k8s.io/pause
15 changes: 15 additions & 0 deletions aws-cel/require-aws-node-irsa/tests/pass/kyverno-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: require-aws-node-irsa-pass
policies:
- ../../policy.yaml
resources:
- ds.yaml
results:
- isValidatingPolicy: true
kind: DaemonSet
policy: require-aws-node-irsa
resources:
- aws-node
result: pass
Loading