
FEATURE: EKS Protection #61

Merged: 29 commits, Oct 23, 2024

Conversation

ryanjpayne (Contributor):

  • Add resources and documentation to support CrowdStrike EKS Protection

@kkvinjam (Collaborator) left a comment:

Please add a test in the .taskcat.yaml to deploy this new use case in addition to the review comments.

- Arn

# CodeBuild Project to deploy Falcon Operator and Sensor
EKSCodeBuild:
Collaborator:

Recommendation: CodeBuild project should specify an EncryptionKey value
Add exemption with valid reason if the project cannot be encrypted.

ryanjpayne (Contributor, Author):

Which linter does this flag apply to? I do not see it in cfnlint or checkov.

ryanjpayne (Contributor, Author):

But the default CMK will suffice.

Collaborator:

This is coming from cfn_nag. Could you please add an exception to avoid flagging this in the future? No value for EncryptionKey defaults to the managed CMK for Amazon Simple Storage Service (Amazon S3).

@ryanjpayne (Contributor, Author):

> Please add a test in the .taskcat.yaml to deploy this new use case in addition to the review comments.

Need to add taskcat SSM params:

  • FalconCID
  • EKS Protection Account (the AWS account ID to launch EKS protection resources)
  • Falcon Docker API Token

Retrieve the Docker API Token from Falcon console > Cloud accounts registration > Kubernetes:

  1. Register new Kubernetes cluster
  2. Self-managed Kubernetes service
  3. Enter any cluster name
  4. Click Generate
  5. dockerapitoken will be in the generated config_value.yaml

@kkvinjam (Collaborator):

/do-e2e-tests

End to end test has been scheduled

E2E tests in progress

@aws-ia-automator-prod (bot) left a comment:

E2E test has completed with errors. If you are an external contributor, please contact the project maintainers for more information.

@kkvinjam (Collaborator):

> E2E test has completed with errors. If you are an external contributor, please contact the project maintainers for more information.

@ryanjpayne since there are no default values, required parameters from failure reason below need to be added to all tests in the .taskcat.yml file.

Failure reason:

[ERROR  ] : The following parameters have no value whatsoever. The CloudFormation stack will fail to launch. Please address. str(['FalconCID', 'DockerAPIToken', 'EventBusAccount'])
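The failure above, and the taskcat SSM parameters ryanjpayne lists earlier in the thread, come down to one check: every template parameter that has no `Default` must receive a value from the project-level or test-level `parameters` of `.taskcat.yml`, otherwise the stack cannot launch. The block below is an added example, not code from this repository or from taskcat; it runs that check over constructed, already-parsed template and config dicts (load the real files with a YAML loader that accepts CloudFormation tags). The parameter names come from the thread; the SSM paths and test names are assumptions.

```python
"""Pre-flight check: which taskcat tests leave required template parameters unset."""
from typing import Any, Dict, List

# Constructed sample: a minimal view of the template's Parameters section.
# FalconCID and DockerAPIToken are secrets (NoEcho), so they should come from SSM, never plain text.
TEMPLATE_PARAMETERS: Dict[str, Dict[str, Any]] = {
    "FalconCID": {"Type": "String", "NoEcho": True},
    "DockerAPIToken": {"Type": "String", "NoEcho": True},
    "EventBusAccount": {"Type": "String"},
    "CodeBuildProjectName": {"Type": "String", "Default": "crowdstrike-eks-codebuild"},
}

# Constructed sample .taskcat.yml content. Project-level parameters apply to every test and
# test-level parameters override them. "$[taskcat_ssm_<name>]" is taskcat's SSM pseudo-parameter
# syntax; the parameter paths are assumed for this example.
TASKCAT_CONFIG: Dict[str, Any] = {
    "project": {
        "name": "eks-protection",
        "parameters": {"FalconCID": "$[taskcat_ssm_/crowdstrike/falcon_cid]"},
    },
    "tests": {
        "eks-protection": {
            "template": "templates/eks-protection-stack.yml",
            "parameters": {"DockerAPIToken": "$[taskcat_ssm_/crowdstrike/docker_api_token]"},
        },
        "eks-protection-minimal": {"template": "templates/eks-protection-stack.yml"},
    },
}


def missing_parameters(template_params: Dict[str, Dict[str, Any]],
                       taskcat_config: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return {test_name: [parameters with neither a Default nor a configured value]}."""
    required = [name for name, spec in template_params.items() if "Default" not in spec]
    project_values = taskcat_config.get("project", {}).get("parameters", {}) or {}
    result: Dict[str, List[str]] = {}
    for test_name, test in taskcat_config.get("tests", {}).items():
        values = {**project_values, **(test.get("parameters", {}) or {})}
        unset = [p for p in required if values.get(p) in (None, "")]
        if unset:
            result[test_name] = unset
    return result


if __name__ == "__main__":
    for test, params in missing_parameters(TEMPLATE_PARAMETERS, TASKCAT_CONFIG).items():
        print(f"[ERROR] test '{test}': no value for {params}")
```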

@kkvinjam (Collaborator):

/do-e2e-tests

End to end test has been scheduled

E2E tests in progress

@aws-ia-automator-prod (bot) left a comment:

E2E test has completed with errors. If you are an external contributor, please contact the project maintainers for more information.

- id: CKV_AWS_109
comment: IAM PassRole action is constrained by resource ARN.
- id: CKV_AWS_111
comment: IAM PassRole action is constrained by resource ARN.
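Review bot: the skip justification for CKV_AWS_109 and CKV_AWS_111 does not match the policy it is attached to. Both comments read "IAM PassRole action is constrained by resource ARN", but as raised in the thread the policy contains no iam:PassRole action, so the stated reason cannot be what made these checks fire. Either remove the two skips, or replace the comment with the actual action that cannot be constrained to a resource ARN, so that the exemption documents a real, reviewable decision rather than a copied one.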
Collaborator:

I do not see iam:PassRole in this policy. What is the need for this exception?

Name: !Ref CodeBuildProjectName
ServiceRole: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CodeBuildRoleName}
Source:
Location: !Sub '${StagingS3Bucket}/${SourceS3BucketNamePrefix}/codebuild/codebuild.zip'
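Review bot: `Source.Location` still resolves to `${StagingS3Bucket}/${SourceS3BucketNamePrefix}/codebuild/codebuild.zip`, and the thread indicates the CodeBuild source was moved, so this path needs to follow the new file location or the project will fail at build start on a missing source object. While here, if the role named by `${CodeBuildRoleName}` is created in this same template, `!GetAtt <Role>.Arn` for `ServiceRole` would express that dependency explicitly instead of assembling the ARN with `!Sub`.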
Collaborator:

@ryanjpayne This needs to be fixed to match with the new file location?

@kkvinjam (Collaborator):

/do-e2e-tests

End to end test has been scheduled

E2E tests in progress

@aws-ia-automator-prod (bot) left a comment:

E2E test has completed with errors. If you are an external contributor, please contact the project maintainers for more information.

@kkvinjam (Collaborator):

/do-e2e-tests

End to end test has been scheduled

E2E tests in progress

@aws-ia-automator-prod (bot) left a comment:

E2E test has completed with errors. If you are an external contributor, please contact the project maintainers for more information.

@kkvinjam (Collaborator):

/do-e2e-tests

End to end test has been scheduled

E2E tests in progress

@aws-ia-automator-prod (bot) left a comment:

E2E test has completed with errors. If you are an external contributor, please contact the project maintainers for more information.

@kkvinjam (Collaborator):

/do-e2e-tests

End to end test has been scheduled

E2E tests in progress

@aws-ia-automator-prod (bot) left a comment:

E2E test has completed with errors. If you are an external contributor, please contact the project maintainers for more information.

@kkvinjam (Collaborator):

/do-e2e-tests

@ryanjpayne ryanjpayne force-pushed the FEAT-0824-eksprotection branch from d951cce to ed64e7a Compare September 23, 2024 14:13
Static analysis has failed. Please review and take action as appropriate.

@kkvinjam (Collaborator):

/do-e2e-tests

End to end test has been scheduled

E2E tests in progress

@aws-ia-automator-prod (bot) left a comment:

E2E test has completed with errors. If you are an external contributor, please contact the project maintainers for more information.

@kkvinjam (Collaborator):

/do-e2e-tests

End to end test has been scheduled

E2E tests in progress

@aws-ia-automator-prod (bot) left a comment:

E2E test has completed with errors. If you are an external contributor, please contact the project maintainers for more information.

@kkvinjam (Collaborator):

/do-e2e-tests

End to end test has been scheduled

E2E tests in progress

@aws-ia-automator-prod (bot) left a comment:

E2E tests completed successfully

@kkvinjam kkvinjam merged commit 1573fce into aws-ia:main Oct 23, 2024
4 checks passed
@ryanjpayne ryanjpayne deleted the FEAT-0824-eksprotection branch November 29, 2024 15:28