├── .github
├── ISSUE_TEMPLATE
│ ├── correction.md
│ └── new-best-practice.md
└── PULL_REQUEST_TEMPLATE.md
├── .gitignore
├── .prettierignore
├── .vale.ini
├── CODEOWNERS
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── Config
├── LICENSE
├── LICENSE-SAMPLECODE
├── LICENSE-SUMMARY
├── README.md
├── bpg-docs.code-workspace
├── build-info.xml
├── build.xml
├── github-sync.sh
├── governance
├── model.md
├── steering.md
└── tenets.md
├── latest
└── bpg
│ ├── aiml
│ ├── aiml_compute.adoc
│ ├── aiml_index.adoc
│ ├── aiml_networking.adoc
│ ├── aiml_observability.adoc
│ ├── aiml_performance.adoc
│ ├── aiml_security.adoc
│ ├── aiml_storage.adoc
│ └── images
│ ├── attributes.txt
│ ├── autoscaling
│ ├── auto-mode.adoc
│ ├── cluster-autoscaler.adoc
│ ├── images
│ ├── index.adoc
│ └── karpenter.adoc
│ ├── book.adoc
│ ├── contribute.adoc
│ ├── cost
│ ├── awareness.adoc
│ ├── cfm_framework.adoc
│ ├── cost_opt_compute.adoc
│ ├── cost_opt_networking.adoc
│ ├── cost_opt_observability.adoc
│ ├── cost_opt_storage.adoc
│ ├── cost_optimization_index.adoc
│ ├── images
│ └── optimizing.adoc
│ ├── hybrid
│ ├── index.adoc
│ └── network-disconnections
│ │ ├── app-network-traffic.adoc
│ │ ├── best-practices.adoc
│ │ ├── host-credentials.adoc
│ │ ├── index.adoc
│ │ └── kubernetes-pod-failover.adoc
│ ├── images
│ ├── ClusterAS-HPA.png
│ ├── Compute-savings-plan.png
│ ├── Goldilocks.png
│ ├── after-results.png
│ ├── after.png
│ ├── autoscaling
│ │ ├── cas_architecture.png
│ │ ├── cas_spot_mix_instance_policy.jpg
│ │ ├── gp_nodepool.png
│ │ └── system_nodepool.png
│ ├── before-results.png
│ ├── before.png
│ ├── between_vpcs.png
│ ├── cfm_framework.png
│ ├── cluster-auto-scaler.png
│ ├── console.png
│ ├── eks-auth-flow.jpg
│ ├── eks-controlplane-costexplorer.png
│ ├── eks-fargate-costexplorer.png
│ ├── endpoint_slice.png
│ ├── external-and-internal-traffic-policy.png
│ ├── flywheel.png
│ ├── high-cardinality.png
│ ├── hybrid
│ │ └── k8s-components-pod-failover.png
│ ├── ip_mode.png
│ ├── istio-traffic-control.png
│ ├── kube-cost.png
│ ├── kube-down-scaler.png
│ ├── kube-opex-analytics.png
│ ├── kube-ops-report.png
│ ├── kube-resource-report1.png
│ ├── kube-resource-report2.png
│ ├── kube-resource-report3.png
│ ├── kubernetes-dashboard.png
│ ├── lb_2_pod.png
│ ├── local_traffic.png
│ ├── nat_gw.png
│ ├── networking
│ │ ├── cn-image-2.png
│ │ ├── cn-image-3.png
│ │ ├── cn-image.png
│ │ ├── cni_image-2.png
│ │ ├── cni_image-3.png
│ │ ├── cni_image-4.png
│ │ ├── cni_image-5.png
│ │ ├── cni_image.png
│ │ ├── image.png
│ │ ├── ipv6_Pod-to-service-ipv6.png
│ │ ├── ipv6_Pod-to-service-ipv6_old.png
│ │ ├── ipv6_eks-cluster-ipv6-foundation.png
│ │ ├── ipv6_eks-cluster-ipv6-foundation_old.png
│ │ ├── ipv6_eks-egress-ipv6.png
│ │ ├── ipv6_eks-egress-ipv6_old.png
│ │ ├── ipv6_eks-ipv4-snat-cni-internet.png
│ │ ├── ipv6_eks-ipv4-snat-cni-internet_old.png
│ │ ├── ipv6_eks-ipv4-snat-cni.png
│ │ ├── ipv6_eks-ipv4-snat-cni_old.png
│ │ ├── ipv6_eks-ipv6-foundation.png
│ │ ├── ipv6_eks-ipv6-foundation_old.png
│ │ ├── ipv6_image-2.png
│ │ ├── ipv6_image-3.png
│ │ ├── ipv6_image-4.png
│ │ ├── ipv6_image-5.png
│ │ ├── ipv6_ipv4-internet-to-eks-ipv6.png
│ │ ├── ipv6_ipv4-internet-to-eks-ipv6_old.png
│ │ ├── lb_deployments.png
│ │ ├── lb_ip.png
│ │ ├── lb_nodeport.png
│ │ ├── lb_podterminationlifecycle.png
│ │ ├── lb_readiness.png
│ │ ├── lb_statepropagation.png
│ │ ├── lb_target_type_instance.png
│ │ ├── lb_target_type_instance_old.png
│ │ ├── lb_target_type_ip.png
│ │ ├── lb_target_type_ip_old.png
│ │ ├── mon_conntrack.png
│ │ ├── mon_cw_metrics.png
│ │ ├── mon_explore_metrics.png
│ │ ├── mon_linklocal.png
│ │ ├── opt_custom-networking.gif
│ │ ├── opt_enhanced-subnet-discovery.gif
│ │ ├── opt_ipv6.gif
│ │ ├── pm_image-2.jpeg
│ │ ├── pm_image.png
│ │ ├── pm_windows-1.jpg
│ │ ├── pm_windows-2.jpg
│ │ ├── sgpp_image-2.png
│ │ ├── sgpp_image-3.png
│ │ ├── sgpp_image.png
│ │ ├── subnet_eks-shared-subnets.png
│ │ ├── subnet_image-2.jpg
│ │ ├── subnet_image.png
│ │ ├── subnet_private-nat-gw.gif
│ │ └── subnet_vpc-lattice.gif
│ ├── no_node_local_1.png
│ ├── no_node_local_2.png
│ ├── peering.png
│ ├── recommended_approach.png
│ ├── reliability-ca-asg.jpg
│ ├── reliability
│ │ ├── SRM-Fargate.jpeg
│ │ ├── SRM-MNG.jpeg
│ │ ├── eks-data-plane-connectivity.jpeg
│ │ └── pod-topology-spread-constraints.jpg
│ ├── scalability
│ │ ├── APF.jpg
│ │ ├── PLEG-duration.png
│ │ ├── api-request-duration.png
│ │ ├── bad-sweetspot.png
│ │ ├── bottlenecks.png
│ │ ├── churn-rate.png
│ │ ├── cores-1.png
│ │ ├── cores-2.png
│ │ ├── cores-3.png
│ │ ├── cpu-1.png
│ │ ├── cpu-2.png
│ │ ├── cpu-limits.png
│ │ ├── cwl-query.png
│ │ ├── defrag.png
│ │ ├── etcd-duress.png
│ │ ├── flow-addons.png
│ │ ├── flow.png
│ │ ├── hpa-utilization.png
│ │ ├── inflight-requests.png
│ │ ├── k8s-components.png
│ │ ├── keeping-up.png
│ │ ├── node-saturation.png
│ │ ├── node-size.png
│ │ ├── query-results.png
│ │ ├── queues.png
│ │ ├── requests-1.png
│ │ ├── requests-2.png
│ │ ├── requests-in-use.png
│ │ ├── scaling-ratio.png
│ │ ├── shared-concurrency.png
│ │ ├── slowest-requests.png
│ │ ├── smooth-scaling.png
│ │ ├── spiky-scaling.png
│ │ ├── stalled-io.png
│ │ ├── sweet-spot.png
│ │ ├── thread-pool.png
│ │ ├── util-vs-saturation-1.png
│ │ └── util-vs-saturation-2.png
│ ├── security
│ │ ├── SRM-AUTO.png
│ │ ├── SRM-EKS.jpg
│ │ ├── SRM-MNG.jpg
│ │ ├── allow-dns-access.jpg
│ │ ├── allow-ingress-app-one.png
│ │ ├── default-deny.jpg
│ │ ├── default-istio-csr-flow.png
│ │ ├── istio-csr-requests.png
│ │ ├── istio-csr-with-acm-private-ca.png
│ │ ├── multi-account-eks-decentralized.png
│ │ ├── multi-account-eks-shared-subnets.png
│ │ └── multi-account-eks.jpg
│ ├── slice_shell.png
│ ├── spot_diagram.png
│ ├── topo_aware_routing.png
│ ├── transititive.png
│ ├── vpc_endpoints.png
│ └── windows
│ │ ├── associated-components.png
│ │ ├── build-components.png
│ │ ├── domainless_gmsa.png
│ │ ├── dsr.png
│ │ ├── ecr-image.png
│ │ ├── images.png
│ │ ├── inspector-agent.png
│ │ ├── permissions-policies.png
│ │ ├── prom.png
│ │ ├── selected-components.png
│ │ └── windows-networking.png
│ ├── index.adoc
│ ├── networking
│ ├── custom-networking.adoc
│ ├── images
│ ├── index.adoc
│ ├── ip-optimization-strategies.adoc
│ ├── ipv6.adoc
│ ├── ipvs.adoc
│ ├── loadbalancing.adoc
│ ├── monitoring.adoc
│ ├── prefix-mode_linux.adoc
│ ├── prefix-mode_windows.adoc
│ ├── sgpp.adoc
│ ├── subnet-calc
│ │ └── subnet-calc.xlsx
│ ├── subnets.adoc
│ └── vpc-cni.adoc
│ ├── reliability
│ ├── application.adoc
│ ├── controlplane.adoc
│ ├── dataplane.adoc
│ ├── images
│ └── index.adoc
│ ├── scalability
│ ├── cluster-services.adoc
│ ├── control-plane.adoc
│ ├── data-plane.adoc
│ ├── images
│ ├── index.adoc
│ ├── kcp_monitoring.adoc
│ ├── kubernetes_slos.adoc
│ ├── node_efficiency.adoc
│ ├── quotas.adoc
│ ├── scaling_theory.adoc
│ └── workloads.adoc
│ ├── security
│ ├── automode.adoc
│ ├── cam.adoc
│ ├── compliance.adoc
│ ├── data.adoc
│ ├── detective.adoc
│ ├── hosts.adoc
│ ├── iam.adoc
│ ├── image.adoc
│ ├── images
│ ├── incidents.adoc
│ ├── index.adoc
│ ├── multiaccount.adoc
│ ├── multiaccount.adoc.backup
│ ├── multitenancy.adoc
│ ├── network.adoc
│ ├── pods.adoc
│ └── runtime.adoc
│ ├── upgrades
│ └── index.adoc
│ └── windows
│ ├── ami.adoc
│ ├── gmsa.adoc
│ ├── hardening.adoc
│ ├── hardening_container_image.adoc
│ ├── images
│ ├── images.adoc
│ ├── index.adoc
│ ├── licensing.adoc
│ ├── logging.adoc
│ ├── monitoring.adoc
│ ├── networking.adoc
│ ├── oom.adoc
│ ├── patching.adoc
│ ├── scheduling.adoc
│ ├── security.adoc
│ └── storage.adoc
├── policies
├── README.md
├── alternative-gatekeeper
│ ├── README.md
│ ├── gatekeeper-sync.yaml
│ ├── policies
│ │ ├── constraint-templates
│ │ │ ├── container_resource_ratios.yaml
│ │ │ ├── disallowed_tags.yaml
│ │ │ ├── kustomization.yaml
│ │ │ ├── psp_capabilities.yaml
│ │ │ ├── psp_host_namespaces.yaml
│ │ │ ├── psp_host_network.yaml
│ │ │ ├── psp_privilege_escalation.yaml
│ │ │ ├── psp_privileged.yaml
│ │ │ ├── psp_users.yaml
│ │ │ ├── psp_volumes.yaml
│ │ │ └── required_probes.yaml
│ │ ├── constraints
│ │ │ ├── container_resource_ratios.yaml
│ │ │ ├── disallowed_tags.yaml
│ │ │ ├── kustomization.yaml
│ │ │ ├── psp_capabilities.yaml
│ │ │ ├── psp_host_namespaces.yaml
│ │ │ ├── psp_host_network.yaml
│ │ │ ├── psp_privilege_escalation.yaml
│ │ │ ├── psp_privileged.yaml
│ │ │ ├── psp_users.yaml
│ │ │ ├── psp_volumes.yaml
│ │ │ └── required_probes.yaml
│ │ └── policies-sync.yaml
│ └── tests
│ │ ├── allowed.yaml
│ │ ├── container_resource_ratios.yaml
│ │ ├── disallowed_tags.yaml
│ │ ├── psp_capabilities.yaml
│ │ ├── psp_host_namespaces.yaml
│ │ ├── psp_host_network.yaml
│ │ ├── psp_privilege_escalation.yaml
│ │ ├── psp_privileged.yaml
│ │ ├── psp_users.yaml
│ │ ├── psp_volumes.yaml
│ │ └── required_probes.yaml
├── k8s-registry-deprecation
│ ├── README.md
│ ├── gatekeeper
│ │ ├── deprecated-registry-c.yaml
│ │ └── deprecated-registry-ct.yaml
│ ├── kyverno
│ │ └── deprecated-registry.yaml
│ └── sigstore
│ │ └── deprecated-registry.yaml
├── kyverno
│ ├── README.md
│ ├── cluster-policies
│ │ ├── 1-dep-pod-labels.yaml
│ │ ├── 2-dep-pod-sec-cont.yaml
│ │ ├── 3-dep-pod-valid-registry.yaml
│ │ ├── 4-cm-ns-roles.yaml
│ │ └── 4-dep-valid-role.yaml
│ └── test-resources
│ │ ├── 0-ns.yaml
│ │ ├── 1-ok.yaml
│ │ ├── 10-dep-sec-cont.yaml
│ │ ├── 11-dep-reg-allow.yaml
│ │ ├── 12-dep-wrong-role.yaml
│ │ ├── 13-dep-no-role.yaml
│ │ ├── 2-dep-lab.yaml
│ │ ├── 3-dep-spec-temp-meta-lab.yaml
│ │ ├── 4-dep-sec-cont.yaml
│ │ ├── 5-dep-sec-cont.yaml
│ │ ├── 6-dep-sec-cont.yaml
│ │ ├── 7-dep-sec-cont.yaml
│ │ ├── 8-dep-sec-cont.yaml
│ │ └── 9-dep-sec-cont.yaml
└── opa
│ ├── README.md
│ ├── classic
│ ├── configmaps
│ │ ├── 0-lib.yaml
│ │ ├── 1-main.yaml
│ │ ├── 10-clusterip-service-ext-ips.yaml
│ │ ├── 2-deployment-labels.yaml
│ │ ├── 3-deployment-spec-temp-labels.yaml
│ │ ├── 4-deployment-security-context.yaml
│ │ ├── 5-deployment-registry-allowed.yaml
│ │ ├── 6-deployment-ns-role-allowed.yaml
│ │ ├── 7-deployment-resources.yaml
│ │ ├── 8-deployment-latest-image-version.yaml
│ │ └── 9-clusterip-service-ext-ips.yaml
│ └── test-resources
│ │ ├── 0-ns.yaml
│ │ ├── 1-ok.yaml
│ │ ├── 10-dep-sec-cont.yaml
│ │ ├── 100-dep-all-fail.yaml
│ │ ├── 11-dep-reg-allow.yaml
│ │ ├── 12-dep-wrong-role.yaml
│ │ ├── 13-dep-no-role.yaml
│ │ ├── 14-dep-res.yaml
│ │ ├── 15-dep-res.yaml
│ │ ├── 16-dep-res.yaml
│ │ ├── 17-dep-res.yaml
│ │ ├── 18-dep-res.yaml
│ │ ├── 19-dep-res.yaml
│ │ ├── 2-dep-lab.yaml
│ │ ├── 20-dep-res.yaml
│ │ ├── 3-dep-spec-temp-meta-lab.yaml
│ │ ├── 30-dep-latest.yaml
│ │ ├── 31-dep-no-ver.yaml
│ │ ├── 4-dep-sec-cont.yaml
│ │ ├── 40-clusterip-service-ext-ips.yaml
│ │ ├── 41-clusterip-service-ext-ips.yaml
│ │ ├── 5-dep-sec-cont.yaml
│ │ ├── 6-dep-sec-cont.yaml
│ │ ├── 7-dep-sec-cont.yaml
│ │ ├── 8-dep-sec-cont.yaml
│ │ └── 9-dep-sec-cont.yaml
│ └── gatekeeper
│ ├── constraint-templates
│ ├── 1-labels-constraint-template.yaml
│ ├── 2-dep-security-context-template.yaml
│ ├── 3-dep-registry-template.yaml
│ ├── 4-dep-role-ns-template.yaml
│ ├── 5-dep-resources-template.yaml
│ ├── 6-dep-latest-version-template.yaml
│ ├── 7-svc-clusterip-ext-ips.yaml
│ └── 8-svc-clusterip-ext-ips-allowed.yaml
│ ├── constraints
│ ├── 1-dep-labels-constraint.yaml
│ ├── 2-dep-security-context-constraint.yaml
│ ├── 3-dep-allowed-registry-constraint.yaml
│ ├── 4-dep-allowed-role-ns-constraint.yaml
│ ├── 5-dep-resources-constraint.yaml
│ ├── 6-dep-latest-version-constraint.yaml
│ ├── 7-svc-clusterip-ext-ips.yaml
│ └── 8-svc-clusterip-ext-ips-allowed.yaml
│ ├── node-selector
│ ├── mutate
│ │ ├── 1-affinity-deploy.yaml
│ │ ├── 2-affinity-pod.yaml
│ │ ├── 3-toleration-deploy.yaml
│ │ └── 4-toleration-pod.yaml
│ ├── test
│ │ ├── 1-test-ns.yaml
│ │ ├── 2-test-pod.yaml
│ │ ├── 3-test-deploy.yaml
│ │ └── 4-test-deploy.yaml
│ └── validate
│ │ ├── constraint-templates
│ │ ├── 1-toleration-constraint-template-dep.yaml
│ │ ├── 2-toleration-constraint-template-pod.yaml
│ │ ├── 3-affinity-constraint-template-dep.yaml
│ │ └── 4-affinity-constraint-template-pod.yaml
│ │ └── constraints
│ │ ├── 1-dep-toleration-constraint.yaml
│ │ ├── 2-pod-toleration-constraint.yaml
│ │ ├── 3-dep-nodeaffinity-constraint.yaml
│ │ └── 4-pod-nodeaffinity-constraint.yaml
│ └── test-resources
│ ├── 0-ns.yaml
│ ├── 1-ok.yaml
│ ├── 10-dep-sec-cont.yaml
│ ├── 100-dep-all-fail.yaml
│ ├── 11-dep-reg-allow.yaml
│ ├── 12-dep-wrong-role.yaml
│ ├── 13-dep-no-role.yaml
│ ├── 14-dep-res.yaml
│ ├── 15-dep-res.yaml
│ ├── 16-dep-res.yaml
│ ├── 17-dep-res.yaml
│ ├── 18-dep-res.yaml
│ ├── 19-dep-res.yaml
│ ├── 2-dep-lab.yaml
│ ├── 20-dep-res.yaml
│ ├── 3-dep-spec-temp-meta-lab.yaml
│ ├── 30-dep-latest.yaml
│ ├── 31-dep-no-ver.yaml
│ ├── 4-dep-sec-cont.yaml
│ ├── 40-clusterip-service-ext-ips.yaml
│ ├── 41-clusterip-service-ext-ips.yaml
│ ├── 5-dep-sec-cont.yaml
│ ├── 6-dep-sec-cont.yaml
│ ├── 7-dep-sec-cont.yaml
│ ├── 8-dep-sec-cont.yaml
│ └── 9-dep-sec-cont.yaml
├── projects
├── enable-irsa
│ ├── bin
│ │ └── enable-irsa
│ └── src
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ ├── main.py
│ │ └── requirements.txt
└── imds
│ ├── imds
│ ├── imds-update
│ ├── imds.go
│ ├── readme.md
│ └── update.go
└── vale
└── styles
└── BpgDocs
├── ApprovedUrls.yml
└── AwsBrand.yml
/.github/ISSUE_TEMPLATE/correction.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Correction
3 | about: Create an issue to report a problem with the documentation
4 | title: ''
5 | labels: correction
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Describe the problem**
11 | A clear and concise description of what is wrong with the documentation. If the problem is a security vulnerability (for example, sample code or a policy in this repository that would weaken a cluster), report it privately to the maintainers rather than describing it in a public issue.
12 |
13 | **References**
14 | Please include a link to the lines where the error appears.
15 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/new-best-practice.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: New best practice
3 | about: Suggest a best practice for this project
4 | title: ''
5 | labels: idea
6 | assignees: svennam
7 |
8 | ---
9 |
10 | **Is your idea request related to a problem that you've solved? Please describe.**
11 | A clear and concise description of the problem.
12 |
13 | **Describe the best practice**
14 | A clear and concise description of the best practice you developed along with any code and/or projects you used to solve the problem.
15 |
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 |
19 | **Additional context**
20 | Add any other context or screenshots about the idea here.
21 |
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | *Issue #, if available:*
2 |
3 | *Description of changes:*
4 |
5 |
6 | By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
7 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 |
2 |
3 | /.vscode
4 | *.running.properties.txt
5 | *\~
6 | *.mobi
7 | /build
8 | *.DS_Store
9 | *.aws-oxygen
10 | .attach_pid*
11 | book.html
12 |
13 | # Byte-compiled / optimized / DLL files
14 | __pycache__/
15 | *.py[cod]
16 | *$py.class
17 |
18 | # C extensions
19 | *.so
20 |
21 | # Distribution / packaging
22 | .Python
23 | env/
24 | build/
25 | develop-eggs/
26 | dist/
27 | downloads/
28 | eggs/
29 | .eggs/
30 | lib/
31 | lib64/
32 | parts/
33 | sdist/
34 | var/
35 | *.egg-info/
36 | .installed.cfg
37 | *.egg
38 |
39 | # PyInstaller
40 | # Usually these files are written by a python script from a template
41 | # before PyInstaller builds the exe, so as to inject the date and other information into it.
42 | *.manifest
43 | *.spec
44 |
45 | # Installer logs
46 | pip-log.txt
47 | pip-delete-this-directory.txt
48 |
49 | # Unit test / coverage reports
50 | htmlcov/
51 | .tox/
52 | .coverage
53 | .coverage.*
54 | .cache
55 | nosetests.xml
56 | coverage.xml
57 | *,cover
58 | .hypothesis/
59 |
60 | # Translations
61 | *.mo
62 | *.pot
63 |
64 | # Scrapy stuff:
65 | .scrapy
66 |
67 | # PyBuilder
68 | target/
69 |
70 | # IPython Notebook
71 | .ipynb_checkpoints
72 |
73 | # pyenv
74 | .python-version
75 |
76 | # virtualenv
77 | venv/
78 | ENV/
79 | vale/styles/AsciiDoc/
80 | vale/styles/RedHat/
81 |
82 | # MkDocs documentation
83 | site/
84 | .DS_Store
85 |
86 | .*.swp
87 |
88 |
--------------------------------------------------------------------------------
/.prettierignore:
--------------------------------------------------------------------------------
1 | **
--------------------------------------------------------------------------------
/.vale.ini:
--------------------------------------------------------------------------------
1 | StylesPath = vale/styles
2 |
3 | Packages = RedHat, AsciiDoc
4 |
5 | # Ignore files in dirs starting with `.` to avoid raising errors for `.vale/fixtures/*/testinvalid.adoc` files
6 | [[!.]*.adoc]
7 | BasedOnStyles = RedHat, AsciiDoc, BpgDocs
8 | RedHat.GitLinks = OFF
9 | AsciiDoc.UnsetAttributes = OFF
10 | RedHat.CaseSensitiveTerms = suggestion
11 | RedHat.TermsErrors = warning
12 | RedHat.Spacing = warning
--------------------------------------------------------------------------------
/CODEOWNERS:
--------------------------------------------------------------------------------
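# CODEOWNERS: review routing for this repository.
#
# Two things matter for this file to actually work:
#
# 1. Order. GitHub applies the LAST matching pattern, so a catch-all `*`
#    placed at the bottom overrides every path-specific entry above it and
#    routes all reviews to the fallback team. The fallback therefore goes
#    FIRST and the more specific paths follow it.
#
# 2. Paths. The AsciiDoc sources live under latest/bpg/<chapter>/ (the
#    repository tree has no content/ directory), so entries keyed on
#    /content/... never match anything. The current-layout entries are below;
#    the old /content/ entries are kept at the end until they are confirmed
#    unused and can be deleted.
#
# NOTE: CODEOWNERS only gates merges when branch protection has
# "Require review from Code Owners" enabled for the target branch; the file
# by itself enforces nothing.

# Fallback (first, so that later, more specific entries take precedence)
* @aws/eks-bpg-steering-committee

# Current layout (latest/bpg/<chapter>/)
/latest/bpg/autoscaling/ @aws/eks-bpg-autoscaling-wg
/latest/bpg/networking/ @aws/eks-bpg-networking-wg
/latest/bpg/reliability/ @aws/eks-bpg-resiliency-wg
/latest/bpg/security/ @aws/eks-bpg-security-wg
/latest/bpg/upgrades/ @aws/eks-bpg-resiliency-wg
/latest/bpg/windows/ @aws/eks-bpg-windows-wg

# Legacy layout (no matching directories in the current tree; remove once
# confirmed unused)
/content/cluster-autoscaling/ @aws/eks-bpg-autoscaling-wg
/content/karpenter/ @aws/eks-bpg-autoscaling-wg
/content/networking/ @aws/eks-bpg-networking-wg
/content/operational_excellence/ @aws/eks-bpg-resiliency-wg
/content/performance/ @aws/eks-bpg-autoscaling-wg
/content/reliability/ @aws/eks-bpg-resiliency-wg
/content/security/ @aws/eks-bpg-security-wg
/content/upgrades/ @aws/eks-bpg-resiliency-wg
/content/windows/ @aws/eks-bpg-windows-wg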
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | ## Code of Conduct
2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
4 | opensource-codeofconduct@amazon.com with any additional questions or comments.
5 |
--------------------------------------------------------------------------------
/Config:
--------------------------------------------------------------------------------
1 | package.AmazonEKSBestPracticesDocs = {
2 | interfaces = (3.0);
3 |
4 | build-system = zonbooktrails;
5 | build-tools = {
6 | 3.0 = {
7 | ZonBookTrails = 1.0;
8 |
9 | ZonBook = 5.0;
10 | AWSEC2ContainerChecklist = 1.0;
11 | };
12 | };
13 | };
14 |
--------------------------------------------------------------------------------
/LICENSE-SAMPLECODE:
--------------------------------------------------------------------------------
1 | Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this
4 | software and associated documentation files (the "Software"), to deal in the Software
5 | without restriction, including without limitation the rights to use, copy, modify,
6 | merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
7 | permit persons to whom the Software is furnished to do so.
8 |
9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
10 | INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
11 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
12 | HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
13 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
14 | SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
15 |
--------------------------------------------------------------------------------
/LICENSE-SUMMARY:
--------------------------------------------------------------------------------
1 | Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 |
3 | The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file.
4 |
5 | The sample code within this documentation is made available under the MIT-0 license. See the LICENSE-SAMPLECODE file.
6 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ## Amazon Elastic Kubernetes Service (Amazon EKS) Best Practices
2 |
3 | A best practices guide for day 2 operations, including operational excellence, security, reliability, performance efficiency, and cost optimization.
4 |
5 | This guide is now published to the official [Amazon EKS Docs platform](https://docs.aws.amazon.com/eks/latest/best-practices/introduction.html). While this repo continues to be the source, the GitHub.io page will be phased out.
6 |
7 | See [latest/bpg](latest/bpg) for the AsciiDoc formatted files. Contribution guidelines are in the Contributing section below.
8 |
9 | ## Contributing
10 |
11 | While the best practices were originally authored by AWS employees, we encourage and welcome contributions from the Kubernetes user community. If you have a best practice that you would like to share, please review the [Contributing Guidelines](https://github.com/aws/aws-eks-best-practices/blob/master/CONTRIBUTING.md) before submitting a PR.
12 |
13 | ## License Summary
14 |
15 | The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file.
16 |
17 | The sample code within this documentation is made available under the MIT-0 license. See the LICENSE-SAMPLECODE file.
18 |
--------------------------------------------------------------------------------
/bpg-docs.code-workspace:
--------------------------------------------------------------------------------
1 | {
2 | "folders": [
3 | {
4 | "name": "📦 AmazonEKSBestPracticesDocs",
5 | "path": "."
6 | }
7 | ],
8 | "settings": {
9 | "files.associations": {
10 | "*.adoc": "asciidoc"
11 | },
12 | "editor.wordWrap": "wordWrapColumn",
13 | "editor.wordWrapColumn": 80,
14 | "[asciidoc]": {
15 | "editor.wordWrap": "wordWrapColumn",
16 | "editor.wordWrapColumn": 80,
17 | "editor.formatOnSave": true,
18 | "editor.tabSize": 2,
19 | "editor.insertSpaces": true,
20 | "editor.rulers": [80]
21 | },
22 | "asciidoc.preview.scrollPreviewWithEditor": true,
23 | "asciidoc.preview.scrollEditorWithPreview": true,
24 | "asciidoc.antora.enableAntoraSupport": false
25 | },
26 | "extensions": {
27 | "recommendations": [
28 | "asciidoctor.asciidoctor-vscode"
29 | ]
30 | }
31 | }
32 |
--------------------------------------------------------------------------------
/build-info.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | eks
6 | Amazon EKS
7 | 0
8 | 75a10997-4718-4741-9d4f-6dc5d580ea05
9 |
10 | 0
11 |
12 |
13 |
14 |
15 |
16 |
17 | best-practices
18 | eks-bpg
19 | Best Practices Guide
20 | eks-bpg
21 | latest
22 | latest
23 | latest/bpg
24 | en_us
25 |
26 |
27 | aws
28 | aws-eks-best-practices
29 | master
30 | latest/bpg
31 |
32 |
33 |
34 |
35 |
36 |
37 | 1
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
--------------------------------------------------------------------------------
/build.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | This is the entry point for happy trails builds (package builder and eclipse).
4 |
5 |
6 |
--------------------------------------------------------------------------------
/governance/tenets.md:
--------------------------------------------------------------------------------
1 | # Tenets
2 |
3 | ### EKS Specificity
4 |
5 | - **Focus on Amazon EKS:** Contributions must be specifically relevant to Amazon EKS, emphasizing features, configurations, and best practices unique to EKS.
6 | - **Avoid General Kubernetes Best Practices:** Unless they provide added value in the context of EKS, general Kubernetes best practices should not be the focus.
7 |
8 | ### Non-Promotional
9 |
10 | - **Objective and Unbiased:** Content should maintain objectivity, focusing on technical merit rather than promotional material.
11 | - **No Advertising:** Avoid content that serves as advertising for specific products or services, even if they are related to EKS.
12 |
13 | ### Succinct and Relevant
14 |
15 | - **To the Point:** Contributions should be concise, avoiding unnecessary detail that does not add value to the topic.
16 | - **Relevance is Key:** Ensure all content is relevant to EKS users, providing actionable insights and best practices.
17 |
18 | ### Inclusion and Collaboration
19 |
20 | - **Promote Inclusion:** Encourage contributions from a diverse range of contributors, fostering an inclusive community.
21 | - **Collaborative Spirit:** Support a culture of collaboration, where contributors work together to improve and refine content.
--------------------------------------------------------------------------------
/latest/bpg/aiml/aiml_index.adoc:
--------------------------------------------------------------------------------
1 | //!!NODE_ROOT
2 | [[aiml,aiml.title]]
3 | = AI/ML on EKS - Introduction
4 | :info_doctype: chapter
5 | :info_title: Best Practices for Running AI/ML Workloads
6 | :info_abstract: Best Practices for running AI/ML workloads on EKS
7 | :info_titleabbrev: AI/ML
8 | :imagesdir: images/
9 | :authors: ["Leah Tucker"]
10 | :date: 2025-05-30
11 |
12 | TIP: Visit https://aws-experience.com/emea/smb/events/series/get-hands-on-with-amazon-eks?trk=4a9b4147-2490-4c63-bc9f-f8a84b122c8c&sc_channel=elthis[Get Hands on with EKS] to learn about upcoming Amazon EKS AI/ML events and workshops.
13 |
14 | Implementing best practices when running AI/ML workloads on EKS can ensure that those workloads are performant, cost-effective, resilient, secure, and properly resourced.
15 | Best practices are divided into the following general sections: Compute, Networking, Security, Storage, Observability, and Performance.
16 |
17 | == Feedback
18 |
19 | This guide is being released on GitHub so as to collect direct feedback and suggestions from the broader EKS/Kubernetes community. If you have a best practice that you feel we ought to include in the guide, please file an issue or submit a PR in the GitHub repository. Our intention is to update the guide periodically as new features are added to the service or when a new best practice evolves.
20 |
21 | include::aiml_compute.adoc[leveloffset=+1]
22 |
23 | include::aiml_networking.adoc[leveloffset=+1]
24 |
25 | include::aiml_security.adoc[leveloffset=+1]
26 |
27 | include::aiml_storage.adoc[leveloffset=+1]
28 |
29 | include::aiml_observability.adoc[leveloffset=+1]
30 |
31 | include::aiml_performance.adoc[leveloffset=+1]
32 |
--------------------------------------------------------------------------------
/latest/bpg/aiml/images:
--------------------------------------------------------------------------------
1 | ../images
--------------------------------------------------------------------------------
/latest/bpg/attributes.txt:
--------------------------------------------------------------------------------
1 | :tcx5-waiver: pass:[ ]
2 |
--------------------------------------------------------------------------------
/latest/bpg/autoscaling/images:
--------------------------------------------------------------------------------
1 | ../images
--------------------------------------------------------------------------------
/latest/bpg/autoscaling/index.adoc:
--------------------------------------------------------------------------------
1 | //!!NODE_ROOT
2 | [[cluster-autoscaling,cluster-autoscaling.title]]
3 | = Cluster Autoscaling
4 | :doctype: book
5 | :sectnums:
6 | :toc: left
7 | :icons: font
8 | :experimental:
9 | :idprefix:
10 | :idseparator: -
11 | :sourcedir: .
12 | :info_doctype: chapter
13 | :info_title: Best Practices for Cluster Autoscaling
14 | :info_abstract: Best Practices for Cluster Autoscaling
15 | :info_titleabbrev: Cluster Autoscaling
16 | :imagesdir: images/
17 |
18 | This guide provides advice about Cluster Autoscaling, including guidance for Auto Mode, Karpenter and Kubernetes Cluster Autoscaler.
19 |
20 | [.topiclist]
21 | [[Topic List]]
22 |
23 |
24 | include::auto-mode.adoc[leveloffset=+1]
25 |
26 | include::karpenter.adoc[leveloffset=+1]
27 |
28 | include::cluster-autoscaler.adoc[leveloffset=+1]
29 |
30 |
--------------------------------------------------------------------------------
/latest/bpg/cost/images:
--------------------------------------------------------------------------------
1 | ../images
--------------------------------------------------------------------------------
/latest/bpg/hybrid/index.adoc:
--------------------------------------------------------------------------------
1 | //!!NODE_ROOT
2 | [[hybrid,hybrid.title]]
3 | = Best Practices for Hybrid Deployments
4 | :doctype: book
5 | :sectnums:
6 | :toc: left
7 | :icons: font
8 | :experimental:
9 | :idprefix:
10 | :idseparator: -
11 | :sourcedir: .
12 | :info_doctype: chapter
13 | :info_title: Best Practices for Hybrid Deployments
14 | :info_abstract: Best Practices for Hybrid Deployments
15 | :info_titleabbrev: Hybrid
16 | :imagesdir: images/hybrid/
17 |
18 | This guide provides guidance on running deployments in on-premises or edge environments with EKS Hybrid Nodes or EKS Anywhere.
19 |
20 | We currently have published guides for the following topics:
21 |
22 | - xref:hybrid-nodes-network-disconnections[Best Practices for EKS Hybrid Nodes and network disconnections]
23 |
24 | include::network-disconnections/index.adoc[leveloffset=+1]
--------------------------------------------------------------------------------
/latest/bpg/images/ClusterAS-HPA.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/ClusterAS-HPA.png
--------------------------------------------------------------------------------
/latest/bpg/images/Compute-savings-plan.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/Compute-savings-plan.png
--------------------------------------------------------------------------------
/latest/bpg/images/Goldilocks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/Goldilocks.png
--------------------------------------------------------------------------------
/latest/bpg/images/after-results.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/after-results.png
--------------------------------------------------------------------------------
/latest/bpg/images/after.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/after.png
--------------------------------------------------------------------------------
/latest/bpg/images/autoscaling/cas_architecture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/autoscaling/cas_architecture.png
--------------------------------------------------------------------------------
/latest/bpg/images/autoscaling/cas_spot_mix_instance_policy.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/autoscaling/cas_spot_mix_instance_policy.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/autoscaling/gp_nodepool.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/autoscaling/gp_nodepool.png
--------------------------------------------------------------------------------
/latest/bpg/images/autoscaling/system_nodepool.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/autoscaling/system_nodepool.png
--------------------------------------------------------------------------------
/latest/bpg/images/before-results.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/before-results.png
--------------------------------------------------------------------------------
/latest/bpg/images/before.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/before.png
--------------------------------------------------------------------------------
/latest/bpg/images/between_vpcs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/between_vpcs.png
--------------------------------------------------------------------------------
/latest/bpg/images/cfm_framework.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/cfm_framework.png
--------------------------------------------------------------------------------
/latest/bpg/images/cluster-auto-scaler.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/cluster-auto-scaler.png
--------------------------------------------------------------------------------
/latest/bpg/images/console.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/console.png
--------------------------------------------------------------------------------
/latest/bpg/images/eks-auth-flow.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/eks-auth-flow.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/eks-controlplane-costexplorer.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/eks-controlplane-costexplorer.png
--------------------------------------------------------------------------------
/latest/bpg/images/eks-fargate-costexplorer.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/eks-fargate-costexplorer.png
--------------------------------------------------------------------------------
/latest/bpg/images/endpoint_slice.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/endpoint_slice.png
--------------------------------------------------------------------------------
/latest/bpg/images/external-and-internal-traffic-policy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/external-and-internal-traffic-policy.png
--------------------------------------------------------------------------------
/latest/bpg/images/flywheel.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/flywheel.png
--------------------------------------------------------------------------------
/latest/bpg/images/high-cardinality.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/high-cardinality.png
--------------------------------------------------------------------------------
/latest/bpg/images/hybrid/k8s-components-pod-failover.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/hybrid/k8s-components-pod-failover.png
--------------------------------------------------------------------------------
/latest/bpg/images/ip_mode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/ip_mode.png
--------------------------------------------------------------------------------
/latest/bpg/images/istio-traffic-control.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/istio-traffic-control.png
--------------------------------------------------------------------------------
/latest/bpg/images/kube-cost.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/kube-cost.png
--------------------------------------------------------------------------------
/latest/bpg/images/kube-down-scaler.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/kube-down-scaler.png
--------------------------------------------------------------------------------
/latest/bpg/images/kube-opex-analytics.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/kube-opex-analytics.png
--------------------------------------------------------------------------------
/latest/bpg/images/kube-ops-report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/kube-ops-report.png
--------------------------------------------------------------------------------
/latest/bpg/images/kube-resource-report1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/kube-resource-report1.png
--------------------------------------------------------------------------------
/latest/bpg/images/kube-resource-report2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/kube-resource-report2.png
--------------------------------------------------------------------------------
/latest/bpg/images/kube-resource-report3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/kube-resource-report3.png
--------------------------------------------------------------------------------
/latest/bpg/images/kubernetes-dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/kubernetes-dashboard.png
--------------------------------------------------------------------------------
/latest/bpg/images/lb_2_pod.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/lb_2_pod.png
--------------------------------------------------------------------------------
/latest/bpg/images/local_traffic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/local_traffic.png
--------------------------------------------------------------------------------
/latest/bpg/images/nat_gw.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/nat_gw.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/cn-image-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/cn-image-2.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/cn-image-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/cn-image-3.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/cn-image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/cn-image.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/cni_image-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/cni_image-2.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/cni_image-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/cni_image-3.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/cni_image-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/cni_image-4.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/cni_image-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/cni_image-5.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/cni_image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/cni_image.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/image.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_Pod-to-service-ipv6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_Pod-to-service-ipv6.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_Pod-to-service-ipv6_old.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_Pod-to-service-ipv6_old.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_eks-cluster-ipv6-foundation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_eks-cluster-ipv6-foundation.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_eks-cluster-ipv6-foundation_old.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_eks-cluster-ipv6-foundation_old.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_eks-egress-ipv6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_eks-egress-ipv6.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_eks-egress-ipv6_old.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_eks-egress-ipv6_old.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_eks-ipv4-snat-cni-internet.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_eks-ipv4-snat-cni-internet.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_eks-ipv4-snat-cni-internet_old.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_eks-ipv4-snat-cni-internet_old.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_eks-ipv4-snat-cni.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_eks-ipv4-snat-cni.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_eks-ipv4-snat-cni_old.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_eks-ipv4-snat-cni_old.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_eks-ipv6-foundation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_eks-ipv6-foundation.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_eks-ipv6-foundation_old.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_eks-ipv6-foundation_old.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_image-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_image-2.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_image-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_image-3.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_image-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_image-4.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_image-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_image-5.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_ipv4-internet-to-eks-ipv6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_ipv4-internet-to-eks-ipv6.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/ipv6_ipv4-internet-to-eks-ipv6_old.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/ipv6_ipv4-internet-to-eks-ipv6_old.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/lb_deployments.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/lb_deployments.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/lb_ip.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/lb_ip.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/lb_nodeport.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/lb_nodeport.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/lb_podterminationlifecycle.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/lb_podterminationlifecycle.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/lb_readiness.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/lb_readiness.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/lb_statepropagation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/lb_statepropagation.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/lb_target_type_instance.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/lb_target_type_instance.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/lb_target_type_instance_old.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/lb_target_type_instance_old.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/lb_target_type_ip.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/lb_target_type_ip.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/lb_target_type_ip_old.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/lb_target_type_ip_old.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/mon_conntrack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/mon_conntrack.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/mon_cw_metrics.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/mon_cw_metrics.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/mon_explore_metrics.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/mon_explore_metrics.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/mon_linklocal.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/mon_linklocal.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/opt_custom-networking.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/opt_custom-networking.gif
--------------------------------------------------------------------------------
/latest/bpg/images/networking/opt_enhanced-subnet-discovery.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/opt_enhanced-subnet-discovery.gif
--------------------------------------------------------------------------------
/latest/bpg/images/networking/opt_ipv6.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/opt_ipv6.gif
--------------------------------------------------------------------------------
/latest/bpg/images/networking/pm_image-2.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/pm_image-2.jpeg
--------------------------------------------------------------------------------
/latest/bpg/images/networking/pm_image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/pm_image.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/pm_windows-1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/pm_windows-1.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/networking/pm_windows-2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/pm_windows-2.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/networking/sgpp_image-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/sgpp_image-2.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/sgpp_image-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/sgpp_image-3.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/sgpp_image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/sgpp_image.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/subnet_eks-shared-subnets.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/subnet_eks-shared-subnets.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/subnet_image-2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/subnet_image-2.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/networking/subnet_image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/subnet_image.png
--------------------------------------------------------------------------------
/latest/bpg/images/networking/subnet_private-nat-gw.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/subnet_private-nat-gw.gif
--------------------------------------------------------------------------------
/latest/bpg/images/networking/subnet_vpc-lattice.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/networking/subnet_vpc-lattice.gif
--------------------------------------------------------------------------------
/latest/bpg/images/no_node_local_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/no_node_local_1.png
--------------------------------------------------------------------------------
/latest/bpg/images/no_node_local_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/no_node_local_2.png
--------------------------------------------------------------------------------
/latest/bpg/images/peering.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/peering.png
--------------------------------------------------------------------------------
/latest/bpg/images/recommended_approach.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/recommended_approach.png
--------------------------------------------------------------------------------
/latest/bpg/images/reliability-ca-asg.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/reliability-ca-asg.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/reliability/SRM-Fargate.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/reliability/SRM-Fargate.jpeg
--------------------------------------------------------------------------------
/latest/bpg/images/reliability/SRM-MNG.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/reliability/SRM-MNG.jpeg
--------------------------------------------------------------------------------
/latest/bpg/images/reliability/eks-data-plane-connectivity.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/reliability/eks-data-plane-connectivity.jpeg
--------------------------------------------------------------------------------
/latest/bpg/images/reliability/pod-topology-spread-constraints.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/reliability/pod-topology-spread-constraints.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/APF.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/APF.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/PLEG-duration.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/PLEG-duration.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/api-request-duration.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/api-request-duration.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/bad-sweetspot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/bad-sweetspot.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/bottlenecks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/bottlenecks.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/churn-rate.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/churn-rate.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/cores-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/cores-1.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/cores-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/cores-2.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/cores-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/cores-3.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/cpu-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/cpu-1.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/cpu-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/cpu-2.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/cpu-limits.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/cpu-limits.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/cwl-query.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/cwl-query.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/defrag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/defrag.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/etcd-duress.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/etcd-duress.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/flow-addons.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/flow-addons.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/flow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/flow.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/hpa-utilization.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/hpa-utilization.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/inflight-requests.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/inflight-requests.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/k8s-components.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/k8s-components.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/keeping-up.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/keeping-up.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/node-saturation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/node-saturation.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/node-size.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/node-size.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/query-results.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/query-results.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/queues.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/queues.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/requests-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/requests-1.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/requests-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/requests-2.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/requests-in-use.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/requests-in-use.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/scaling-ratio.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/scaling-ratio.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/shared-concurrency.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/shared-concurrency.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/slowest-requests.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/slowest-requests.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/smooth-scaling.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/smooth-scaling.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/spiky-scaling.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/spiky-scaling.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/stalled-io.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/stalled-io.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/sweet-spot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/sweet-spot.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/thread-pool.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/thread-pool.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/util-vs-saturation-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/util-vs-saturation-1.png
--------------------------------------------------------------------------------
/latest/bpg/images/scalability/util-vs-saturation-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/scalability/util-vs-saturation-2.png
--------------------------------------------------------------------------------
/latest/bpg/images/security/SRM-AUTO.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/security/SRM-AUTO.png
--------------------------------------------------------------------------------
/latest/bpg/images/security/SRM-EKS.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/security/SRM-EKS.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/security/SRM-MNG.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/security/SRM-MNG.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/security/allow-dns-access.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/security/allow-dns-access.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/security/allow-ingress-app-one.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/security/allow-ingress-app-one.png
--------------------------------------------------------------------------------
/latest/bpg/images/security/default-deny.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/security/default-deny.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/security/default-istio-csr-flow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/security/default-istio-csr-flow.png
--------------------------------------------------------------------------------
/latest/bpg/images/security/istio-csr-requests.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/security/istio-csr-requests.png
--------------------------------------------------------------------------------
/latest/bpg/images/security/istio-csr-with-acm-private-ca.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/security/istio-csr-with-acm-private-ca.png
--------------------------------------------------------------------------------
/latest/bpg/images/security/multi-account-eks-decentralized.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/security/multi-account-eks-decentralized.png
--------------------------------------------------------------------------------
/latest/bpg/images/security/multi-account-eks-shared-subnets.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/security/multi-account-eks-shared-subnets.png
--------------------------------------------------------------------------------
/latest/bpg/images/security/multi-account-eks.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/security/multi-account-eks.jpg
--------------------------------------------------------------------------------
/latest/bpg/images/slice_shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/slice_shell.png
--------------------------------------------------------------------------------
/latest/bpg/images/spot_diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/spot_diagram.png
--------------------------------------------------------------------------------
/latest/bpg/images/topo_aware_routing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/topo_aware_routing.png
--------------------------------------------------------------------------------
/latest/bpg/images/transititive.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/transititive.png
--------------------------------------------------------------------------------
/latest/bpg/images/vpc_endpoints.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/vpc_endpoints.png
--------------------------------------------------------------------------------
/latest/bpg/images/windows/associated-components.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/windows/associated-components.png
--------------------------------------------------------------------------------
/latest/bpg/images/windows/build-components.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/windows/build-components.png
--------------------------------------------------------------------------------
/latest/bpg/images/windows/domainless_gmsa.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/windows/domainless_gmsa.png
--------------------------------------------------------------------------------
/latest/bpg/images/windows/dsr.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/windows/dsr.png
--------------------------------------------------------------------------------
/latest/bpg/images/windows/ecr-image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/windows/ecr-image.png
--------------------------------------------------------------------------------
/latest/bpg/images/windows/images.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/windows/images.png
--------------------------------------------------------------------------------
/latest/bpg/images/windows/inspector-agent.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/windows/inspector-agent.png
--------------------------------------------------------------------------------
/latest/bpg/images/windows/permissions-policies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/windows/permissions-policies.png
--------------------------------------------------------------------------------
/latest/bpg/images/windows/prom.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/windows/prom.png
--------------------------------------------------------------------------------
/latest/bpg/images/windows/selected-components.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/windows/selected-components.png
--------------------------------------------------------------------------------
/latest/bpg/images/windows/windows-networking.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/images/windows/windows-networking.png
--------------------------------------------------------------------------------
/latest/bpg/networking/images:
--------------------------------------------------------------------------------
1 | ../images
--------------------------------------------------------------------------------
/latest/bpg/networking/subnet-calc/subnet-calc.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/latest/bpg/networking/subnet-calc/subnet-calc.xlsx
--------------------------------------------------------------------------------
/latest/bpg/reliability/images:
--------------------------------------------------------------------------------
1 | ../images
--------------------------------------------------------------------------------
/latest/bpg/scalability/images:
--------------------------------------------------------------------------------
1 | ../images
--------------------------------------------------------------------------------
/latest/bpg/security/images:
--------------------------------------------------------------------------------
1 | ../images
--------------------------------------------------------------------------------
/latest/bpg/windows/images:
--------------------------------------------------------------------------------
1 | ../images
--------------------------------------------------------------------------------
/latest/bpg/windows/index.adoc:
--------------------------------------------------------------------------------
1 | //!!NODE_ROOT
2 | [[windows,windows.title]]
3 | = Amazon EKS Best Practices Guide for Windows
4 | :doctype: book
5 | :sectnums:
6 | :toc: left
7 | :icons: font
8 | :experimental:
9 | :idprefix:
10 | :idseparator: -
11 | :sourcedir: .
12 | :info_doctype: chapter
13 | :info_title: Best Practices for Windows
14 | :info_abstract: Best Practices for Windows
15 | :info_titleabbrev: Windows
16 | :imagesdir: images/windows/
17 |
This guide provides advice about running Windows containers and Windows worker nodes on Amazon EKS.
19 |
20 | [.topiclist]
21 | [[Topic List]]
22 |
23 |
24 |
25 | include::ami.adoc[leveloffset=+1]
26 |
27 | include::gmsa.adoc[leveloffset=+1]
28 |
29 | include::hardening.adoc[leveloffset=+1]
30 |
31 | include::images.adoc[leveloffset=+1]
32 |
33 | include::licensing.adoc[leveloffset=+1]
34 |
35 | include::logging.adoc[leveloffset=+1]
36 |
37 | include::monitoring.adoc[leveloffset=+1]
38 |
39 | include::networking.adoc[leveloffset=+1]
40 |
41 | include::oom.adoc[leveloffset=+1]
42 |
43 | include::patching.adoc[leveloffset=+1]
44 |
45 | include::scheduling.adoc[leveloffset=+1]
46 |
47 | include::security.adoc[leveloffset=+1]
48 |
49 | include::storage.adoc[leveloffset=+1]
50 |
51 | include::hardening_container_image.adoc[leveloffset=+1]
52 |
53 |
54 |
55 |
56 |
57 |
--------------------------------------------------------------------------------
/latest/bpg/windows/licensing.adoc:
--------------------------------------------------------------------------------
1 | [."topic"]
2 | [#windows-licensing]
3 | = Windows Server version and License
4 | :info_doctype: section
5 | :info_titleabbrev: Windows Versions and Licensing
6 | :imagesdir: images/windows/
7 |
8 | == Windows Server version
9 |
Amazon EKS optimized Windows AMIs are based on the Datacenter edition of Windows Server 2019 and Windows Server 2022 on the Long-Term Servicing Channel (LTSC). The Datacenter edition doesn't limit the number of containers that can run on a worker node. For more information, see https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/faq
11 |
12 | === Long-Term Servicing Channel (LTSC)
13 |
Formerly called the "Long-Term Servicing Branch", this is the traditional Windows Server release model, in which a new major version is released every 2-3 years. Each LTSC release receives 5 years of mainstream support followed by 5 years of extended support; plan worker node AMI upgrades with these support windows in mind.
15 |
16 | == Licensing
17 |
When you launch an Amazon EC2 instance from a Windows Server-based AMI, AWS covers the Windows Server licensing cost and handles license compliance for you.
19 |
20 |
21 |
--------------------------------------------------------------------------------
/policies/README.md:
--------------------------------------------------------------------------------
1 | This repository contains two separate examples.
2 |
In the first (/kyverno and /opa) we have example policies that are kept consistent across Kyverno, OPA without Gatekeeper, and OPA with Gatekeeper, so that you can see the differences in how the three tools are used.
4 |
In the second (/alternative-gatekeeper) we have another documented example of Gatekeeper-only policies that cover the items in the legacy [Restricted PSP template](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) as well as a few important things that were not possible with PSPs but are with Gatekeeper (requiring CPU and memory limits, requiring readiness and liveness probes, and blocking the use of the `latest` image tag). The second example is intended to be deployable as-is to existing clusters; it excludes the kube-system namespace by default so that it does not conflict with the many add-ons that may be deployed there, which also means that workloads in kube-system are not checked by these policies.
6 |
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/gatekeeper-sync.yaml:
--------------------------------------------------------------------------------
---
# Flux source definition for the upstream Gatekeeper Helm chart.
# The index is fetched over HTTPS; no chart signature/provenance verification is
# configured here — TODO confirm whether that is acceptable for the target cluster.
# NOTE(review): v1beta1 is an older Flux source API version; confirm it is still
# served by the Flux version in use.
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
  name: gatekeeper
  namespace: flux-system
spec:
  # How often Flux re-fetches the repository index, and how long a fetch may take.
  interval: 1h0m0s
  timeout: 1m0s
  url: https://open-policy-agent.github.io/gatekeeper/charts
---
# Installs Gatekeeper from the HelmRepository above. The HelmRelease object itself
# lives in flux-system; the rendered chart resources go to targetNamespace.
# NOTE(review): v2beta1 is an older Flux helm API version; confirm it is still
# served by the Flux version in use.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: gatekeeper
  namespace: flux-system
spec:
  chart:
    spec:
      chart: gatekeeper
      sourceRef:
        kind: HelmRepository
        name: gatekeeper
      # Pinned to a pre-release build of the chart. Confirm this is intentional and
      # review the upgrade path to a stable release before relying on it to gate
      # admission in a production cluster.
      version: 3.6.0-beta.3
  install: {}
  # Reconciliation interval for the release.
  interval: 1m0s
  # Gatekeeper is deployed into kube-system. The README for this example states that
  # its policies exclude kube-system by default, so Gatekeeper's own workloads are
  # not subject to the constraints they enforce.
  targetNamespace: kube-system
28 |
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraint-templates/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - container_resource_ratios.yaml
5 | - disallowed_tags.yaml
6 | - psp_capabilities.yaml
7 | - psp_host_namespaces.yaml
8 | - psp_host_network.yaml
9 | - psp_privilege_escalation.yaml
10 | - psp_privileged.yaml
11 | - psp_users.yaml
12 | - psp_volumes.yaml
13 | - required_probes.yaml
14 | namespace: kube-system
15 |
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraint-templates/psp_host_namespaces.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: templates.gatekeeper.sh/v1beta1
2 | kind: ConstraintTemplate
3 | metadata:
4 | name: k8spsphostnamespace
5 | annotations:
6 | description: Controls usage of host namespaces.
7 | spec:
8 | crd:
9 | spec:
10 | names:
11 | kind: K8sPSPHostNamespace
12 | targets:
13 | - target: admission.k8s.gatekeeper.sh
14 | rego: |
15 | package k8spsphostnamespace
16 |
17 | violation[{"msg": msg, "details": {}}] { # one violation per pod that shares the host PID or IPC namespace
18 | input_share_hostnamespace(input.review.object)
19 | msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
20 | }
21 |
22 | input_share_hostnamespace(o) {
23 | o.spec.hostPID # truthy only when the pod sets hostPID: true
24 | }
25 | input_share_hostnamespace(o) {
26 | o.spec.hostIPC # hostNetwork is not checked here; it is handled by the separate psp_host_network constraint
27 | }
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraint-templates/psp_privilege_escalation.yaml:
--------------------------------------------------------------------------------
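1 | # Denies any container whose securityContext does not explicitly set
2 | # allowPrivilegeEscalation: false (an absent securityContext counts as a violation,
3 | # because an absent field is not an explicit false).
4 | apiVersion: templates.gatekeeper.sh/v1beta1
5 | kind: ConstraintTemplate
6 | metadata:
7 |   name: k8spspallowprivilegeescalationcontainer
8 |   annotations:
9 |     description: Controls restricting escalation to root privileges.
10 | spec:
11 |   crd:
12 |     spec:
13 |       names:
14 |         kind: K8sPSPAllowPrivilegeEscalationContainer
15 |   targets:
16 |     - target: admission.k8s.gatekeeper.sh
17 |       rego: |
18 |         package k8spspallowprivilegeescalationcontainer
19 |
20 |         # One violation per offending container; the message names the container.
21 |         violation[{"msg": msg, "details": {}}] {
22 |           c := input_containers[_]
23 |           input_allow_privilege_escalation(c)
24 |           msg := sprintf("Privilege escalation container is not allowed: %v", [c.name])
25 |         }
26 |
27 |         # No securityContext at all: the field cannot have been set to false.
28 |         input_allow_privilege_escalation(c) {
29 |           not has_field(c, "securityContext")
30 |         }
31 |         # securityContext present but allowPrivilegeEscalation absent or not false.
32 |         input_allow_privilege_escalation(c) {
33 |           not c.securityContext.allowPrivilegeEscalation == false
34 |         }
35 |         # Every container list in the pod spec is checked, not only spec.containers.
36 |         input_containers[c] {
37 |           c := input.review.object.spec.containers[_]
38 |         }
39 |         input_containers[c] {
40 |           c := input.review.object.spec.initContainers[_]
41 |         }
42 |         # Ephemeral containers are added through the pods/ephemeralcontainers
43 |         # subresource; whether Gatekeeper's webhook receives those requests depends
44 |         # on its webhook configuration — confirm before relying on this rule.
45 |         input_containers[c] {
46 |           c := input.review.object.spec.ephemeralContainers[_]
47 |         }
48 |         # has_field returns whether an object has a field
49 |         has_field(object, field) = true {
50 |           object[field]
51 |         }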
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraint-templates/psp_privileged.yaml:
--------------------------------------------------------------------------------
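1 | # Denies any container (regular, init or ephemeral) that sets
2 | # securityContext.privileged: true.
3 | apiVersion: templates.gatekeeper.sh/v1beta1
4 | kind: ConstraintTemplate
5 | metadata:
6 |   name: k8spspprivilegedcontainer
7 |   annotations:
8 |     description: Controls running of privileged containers.
9 | spec:
10 |   crd:
11 |     spec:
12 |       names:
13 |         kind: K8sPSPPrivilegedContainer
14 |   targets:
15 |     - target: admission.k8s.gatekeeper.sh
16 |       rego: |
17 |         package k8spspprivileged
18 |
19 |         # One violation per privileged container; the message includes the full
20 |         # securityContext so the reviewer can see what was requested.
21 |         violation[{"msg": msg, "details": {}}] {
22 |           c := input_containers[_]
23 |           c.securityContext.privileged
24 |           msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])
25 |         }
26 |
27 |         input_containers[c] {
28 |           c := input.review.object.spec.containers[_]
29 |         }
30 |
31 |         input_containers[c] {
32 |           c := input.review.object.spec.initContainers[_]
33 |         }
34 |
35 |         # Ephemeral containers are added through the pods/ephemeralcontainers
36 |         # subresource; whether Gatekeeper's webhook receives those requests depends
37 |         # on its webhook configuration — confirm before relying on this rule.
38 |         input_containers[c] {
39 |           c := input.review.object.spec.ephemeralContainers[_]
40 |         }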
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraint-templates/psp_volumes.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: templates.gatekeeper.sh/v1beta1
2 | kind: ConstraintTemplate
3 | metadata:
4 | name: k8spspvolumetypes
5 | annotations:
6 | description: Controls usage of volume types.
7 | spec:
8 | crd:
9 | spec:
10 | names:
11 | kind: K8sPSPVolumeTypes
12 | validation:
13 | # Schema for the `parameters` field
14 | openAPIV3Schema:
15 | type: object
16 | properties:
17 | volumes:
18 | type: array
19 | items:
20 | type: string
21 | targets:
22 | - target: admission.k8s.gatekeeper.sh
23 | rego: |
24 | package k8spspvolumetypes
25 |
26 | violation[{"msg": msg, "details": {}}] {
27 | volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"} # every key of a volume entry other than "name" names its type (e.g. hostPath, emptyDir)
28 | field := volume_fields[_]
29 | not input_volume_type_allowed(field) # undefined (no violation) when the type is listed in parameters.volumes or "*" is listed
30 | msg := sprintf("The volume type %v is not allowed, pod: %v. Allowed volume types: %v", [field, input.review.object.metadata.name, input.parameters.volumes])
31 | }
32 |
33 | # * may be used to allow all volume types
34 | input_volume_type_allowed(field) {
35 | input.parameters.volumes[_] == "*"
36 | }
37 |
38 | input_volume_type_allowed(field) {
39 | field == input.parameters.volumes[_]
40 | }
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraints/container_resource_ratios.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: constraints.gatekeeper.sh/v1beta1
2 | kind: K8sContainerRatios
3 | metadata:
4 | name: container-must-meet-ratio
5 | namespace: kube-system
6 | spec:
7 | match:
8 | kinds:
9 | - apiGroups: [""]
10 | kinds: ["Pod"]
11 | excludedNamespaces: ["kube-system","flux-system"]
12 | parameters:
13 | ratio: "1"
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraints/disallowed_tags.yaml:
--------------------------------------------------------------------------------
1 |
2 | apiVersion: constraints.gatekeeper.sh/v1beta1
3 | kind: K8sDisallowedTags
4 | metadata:
5 | name: container-image-must-not-have-latest-tag
6 | namespace: kube-system
7 | spec:
8 | match:
9 | kinds:
10 | - apiGroups: [""]
11 | kinds: ["Pod"]
12 | excludedNamespaces: ["kube-system","flux-system"]
13 | parameters:
14 | tags: ["latest"]
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraints/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - container_resource_ratios.yaml
5 | - disallowed_tags.yaml
6 | - psp_capabilities.yaml
7 | - psp_host_namespaces.yaml
8 | - psp_host_network.yaml
9 | - psp_privilege_escalation.yaml
10 | - psp_privileged.yaml
11 | - psp_users.yaml
12 | - psp_volumes.yaml
13 | - required_probes.yaml
14 | namespace: kube-system
15 |
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraints/psp_capabilities.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: constraints.gatekeeper.sh/v1beta1
2 | kind: K8sPSPCapabilities
3 | metadata:
4 | name: capabilities
5 | namespace: kube-system
6 | spec:
7 | match:
8 | kinds:
9 | - apiGroups: [""]
10 | kinds: ["Pod"]
11 | excludedNamespaces: ["kube-system","flux-system"]
12 | parameters:
13 | requiredDropCapabilities: ["ALL"]
14 |
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraints/psp_host_namespaces.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: constraints.gatekeeper.sh/v1beta1
2 | kind: K8sPSPHostNamespace
3 | metadata:
4 | name: psp-host-namespace
5 | namespace: kube-system
6 | spec:
7 | match:
8 | kinds:
9 | - apiGroups: [""]
10 | kinds: ["Pod"]
11 | excludedNamespaces: ["kube-system","flux-system"]
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraints/psp_host_network.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: constraints.gatekeeper.sh/v1beta1
2 | kind: K8sPSPHostNetworkingPorts
3 | metadata:
4 | name: psp-host-network-ports
5 | namespace: kube-system
6 | spec:
7 | match:
8 | kinds:
9 | - apiGroups: [""]
10 | kinds: ["Pod"]
11 | excludedNamespaces: ["kube-system","flux-system"]
12 | parameters:
13 | hostNetwork: false # denies pods that set spec.hostNetwork: true (see tests/psp_host_network.yaml). NOTE(review): no hostPort min/max range is given; whether a hostPort on a pod without hostNetwork is restricted depends on the template, which is not shown here — confirm
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraints/psp_privilege_escalation.yaml:
--------------------------------------------------------------------------------
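1 | apiVersion: constraints.gatekeeper.sh/v1beta1
2 | kind: K8sPSPAllowPrivilegeEscalationContainer
3 | metadata:
4 |   name: psp-allow-privilege-escalation-container
5 |   # Added for consistency with the sibling constraints in this directory; which
6 |   # pods are checked is governed by match/excludedNamespaces below, not by this field.
7 |   namespace: kube-system
8 | spec:
9 |   match:
10 |     kinds:
11 |       - apiGroups: [""]
12 |         kinds: ["Pod"]
13 |     # kube-system (Gatekeeper itself) and flux-system (the GitOps controllers) are
14 |     # exempt; pods elsewhere are denied unless allowPrivilegeEscalation is false.
15 |     excludedNamespaces: ["kube-system","flux-system"]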
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraints/psp_privileged.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: constraints.gatekeeper.sh/v1beta1
2 | kind: K8sPSPPrivilegedContainer
3 | metadata:
4 | name: psp-privileged-container
5 | namespace: kube-system
6 | spec:
7 | match:
8 | kinds:
9 | - apiGroups: [""]
10 | kinds: ["Pod"]
11 | excludedNamespaces: ["kube-system","flux-system"]
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraints/psp_users.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: constraints.gatekeeper.sh/v1beta1
2 | kind: K8sPSPAllowedUsers
3 | metadata:
4 | name: psp-pods-allowed-user-ranges
5 | namespace: kube-system
6 | spec:
7 | match:
8 | kinds:
9 | - apiGroups: [""]
10 | kinds: ["Pod"]
11 | excludedNamespaces: ["kube-system","flux-system"]
12 | parameters:
13 | # The root UID and GID are both 0, so the minimum allowed value is set to 1
14 | runAsUser:
15 | rule: MustRunAs
16 | ranges:
17 | - min: 1
18 | max: 65535
19 | runAsGroup:
20 | rule: MustRunAs
21 | ranges:
22 | - min: 1
23 | max: 65535
24 | supplementalGroups:
25 | rule: MustRunAs
26 | ranges:
27 | - min: 1
28 | max: 65535
29 | fsGroup:
30 | rule: MustRunAs
31 | ranges:
32 | - min: 1
33 | max: 65535
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraints/psp_volumes.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: constraints.gatekeeper.sh/v1beta1
2 | kind: K8sPSPVolumeTypes
3 | metadata:
4 | name: psp-volume-types
5 | namespace: kube-system
6 | spec:
7 | match:
8 | kinds:
9 | - apiGroups: [""]
10 | kinds: ["Pod"]
11 | excludedNamespaces: ["kube-system","flux-system"]
12 | parameters:
13 | volumes:
14 | # Allow core volume types
15 | - configMap
16 | - emptyDir
17 | - projected
18 | - secret
19 | - downwardAPI
20 | # Assume that persistentVolumes set up by the cluster admin are safe to use
21 | - persistentVolumeClaim
22 |
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/constraints/required_probes.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: constraints.gatekeeper.sh/v1beta1
2 | kind: K8sRequiredProbes
3 | metadata:
4 | name: must-have-probes
5 | namespace: kube-system
6 | spec:
7 | match:
8 | kinds:
9 | - apiGroups: [""]
10 | kinds: ["Pod"]
11 | excludedNamespaces: ["kube-system","flux-system"]
12 | parameters:
13 | probes: ["readinessProbe", "livenessProbe"]
14 | probeTypes: ["tcpSocket", "httpGet", "exec"]
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/policies/policies-sync.yaml:
--------------------------------------------------------------------------------
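1 | # Flux Kustomizations that apply the Gatekeeper policies from this repository.
2 | # Constraint templates are applied first; the constraints depend on them so that
3 | # a constraint is not applied before the template that defines its kind.
4 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
5 | kind: Kustomization
6 | metadata:
7 |   name: gatekeeper-constraint-templates
8 |   namespace: flux-system
9 | spec:
10 |   interval: 10m0s
11 |   path: ./policies/alternative-gatekeeper/policies/constraint-templates
12 |   # prune removes templates deleted from the repository; that also removes the
13 |   # enforcement they provided, so review deletions in this path carefully.
14 |   prune: true
15 |   sourceRef:
16 |     kind: GitRepository
17 |     name: gatekeeper
18 |   validation: client
19 |   healthChecks:
20 |     # Must match the apiVersion the HelmRelease is created with in
21 |     # gatekeeper-sync.yaml (helm.toolkit.fluxcd.io/v2beta1); with a different
22 |     # version the health check may look up a resource that does not exist.
23 |     - apiVersion: helm.toolkit.fluxcd.io/v2beta1
24 |       kind: HelmRelease
25 |       name: gatekeeper
26 |       namespace: flux-system
27 | ---
28 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
29 | kind: Kustomization
30 | metadata:
31 |   name: gatekeeper-constraints
32 |   namespace: flux-system
33 | spec:
34 |   interval: 10m0s
35 |   path: ./policies/alternative-gatekeeper/policies/constraints
36 |   prune: true
37 |   sourceRef:
38 |     kind: GitRepository
39 |     name: gatekeeper
40 |   validation: client
41 |   healthChecks:
42 |     - apiVersion: helm.toolkit.fluxcd.io/v2beta1
43 |       kind: HelmRelease
44 |       name: gatekeeper
45 |       namespace: flux-system
46 |   dependsOn:
47 |     - name: gatekeeper-constraint-templates
48 |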
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/tests/allowed.yaml:
--------------------------------------------------------------------------------
1 | # This is an example of a PodSpec that passes all our default checks
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx-allowed
6 | labels:
7 | app: nginx-allowed
8 | spec:
9 | securityContext:
10 | supplementalGroups:
11 | - 101
12 | fsGroup: 101
13 | containers:
14 | - name: nginx
15 | image: nginxinc/nginx-unprivileged:1.19
16 | resources:
17 | limits:
18 | cpu: 1
19 | memory: 1Gi
20 | requests:
21 | cpu: 1
22 | memory: 1Gi
23 | ports:
24 | - containerPort: 8080
25 | protocol: TCP
26 | securityContext:
27 | runAsUser: 101
28 | runAsGroup: 101
29 | capabilities:
30 | drop:
31 | - ALL
32 | allowPrivilegeEscalation: false
33 | readinessProbe:
34 | httpGet:
35 | scheme: HTTP
36 | path: /index.html
37 | port: 8080
38 | livenessProbe:
39 | httpGet:
40 | scheme: HTTP
41 | path: /index.html
42 | port: 8080
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/tests/container_resource_ratios.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: nginx-containers-resource-ratios-disallowed
5 | labels:
6 | app: nginx-containers-resource-ratios-disallowed
7 | spec:
8 | securityContext:
9 | supplementalGroups:
10 | - 101
11 | fsGroup: 101
12 | containers:
13 | - name: nginx
14 | image: nginxinc/nginx-unprivileged:1.19
15 | ports:
16 | - containerPort: 8080
17 | protocol: TCP
18 | securityContext:
19 | runAsUser: 101
20 | runAsGroup: 101
21 | capabilities:
22 | drop:
23 | - ALL
24 | allowPrivilegeEscalation: false
25 | readinessProbe:
26 | httpGet:
27 | scheme: HTTP
28 | path: /index.html
29 | port: 8080
30 | livenessProbe:
31 | httpGet:
32 | scheme: HTTP
33 | path: /index.html
34 | port: 8080
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/tests/disallowed_tags.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: nginx-tags-disallowed
5 | labels:
6 | app: nginx-tags-disallowed
7 | spec:
8 | securityContext:
9 | supplementalGroups:
10 | - 101
11 | fsGroup: 101
12 | containers:
13 | - name: nginx
14 | image: nginxinc/nginx-unprivileged:latest
15 | resources:
16 | limits:
17 | cpu: 1
18 | memory: 1Gi
19 | requests:
20 | cpu: 1
21 | memory: 1Gi
22 | ports:
23 | - containerPort: 8080
24 | protocol: TCP
25 | securityContext:
26 | runAsUser: 101
27 | runAsGroup: 101
28 | capabilities:
29 | drop:
30 | - ALL
31 | allowPrivilegeEscalation: false
32 | readinessProbe:
33 | httpGet:
34 | scheme: HTTP
35 | path: /index.html
36 | port: 8080
37 | livenessProbe:
38 | httpGet:
39 | scheme: HTTP
40 | path: /index.html
41 | port: 8080
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/tests/psp_capabilities.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: nginx-capabilities-disallowed
5 | labels:
6 | app: nginx-capabilities-disallowed
7 | spec:
8 | securityContext:
9 | supplementalGroups:
10 | - 101
11 | fsGroup: 101
12 | containers:
13 | - name: nginx
14 | image: nginxinc/nginx-unprivileged:1.19
15 | resources:
16 | limits:
17 | cpu: 1
18 | memory: 1Gi
19 | requests:
20 | cpu: 1
21 | memory: 1Gi
22 | ports:
23 | - containerPort: 8080
24 | protocol: TCP
25 | securityContext:
26 | runAsUser: 101
27 | runAsGroup: 101
28 | capabilities:
29 | add: ["NET_ADMIN", "SYS_TIME"]
30 | allowPrivilegeEscalation: false
31 | readinessProbe:
32 | httpGet:
33 | scheme: HTTP
34 | path: /index.html
35 | port: 8080
36 | livenessProbe:
37 | httpGet:
38 | scheme: HTTP
39 | path: /index.html
40 | port: 8080
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/tests/psp_host_namespaces.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: nginx-host-namespaces-disallowed
5 | labels:
6 | app: nginx-host-namespaces-disallowed
7 | spec:
8 | hostPID: true
9 | hostIPC: true
10 | securityContext:
11 | supplementalGroups:
12 | - 101
13 | fsGroup: 101
14 | containers:
15 | - name: nginx
16 | image: nginxinc/nginx-unprivileged:1.19
17 | resources:
18 | limits:
19 | cpu: 1
20 | memory: 1Gi
21 | requests:
22 | cpu: 1
23 | memory: 1Gi
24 | ports:
25 | - containerPort: 8080
26 | protocol: TCP
27 | securityContext:
28 | runAsUser: 101
29 | runAsGroup: 101
30 | capabilities:
31 | drop:
32 | - ALL
33 | allowPrivilegeEscalation: false
34 | readinessProbe:
35 | httpGet:
36 | scheme: HTTP
37 | path: /index.html
38 | port: 8080
39 | livenessProbe:
40 | httpGet:
41 | scheme: HTTP
42 | path: /index.html
43 | port: 8080
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/tests/psp_host_network.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: nginx-host-network-disallowed
5 | labels:
6 | app: nginx-host-network-disallowed
7 | spec:
8 | hostNetwork: true
9 | securityContext:
10 | supplementalGroups:
11 | - 101
12 | fsGroup: 101
13 | containers:
14 | - name: nginx
15 | image: nginxinc/nginx-unprivileged:1.19
16 | resources:
17 | limits:
18 | cpu: 1
19 | memory: 1Gi
20 | requests:
21 | cpu: 1
22 | memory: 1Gi
23 | ports:
24 | - containerPort: 8080
25 | hostPort: 8080
26 | protocol: TCP
27 | securityContext:
28 | runAsUser: 101
29 | runAsGroup: 101
30 | capabilities:
31 | drop:
32 | - ALL
33 | allowPrivilegeEscalation: false
34 | readinessProbe:
35 | httpGet:
36 | scheme: HTTP
37 | path: /index.html
38 | port: 8080
39 | livenessProbe:
40 | httpGet:
41 | scheme: HTTP
42 | path: /index.html
43 | port: 8080
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/tests/psp_privilege_escalation.yaml:
--------------------------------------------------------------------------------
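1 | # This is an example of a PodSpec that fails the privilege-escalation check: it
2 | # matches tests/allowed.yaml apart from the name and allowPrivilegeEscalation: true.
3 | apiVersion: v1
4 | kind: Pod
5 | metadata:
6 |   name: nginx-privilege-escalation-disallowed
7 |   labels:
8 |     app: nginx-privilege-escalation-disallowed
9 | spec:
10 |   securityContext:
11 |     supplementalGroups:
12 |       - 101
13 |     fsGroup: 101
14 |   containers:
15 |     - name: nginx
16 |       image: nginxinc/nginx-unprivileged:1.19
17 |       resources:
18 |         limits:
19 |           cpu: 1
20 |           memory: 1Gi
21 |         requests:
22 |           cpu: 1
23 |           memory: 1Gi
24 |       ports:
25 |         - containerPort: 8080
26 |           protocol: TCP
27 |       securityContext:
28 |         runAsUser: 101
29 |         runAsGroup: 101
30 |         capabilities:
31 |           drop:
32 |             - ALL
33 |         allowPrivilegeEscalation: true # the only deviation from the allowed example
34 |       readinessProbe:
35 |         httpGet:
36 |           scheme: HTTP
37 |           path: /index.html
38 |           port: 8080
39 |       livenessProbe:
40 |         httpGet:
41 |           scheme: HTTP
42 |           path: /index.html
43 |           port: 8080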
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/tests/psp_privileged.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: nginx-privileged-disallowed
5 | labels:
6 | app: nginx-privileged-disallowed
7 | spec:
8 | securityContext:
9 | supplementalGroups:
10 | - 101
11 | fsGroup: 101
12 | containers:
13 | - name: nginx
14 | image: nginxinc/nginx-unprivileged:1.19
15 | resources:
16 | limits:
17 | cpu: 1
18 | memory: 1Gi
19 | requests:
20 | cpu: 1
21 | memory: 1Gi
22 | ports:
23 | - containerPort: 8080
24 | protocol: TCP
25 | securityContext:
26 | privileged: true
27 | runAsUser: 101
28 | runAsGroup: 101
29 | capabilities:
30 | drop:
31 | - ALL
32 | readinessProbe:
33 | httpGet:
34 | scheme: HTTP
35 | path: /index.html
36 | port: 8080
37 | livenessProbe:
38 | httpGet:
39 | scheme: HTTP
40 | path: /index.html
41 | port: 8080
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/tests/psp_users.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: nginx-users-disallowed
5 | labels:
6 | app: nginx-users-disallowed
7 | spec:
8 | containers:
9 | - name: nginx
10 | image: nginxinc/nginx-unprivileged:1.19
11 | resources:
12 | limits:
13 | cpu: 1
14 | memory: 1Gi
15 | requests:
16 | cpu: 1
17 | memory: 1Gi
18 | ports:
19 | - containerPort: 8080
20 | protocol: TCP
21 | securityContext:
22 | capabilities:
23 | drop:
24 | - ALL
25 | allowPrivilegeEscalation: false
26 | readinessProbe:
27 | httpGet:
28 | scheme: HTTP
29 | path: /index.html
30 | port: 8080
31 | livenessProbe:
32 | httpGet:
33 | scheme: HTTP
34 | path: /index.html
35 | port: 8080
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/tests/psp_volumes.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: nginx-volumes-disallowed
5 | labels:
6 | app: nginx-volumes-disallowed
7 | spec:
8 | securityContext:
9 | supplementalGroups:
10 | - 101
11 | fsGroup: 101
12 | containers:
13 | - name: nginx
14 | image: nginxinc/nginx-unprivileged:1.19
15 | resources:
16 | limits:
17 | cpu: 1
18 | memory: 1Gi
19 | requests:
20 | cpu: 1
21 | memory: 1Gi
22 | ports:
23 | - containerPort: 8080
24 | protocol: TCP
25 | securityContext:
26 | runAsUser: 101
27 | runAsGroup: 101
28 | capabilities:
29 | drop:
30 | - ALL
31 | allowPrivilegeEscalation: false
32 | readinessProbe:
33 | httpGet:
34 | scheme: HTTP
35 | path: /index.html
36 | port: 8080
37 | livenessProbe:
38 | httpGet:
39 | scheme: HTTP
40 | path: /index.html
41 | port: 8080
42 | volumeMounts:
43 | - mountPath: /cache
44 | name: cache-volume
45 | volumes:
46 | - name: cache-volume
47 | hostPath:
48 | path: /tmp # directory location on host
49 | - name: demo-vol
50 | emptyDir: {}
--------------------------------------------------------------------------------
/policies/alternative-gatekeeper/tests/required_probes.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: nginx-probes-disallowed
5 | labels:
6 | app: nginx-probes-disallowed
7 | spec:
8 | securityContext:
9 | supplementalGroups:
10 | - 101
11 | fsGroup: 101
12 | containers:
13 | - name: nginx
14 | image: nginxinc/nginx-unprivileged:1.19
15 | resources:
16 | limits:
17 | cpu: 1
18 | memory: 1Gi
19 | requests:
20 | cpu: 1
21 | memory: 1Gi
22 | ports:
23 | - containerPort: 8080
24 | protocol: TCP
25 | securityContext:
26 | runAsUser: 101
27 | runAsGroup: 101
28 | capabilities:
29 | drop:
30 | - ALL
31 | allowPrivilegeEscalation: false
--------------------------------------------------------------------------------
/policies/k8s-registry-deprecation/gatekeeper/deprecated-registry-c.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: constraints.gatekeeper.sh/v1beta1
2 | kind: K8sDeprecatedRegistry
3 | metadata:
4 | name: denied-deprecated-registry
5 | labels:
6 | policy.kubernetes.amazon-eks.com/gatekeeper: constraint
7 | spec:
8 | # enforcementAction: warn
9 | match:
10 | kinds:
11 | - apiGroups: ["*"]
12 | kinds: ["Pod","Deployment","DaemonSet","Job","CronJob","StatefulSet","ReplicaSet"]
13 | # namespaces:
14 | # - "policy-test"
15 | parameters:
16 | allowedOps: ["CREATE","UPDATE"]
17 | deniedRegistries: ["k8s.gcr.io"]
18 | errMsg: "INVALID_REGISTRY"
19 |
--------------------------------------------------------------------------------
/policies/k8s-registry-deprecation/kyverno/deprecated-registry.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 | name: deprecated-registry
5 | annotations:
6 | policies.kyverno.io/title: Restrict Image Registries
7 | policies.kyverno.io/category: Best Practices, EKS Best Practices
8 | policies.kyverno.io/severity: medium
9 | policies.kyverno.io/minversion: 1.9.0
10 | policies.kyverno.io/subject: Pod
11 | policies.kyverno.io/description: >-
12 | Legacy k8s.gcr.io container image registry will be frozen in early April 2023
13 | k8s.gcr.io image registry will be frozen from the 3rd of April 2023.
14 | Images for Kubernetes 1.27 will not be available in the k8s.gcr.io image registry.
15 | Please read our announcement for more details.
16 | https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/
17 | spec:
18 | validationFailureAction: Enforce
19 | # validationFailureAction: Audit
20 | background: true
21 | rules:
22 | - name: deprecated-registry
23 | match:
24 | any:
25 | - resources:
26 | kinds:
27 | - Pod
28 | validate:
29 | message: "The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used."
30 | foreach:
31 | - list: "request.object.spec.[initContainers, ephemeralContainers, containers][]"
32 | deny:
33 | conditions:
34 | all:
35 | - key: "{{ element.image }}"
36 | operator: Equals
37 | value: "k8s.gcr.io/*"
38 |
--------------------------------------------------------------------------------
/policies/k8s-registry-deprecation/sigstore/deprecated-registry.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: policy.sigstore.dev/v1beta1
2 | kind: ClusterImagePolicy
3 | metadata:
4 | name: deprecated-k8s-grc-io-registry
5 | annotations:
6 | title: Deprecated registry
7 | description: Warn of a registry deprecation
8 | learnMoreLink: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/
9 | spec:
10 | mode: enforce # For warnings, use 'mode: warn'
11 | images:
12 | - glob: "k8s.gcr.io/**"
13 | authorities:
14 | - name: k8s-deprecated
15 | static:
16 | action: pass
17 | policy:
18 | type: rego
19 | data: |
20 | package sigstore
21 | isCompliant[response] {
22 | response := {
23 | "result" : true,
24 | "error" : "",
25 | "warning" : "This repo has been deprecated: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/"
26 | }
27 | }
28 |
29 |
--------------------------------------------------------------------------------
/policies/kyverno/README.md:
--------------------------------------------------------------------------------
1 | ## Kyverno Cluster Policies
2 |
3 | Policies written for [Kyverno](https://kyverno.io) policy management
4 |
--------------------------------------------------------------------------------
/policies/kyverno/cluster-policies/1-dep-pod-labels.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 | name: deployment-require-labels
5 | labels:
6 | app: kyverno
7 | owner: jimmy
8 | annotations:
9 | policies.kyverno.io/category: Compliance
10 | policies.kyverno.io/description: Rules to enforce labels on Deployment and Pod resources
11 | spec:
12 | validationFailureAction: enforce
13 | rules:
14 | - name: deployment-labels
15 | match:
16 | resources:
17 | kinds:
18 | - Deployment
19 | validate:
20 | message: "labels app, owner, env are required"
21 | pattern:
22 | metadata:
23 | labels:
24 | app: "?*"
25 | owner: "?*"
26 | env: "?*"
27 | - name: pod-labels
28 | match:
29 | resources:
30 | kinds:
31 | - Pod
32 | validate:
33 | message: "labels app, owner, env are required"
34 | pattern:
35 | metadata:
36 | labels:
37 | app: "?*"
38 | owner: "?*"
39 | env: "?*"
40 |
41 |
--------------------------------------------------------------------------------
/policies/kyverno/cluster-policies/3-dep-pod-valid-registry.yaml:
--------------------------------------------------------------------------------
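1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: deployment-pod-valid-registry
5 |   labels:
6 |     app: kyverno
7 |     owner: jimmy
8 |   annotations:
9 |     policies.kyverno.io/category: Compliance
10 |     policies.kyverno.io/description: Rules to enforce correct image source registry
11 | spec:
12 |   validationFailureAction: enforce
13 |   rules:
14 |     - name: validate-registries
15 |       match:
16 |         resources:
17 |           kinds:
18 |             - Pod
19 |       validate:
20 |         message: "Unknown image registry"
21 |         # GOOD_REGISTRY and VERY_GOOD_REGISTRY are placeholders for the registries
22 |         # you trust; "|" separates alternative wildcard patterns.
23 |         pattern:
24 |           spec:
25 |             containers:
26 |               - image: "GOOD_REGISTRY/* | VERY_GOOD_REGISTRY/*"
27 |             # =() is Kyverno's equality anchor: the list is validated only when it is
28 |             # present, so pods without init or ephemeral containers still pass. Without
29 |             # these entries an image from an unknown registry could still run in an
30 |             # init or ephemeral container. Ephemeral containers are added through the
31 |             # pods/ephemeralcontainers subresource; confirm the webhook sees them.
32 |             =(initContainers):
33 |               - image: "GOOD_REGISTRY/* | VERY_GOOD_REGISTRY/*"
34 |             =(ephemeralContainers):
35 |               - image: "GOOD_REGISTRY/* | VERY_GOOD_REGISTRY/*"
36 |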
--------------------------------------------------------------------------------
/policies/kyverno/cluster-policies/4-cm-ns-roles.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 | name: ns-roles-dictionary
5 | namespace: kyverno
6 | labels:
7 | app: kyverno
8 | owner: jimmy
9 | data:
10 | prod: "arn:aws:iam::123456789012:role/prod"
11 | dev: "arn:aws:iam::123456789012:role/dev"
12 | kyverno-test: "[\"arn:aws:iam::123456789012:role/test\", \"arn:aws:iam::123456789012:role/dev\"]"
13 |
--------------------------------------------------------------------------------
/policies/kyverno/cluster-policies/4-dep-valid-role.yaml:
--------------------------------------------------------------------------------
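apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deployment-valid-role
  labels:
    app: kyverno
    owner: jimmy
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: Rules to enforce valid roles, based on namespace-role dictionary
spec:
  validationFailureAction: enforce
  rules:
  # Rejects a workload whose pod template requests an iam.amazonaws.com/role
  # that is not listed for its namespace in the ns-roles-dictionary ConfigMap.
  # Workloads that carry no role annotation are not evaluated (see the second
  # precondition), which matches kube2iam/kiam semantics where no annotation
  # means no IAM role.
  - name: validate-role-annotation
    context:
    - name: ns-roles-dictionary
      configMap:
        name: ns-roles-dictionary
        namespace: kyverno
    match:
      resources:
        kinds:
        # All of these controllers keep the pod template at spec.template, so
        # the JMESPath expressions below apply unchanged. The original matched
        # only Deployment, which let a StatefulSet, DaemonSet, Job or ReplicaSet
        # request any role in a governed namespace.
        # NOTE(review): bare Pods and CronJobs (template under
        # spec.jobTemplate.spec.template) are still not covered and need their
        # own rule with adjusted paths.
        - Deployment
        - StatefulSet
        - DaemonSet
        - ReplicaSet
        - Job
    preconditions:
    # Only namespaces that have an entry in the dictionary are governed; this
    # list must be kept in sync with the ConfigMap's keys.
    - key: "{{ request.object.metadata.namespace }}"
      operator: In
      value: ["prod", "dev", "kyverno-test"]
    # `|| ''` yields an empty string when the annotation is absent, so the
    # comparison is deterministic instead of depending on how an unresolved
    # variable is treated.
    - key: "{{ request.object.spec.template.metadata.annotations.\"iam.amazonaws.com/role\" || '' }}"
      operator: NotEqual
      value: ""
    validate:
      message: "Annotation iam.amazonaws.com/role \"{{ request.object.spec.template.metadata.annotations.\"iam.amazonaws.com/role\" }}\" is not allowed for the \"{{ request.object.metadata.namespace }}\" namespace."
      deny:
        conditions:
        # The requested role must appear in the namespace's list. The ConfigMap
        # values are JSON arrays, which Kyverno exposes as lists here.
        - key: "{{ request.object.spec.template.metadata.annotations.\"iam.amazonaws.com/role\" }}"
          operator: NotIn
          value: "{{ \"ns-roles-dictionary\".data.\"{{ request.object.metadata.namespace }}\" }}"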
--------------------------------------------------------------------------------
/policies/kyverno/test-resources/0-ns.yaml:
--------------------------------------------------------------------------------
# Namespaces used by the Kyverno test fixtures. `kyverno-test` is listed in the
# ns-roles-dictionary ConfigMap and in the deployment-valid-role precondition;
# `kyverno-test1` is not, so role checks are skipped there.
apiVersion: v1
kind: Namespace
metadata:
  name: kyverno-test
---
apiVersion: v1
kind: Namespace
metadata:
  name: kyverno-test1
--------------------------------------------------------------------------------
/policies/kyverno/test-resources/1-ok.yaml:
--------------------------------------------------------------------------------
# Kyverno test fixture: the baseline Deployment that is expected to be ADMITTED.
# The other fixtures in this directory are copies of this file with one field
# changed or removed so that a single policy fires.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: kyverno-test
  labels:
    app: test
    owner: jimmy
    env: dev
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        # role/test is listed for kyverno-test in ns-roles-dictionary, so the
        # deployment-valid-role policy admits it.
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        # GOOD_REGISTRY is one of the registries allowed by the
        # validate-registries rule; the tag is pinned rather than :latest.
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          readOnlyRootFilesystem: true
          # NOTE(review): a "known good" baseline would normally also set
          # runAsNonRoot: true, capabilities.drop: ["ALL"] and a seccompProfile;
          # no policy in this excerpt requires them, so they are left out here.
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 200m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/kyverno/test-resources/2-dep-lab.yaml:
--------------------------------------------------------------------------------
# Negative fixture: identical to 1-ok.yaml except that the top-level `owner`
# label is commented out. Intended to be REJECTED by a required-labels policy
# (not part of this excerpt). The pod template still carries `owner`, so only a
# metadata.labels check should fire.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: kyverno-test
  labels:
    app: test
    # owner: jimmy
    env: dev
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          readOnlyRootFilesystem: true
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 200m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/kyverno/test-resources/6-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
# Negative fixture: identical to 1-ok.yaml except allowPrivilegeEscalation is
# true. Intended to be REJECTED by a securityContext policy (suggested by the
# file name; that policy is not part of this excerpt).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: kyverno-test
  labels:
    app: test
    owner: jimmy
    env: dev
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          # The deliberate violation: lets a process gain more privileges than
          # its parent (setuid binaries, file capabilities).
          allowPrivilegeEscalation: true
          runAsUser: 1000
          readOnlyRootFilesystem: true
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 200m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/kyverno/test-resources/8-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
# Negative fixture: identical to 1-ok.yaml except the container runs as UID 0.
# Intended to be REJECTED by a securityContext policy (suggested by the file
# name; that policy is not part of this excerpt).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: kyverno-test
  labels:
    app: test
    owner: jimmy
    env: dev
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          # The deliberate violation: root inside the container.
          runAsUser: 0
          readOnlyRootFilesystem: true
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 200m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/opa/README.md:
--------------------------------------------------------------------------------
1 | ## Open Policy Agent (OPA) Policies
2 |
3 | Policies written for classic [OPA](https://github.com/open-policy-agent/opa) and OPA [Gatekeeper](https://github.com/open-policy-agent/gatekeeper). The `classic` policies share the `kubernetes.admission` package and are aggregated by the `system.main` entry point.
4 |
--------------------------------------------------------------------------------
/policies/opa/classic/configmaps/1-main.yaml:
--------------------------------------------------------------------------------
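apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-default-system-main
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    # Entry point evaluated by the OPA admission webhook. Gathers every `deny`
    # message produced under data.kubernetes.admission and builds the
    # AdmissionReview response: denied with the joined messages when at least
    # one rule fired, allowed otherwise.
    package system

    import data.kubernetes.admission

    main = {
      "apiVersion": api_version,
      "kind": "AdmissionReview",
      "response": response,
    }

    # Echo the AdmissionReview version the API server sent so the response is
    # accepted regardless of which version the webhook is registered with.
    # The original hard-coded admission.k8s.io/v1beta1, which Kubernetes 1.22+
    # no longer serves; v1 is the fallback when the request carries no version.
    default api_version = "admission.k8s.io/v1"

    api_version = input.apiVersion

    default uid = ""

    uid = input.request.uid

    response = {
      "allowed": false,
      "uid": uid,
      "status": {
        # `message` is what kubectl prints to the user; `reason` is kept for
        # callers that read the original field.
        "reason": reason,
        "message": reason,
      },
    } {
      reason = concat(", ", admission.deny)
      reason != ""
    }

    else = {"allowed": true, "uid": uid}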
--------------------------------------------------------------------------------
/policies/opa/classic/configmaps/10-clusterip-service-ext-ips.yaml:
--------------------------------------------------------------------------------
kind: ConfigMap
apiVersion: v1
metadata:
  name: clusterip-svc-ext-ips-allowed
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    # Restricts spec.externalIPs on ClusterIP Services to the allow-list held in
    # helpers.allowed_ext_ips. Unrestricted externalIPs let any namespace claim
    # an arbitrary address and intercept in-cluster traffic to it (the issue
    # tracked as CVE-2020-8554), so the allow-list should be short and owned by
    # the platform team.
    # NOTE(review): if 9-clusterip-service-ext-ips.yaml is loaded into the same
    # package, every ClusterIP Service with externalIPs is denied outright and
    # this allow-list never admits anything; deploy one of the two.
    package kubernetes.admission

    import data.lib.k8s.helpers as helpers

    deny[msg] {
      helpers.request_kind = "Service"
      helpers.allowed_operations[helpers.request_operation]
      # Only ClusterIP is covered; NodePort and LoadBalancer Services can also
      # carry externalIPs and are not checked by this rule.
      helpers.request_object.spec.type = "ClusterIP"
      aips := helpers.allowed_ext_ips
      # Undefined when the Service has no externalIPs, which makes the rule not fire.
      ips := helpers.request_object.spec.externalIPs
      # NOTE(review): the deny fires when helpers.ips_allowed(aips, ips) is TRUE.
      # If that helper (defined in data.lib.k8s.helpers, not shown here) returns
      # true when all submitted IPs are in the allow-list, this condition is
      # inverted and needs a leading `not` -- confirm against the helper before
      # relying on this rule.
      helpers.ips_allowed(aips,ips)
      msg = sprintf("%q: ClusterIP service external IPs are not found in the Allowed IPs list. Allowed IPs: %q, Submitted IPs: %q. Resource ID (ns/name/kind): %q", [helpers.service_error,aips,ips,helpers.request_id])
    }
--------------------------------------------------------------------------------
/policies/opa/classic/configmaps/2-deployment-labels.yaml:
--------------------------------------------------------------------------------
kind: ConfigMap
apiVersion: v1
metadata:
  name: deployment-labels
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    # Denies a Deployment whose top-level metadata.labels lack any key listed in
    # helpers.required_deployment_labels. The message names the missing keys.
    # A Deployment with no labels at all reports every required key missing.
    package kubernetes.admission

    import data.lib.k8s.helpers as helpers

    deny[msg] {
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      wanted := helpers.required_deployment_labels
      # keys actually present on metadata.labels (empty when there are none)
      present := {label | some label; helpers.request_metadata_labels[label]}
      absent := wanted - present
      count(absent) > 0

      msg = sprintf("%q: %q label(s) missing. %q are required labels in the metadata element. Resource ID (ns/name/kind): %q", [helpers.deployment_error, concat(", ", absent), concat(", ", wanted), helpers.request_id])
    }
--------------------------------------------------------------------------------
/policies/opa/classic/configmaps/3-deployment-spec-temp-labels.yaml:
--------------------------------------------------------------------------------
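kind: ConfigMap
apiVersion: v1
metadata:
  name: deployment-spec-temp-labels
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    # Denies a Deployment whose pod template labels
    # (spec.template.metadata.labels) lack any key listed in
    # helpers.required_deployment_labels. Companion of deployment-labels, which
    # checks the top-level metadata.labels; both must pass for admission.
    package kubernetes.admission

    import data.lib.k8s.helpers as helpers

    deny[msg] {
      # Use the shared helper like every sibling policy instead of reading
      # input.request.kind.kind directly, so all Deployment rules key off one
      # definition of "request kind" (assumed to resolve to
      # input.request.kind.kind, as the other policies rely on).
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      required_labels := helpers.required_deployment_labels
      # keys present on the pod template; empty when it carries no labels,
      # in which case every required key is reported missing
      provided_labels := {k | helpers.request_spec_template_metadata_labels[k]}
      missing_labels := required_labels - provided_labels
      count(missing_labels) > 0

      msg = sprintf("%q: %q label(s) missing. %q are required labels in the spec.template.metadata.labels element. Resource ID (ns/name/kind): %q", [helpers.deployment_error,concat(", ",missing_labels),concat(", ",required_labels),helpers.request_id])
    }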
--------------------------------------------------------------------------------
/policies/opa/classic/configmaps/5-deployment-registry-allowed.yaml:
--------------------------------------------------------------------------------
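kind: ConfigMap
apiVersion: v1
metadata:
  name: deployment-registry-allowed
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    # Denies a Deployment that references a container image outside the
    # allowed registries. An image is accepted only if its reference starts
    # with "<registry>/" for one of the allowed registries.
    #
    # The original matched with contains(), i.e. anywhere in the reference, so
    # "evil.example/GOOD_REGISTRY/app" or "evil.example/app:GOOD_REGISTRY"
    # passed the check. Matching on the prefix closes that bypass and mirrors
    # the "GOOD_REGISTRY/*" wildcard used by the Kyverno registry policy.
    # NOTE(review): coverage of initContainers depends on what
    # helpers.deployment_containers (not shown here) returns; verify it
    # includes them, otherwise an init container can pull from anywhere.
    package kubernetes.admission

    import data.lib.k8s.helpers as helpers

    deny[msg] {
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      image = helpers.deployment_containers[_].image
      not reg_matches_any(image,valid_deployment_registries_v2)
      msg = sprintf("%q: %q image is not sourced from an authorized registry. Resource ID (ns/name/kind): %q", [helpers.deployment_error,image,helpers.request_id])
    }

    # Set of allowed registry hosts, built from a comma-separated constant.
    valid_deployment_registries_v2 = {registry |
      allowed = "GOOD_REGISTRY,VERY_GOOD_REGISTRY"
      registries = split(allowed, ",")
      registry = registries[_]
    }

    # True when the image reference matches at least one allowed registry.
    reg_matches_any(str, patterns) {
      reg_matches(str, patterns[_])
    }

    # Prefix match: the reference must begin with "<registry>/". The trailing
    # slash prevents "GOOD_REGISTRY.evil.example/app" from matching.
    reg_matches(str, pattern) {
      startswith(str, concat("", [pattern, "/"]))
    }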
--------------------------------------------------------------------------------
/policies/opa/classic/configmaps/6-deployment-ns-role-allowed.yaml:
--------------------------------------------------------------------------------
kind: ConfigMap
apiVersion: v1
metadata:
  name: deployment-allowed-role-ns
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    # Denies a Deployment whose pod template requests an IAM role (via
    # helpers.deployment_role, the iam.amazonaws.com/role annotation in the
    # fixtures) that is not permitted for the target namespace.
    # NOTE(review): when the annotation is absent, helpers.deployment_role is
    # presumably undefined and the rule does not fire (see the 13-dep-no-role
    # fixture); confirm that is the intended outcome.
    # NOTE(review): the Kyverno ns-roles-dictionary ConfigMap holds a second
    # copy of this mapping and does not permit role/test in "dev"; the two have
    # drifted. Moving the mapping into an OPA `data` document would let it be
    # managed outside the policy text.
    package kubernetes.admission

    import data.lib.k8s.helpers as helpers

    deny[msg] {
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      requested := helpers.deployment_role
      ns := helpers.request_namespace
      not ns_roles_allowed(ns, requested)
      msg := sprintf("%q: %q role is not allowed for the %q namespace. Resource ID (ns/name/kind): %q", [helpers.deployment_error, requested, ns, helpers.request_id])
    }

    # True when role r is in the set of roles permitted for namespace n.
    # Unknown namespaces have no entry, so nothing is permitted in them.
    ns_roles_allowed(n, r) {
      permitted_for := {
        "prod": {"arn:aws:iam::123456789012:role/prod"},
        "dev": {"arn:aws:iam::123456789012:role/dev", "arn:aws:iam::123456789012:role/test"},
        "opa-test": {"arn:aws:iam::123456789012:role/test"},
      }
      permitted := permitted_for[n]
      permitted[r]
    }
--------------------------------------------------------------------------------
/policies/opa/classic/configmaps/8-deployment-latest-image-version.yaml:
--------------------------------------------------------------------------------
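kind: ConfigMap
apiVersion: v1
metadata:
  name: deployment-valid-image-version
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    # Denies a Deployment whose container image is untagged (implicit :latest)
    # or explicitly tagged :latest, so that rollouts are pinned to a version.
    #
    # The tag is read from the last path segment of the reference. The original
    # looked at the whole string: a registry with a port ("reg:5000/app") was
    # treated as tagged, and any name containing the word "latest"
    # ("my-latest-app:v1") was denied. Digest-pinned references
    # ("app@sha256:...") contain ":" in the last segment and are accepted.
    package kubernetes.admission

    import data.lib.k8s.helpers as helpers

    deny[msg] {
      helpers.request_kind = "Deployment"
      helpers.allowed_operations[helpers.request_operation]
      image = helpers.deployment_containers[_].image
      invalid_image_version(image)
      msg = sprintf("%q: %q container image \"latest\" tag/version is not allowed. Resource ID (ns/name/kind): %q", [helpers.deployment_error,image,helpers.request_id])
    }

    # No tag or digest on the name segment -> implicit latest.
    invalid_image_version(image) {
      parts := split(image, "/")
      name := parts[count(parts) - 1]
      not contains(name, ":")
    }

    # Explicit :latest tag on the name segment.
    invalid_image_version(image) {
      parts := split(image, "/")
      name := parts[count(parts) - 1]
      endswith(name, ":latest")
    }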
--------------------------------------------------------------------------------
/policies/opa/classic/configmaps/9-clusterip-service-ext-ips.yaml:
--------------------------------------------------------------------------------
kind: ConfigMap
apiVersion: v1
metadata:
  name: clusterip-svc-ext-ips
  namespace: opa
  labels:
    app: opa
    owner: jimmy
    openpolicyagent.org/policy: rego
data:
  main: |
    # Denies any ClusterIP Service that sets spec.externalIPs at all. This is
    # the blanket alternative to the allow-list in
    # 10-clusterip-service-ext-ips.yaml; loading both into this package makes
    # the allow-list moot, so deploy one or the other.
    # NOTE(review): only spec.type ClusterIP is covered; NodePort and
    # LoadBalancer Services can also carry externalIPs.
    package kubernetes.admission

    import data.lib.k8s.helpers as helpers

    deny[msg] {
      helpers.request_kind = "Service"
      helpers.allowed_operations[helpers.request_operation]
      helpers.request_object.spec.type = "ClusterIP"
      # A bare reference is true for any defined value, so this fires whenever
      # the field is present (likely including an explicitly empty list).
      helpers.request_object.spec.externalIPs
      msg = sprintf("%q: ClusterIP service cannot specify externalIPs element. Resource ID (ns/name/kind): %q", [helpers.service_error,helpers.request_id])
    }
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/0-ns.yaml:
--------------------------------------------------------------------------------
# Namespaces used by the OPA test fixtures. `opa-test` has an entry in the
# deployment-allowed-role-ns dictionary (role/test only); `opa-test1` has none,
# so any role requested there is denied by that policy.
apiVersion: v1
kind: Namespace
metadata:
  name: opa-test
---
apiVersion: v1
kind: Namespace
metadata:
  name: opa-test1
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/1-ok.yaml:
--------------------------------------------------------------------------------
# OPA test fixture: the baseline Deployment that is expected to be ADMITTED by
# every policy in ../configmaps. The other fixtures in this directory are copies
# of this file with one field changed or removed so that a single policy fires.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        # role/test is the only role permitted for opa-test by
        # deployment-allowed-role-ns.
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        # GOOD_REGISTRY is allowed by deployment-registry-allowed and the
        # pinned tag satisfies deployment-valid-image-version.
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          readOnlyRootFilesystem: true
          # NOTE(review): a "known good" baseline would normally also set
          # runAsNonRoot: true, capabilities.drop: ["ALL"] and a seccompProfile;
          # no policy in this excerpt requires them, so they are left out here.
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 200m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/10-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
# Negative fixture: identical to 1-ok.yaml except readOnlyRootFilesystem is
# false. Intended to be REJECTED by a securityContext policy (suggested by the
# file name; that policy is not part of this excerpt).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          # The deliberate violation: a writable root filesystem.
          readOnlyRootFilesystem: false
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 200m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/100-dep-all-fail.yaml:
--------------------------------------------------------------------------------
# Negative fixture that violates every policy at once; useful to check that the
# system.main entry point joins all deny messages into one response:
#   - `owner` label missing at both levels (deployment-labels,
#     deployment-spec-temp-labels, assuming owner is a required label)
#   - role/dev requested in opa-test, where only role/test is permitted
#     (deployment-allowed-role-ns)
#   - image has no registry prefix and no tag (deployment-registry-allowed,
#     deployment-valid-image-version)
#   - securityContext and resources omitted (policies suggested by the other
#     fixture names; not part of this excerpt)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    # owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        #owner: jimmy
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/dev
    spec:
      containers:
      - name: test
        image: read-only-container
        imagePullPolicy: Always
        #securityContext:
        #  allowPrivilegeEscalation: false
        #  runAsUser: 1000
        #  readOnlyRootFilesystem: true
        ports:
        - containerPort: 8080
        #resources:
        #  limits:
        #    cpu: 200m
        #    memory: 20Mi
        #  requests:
        #    cpu: 100m
        #    memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/12-dep-wrong-role.yaml:
--------------------------------------------------------------------------------
# Negative fixture: requests role/dev in the opa-test namespace, where
# deployment-allowed-role-ns permits only role/test. Expected to be REJECTED
# by that policy. (The pod template also lacks the `env` label that 1-ok.yaml
# carries; whether that matters depends on helpers.required_deployment_labels.)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
      annotations:
        # The deliberate violation: role/dev is not in the opa-test allow-list.
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/dev
    spec:
      containers:
      - name: test
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          readOnlyRootFilesystem: true
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 200m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/13-dep-no-role.yaml:
--------------------------------------------------------------------------------
# Fixture with the iam.amazonaws.com/role annotation commented out. With no role
# requested, helpers.deployment_role is presumably undefined and
# deployment-allowed-role-ns does not fire, so the Deployment is expected to be
# ADMITTED (a pod without the annotation gets no IAM role under kube2iam/kiam).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
      #annotations:
      #  iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          readOnlyRootFilesystem: true
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 200m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/14-dep-res.yaml:
--------------------------------------------------------------------------------
# Negative fixture: identical to 1-ok.yaml except the whole `resources` block
# is commented out. Intended to be REJECTED by a resource-requirements policy
# (suggested by the file name; not part of this excerpt). Fixtures 15-19 remove
# one limit or request at a time.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          readOnlyRootFilesystem: true
        ports:
        - containerPort: 8080
        #resources:
        #  limits:
        #    cpu: 200m
        #    memory: 20Mi
        #  requests:
        #    cpu: 100m
        #    memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/15-dep-res.yaml:
--------------------------------------------------------------------------------
# Negative fixture: identical to 1-ok.yaml except `resources.limits` is
# commented out (requests kept). Intended to be REJECTED by a
# resource-requirements policy (suggested by the file name; not part of this
# excerpt).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          readOnlyRootFilesystem: true
        ports:
        - containerPort: 8080
        resources:
          #  limits:
          #    cpu: 200m
          #    memory: 20Mi
          requests:
            cpu: 100m
            memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/16-dep-res.yaml:
--------------------------------------------------------------------------------
# Negative fixture: identical to 1-ok.yaml except the CPU limit is commented
# out. Intended to be REJECTED by a resource-requirements policy (suggested by
# the file name; not part of this excerpt).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          readOnlyRootFilesystem: true
        ports:
        - containerPort: 8080
        resources:
          limits:
            # cpu: 200m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/17-dep-res.yaml:
--------------------------------------------------------------------------------
# Negative fixture: identical to 1-ok.yaml except the memory limit is commented
# out. Intended to be REJECTED by a resource-requirements policy (suggested by
# the file name; not part of this excerpt). A missing memory limit is the one
# that matters most for isolation: the container can then consume node memory
# until the OOM killer intervenes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          readOnlyRootFilesystem: true
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 200m
            # memory: 20Mi
          requests:
            cpu: 100m
            memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/18-dep-res.yaml:
--------------------------------------------------------------------------------
# Negative fixture: identical to 1-ok.yaml except `resources.requests` is
# commented out (limits kept). Intended to be REJECTED by a
# resource-requirements policy (suggested by the file name; not part of this
# excerpt).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          readOnlyRootFilesystem: true
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 200m
            memory: 20Mi
          # requests:
          #   cpu: 100m
          #   memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/19-dep-res.yaml:
--------------------------------------------------------------------------------
# Negative fixture: identical to 1-ok.yaml except the CPU request is commented
# out. Intended to be REJECTED by a resource-requirements policy (suggested by
# the file name; not part of this excerpt).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
      - name: test
        image: GOOD_REGISTRY/read-only-container:v0.0.1
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          readOnlyRootFilesystem: true
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 200m
            memory: 20Mi
          requests:
            # cpu: 100m
            memory: 10Mi
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: tmp
        emptyDir: {}
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/2-dep-lab.yaml:
--------------------------------------------------------------------------------
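# Negative fixture for the required-labels policy: metadata.labels.owner is
# commented out (the pod template still carries all three labels), so the
# rejection — presumably INVALID_DEPLOYMENT_LABELS — can only come from the
# top-level Deployment labels. Confirm against the policy definition.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    # owner: jimmy   <- deliberately omitted: this is what the fixture tests
    env: dev
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
        - name: test
          image: GOOD_REGISTRY/read-only-container:v0.0.1
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 200m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 10Mi
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      volumes:
        - name: tmp
          emptyDir: {}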
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/20-dep-res.yaml:
--------------------------------------------------------------------------------
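# Negative fixture for the resources policy: resources.requests.memory is
# commented out (the counterpart of 19-dep-res, which drops requests.cpu).
# Presumably expected to be rejected with INVALID_DEPLOYMENT_RESOURCES —
# confirm against the policy definition.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
        - name: test
          image: GOOD_REGISTRY/read-only-container:v0.0.1
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 200m
              memory: 20Mi
            requests:
              cpu: 100m
              # memory: 10Mi   <- deliberately omitted: this is what the fixture tests
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      volumes:
        - name: tmp
          emptyDir: {}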
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/3-dep-spec-temp-meta-lab.yaml:
--------------------------------------------------------------------------------
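# Negative fixture for the required-labels policy: the pod template label
# `owner` is commented out while the top-level Deployment labels are intact,
# so this exercises the specTemplateLabels half of the check (see
# 1-dep-labels-constraint.yaml). Presumably rejected with
# INVALID_DEPLOYMENT_LABELS — confirm against the policy definition.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        # owner: jimmy   <- deliberately omitted: this is what the fixture tests
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
        - name: test
          image: GOOD_REGISTRY/read-only-container:v0.0.1
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 200m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 10Mi
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      volumes:
        - name: tmp
          emptyDir: {}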
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/30-dep-latest.yaml:
--------------------------------------------------------------------------------
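# Negative fixture for the image-version policy: the image is pinned to the
# mutable `latest` tag. A mutable tag defeats reproducible rollouts and lets a
# registry-side change alter what runs without any manifest change, which is
# why the policy rejects it (presumably INVALID_DEPLOYMENT_LATEST_VERSION —
# confirm against the policy definition). Everything else matches 1-ok.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
        - name: test
          # Deliberately uses the mutable `latest` tag: this is what the fixture tests.
          image: GOOD_REGISTRY/read-only-container:latest
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 200m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 10Mi
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      volumes:
        - name: tmp
          emptyDir: {}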
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/31-dep-no-ver.yaml:
--------------------------------------------------------------------------------
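# Negative fixture for the image-version policy: the image reference carries no
# tag at all (which the runtime resolves to `latest`). Presumably rejected with
# INVALID_DEPLOYMENT_LATEST_VERSION — confirm against the policy definition.
#
# Fixture fix: the original copy of this file also dropped the `env: dev` pod
# template label, which the labels constraint in this namespace requires
# (specTemplateLabels: app, env, owner). With two violations the rejection could
# not be attributed to the missing tag, so the label is restored here and the
# untagged image is the only deviation from 1-ok.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
        - name: test
          # Deliberately untagged: this is what the fixture tests.
          image: GOOD_REGISTRY/read-only-container
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 200m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 10Mi
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      volumes:
        - name: tmp
          emptyDir: {}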
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/4-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
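# Negative fixture for the security-context policy: the whole container
# securityContext block is commented out, so the container would run with the
# runtime defaults (privilege escalation allowed, writable root filesystem,
# whatever user the image sets). Presumably rejected with
# INVALID_DEPLOYMENT_SECURITY_CONTEXT — confirm against the policy definition.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
        - name: test
          image: GOOD_REGISTRY/read-only-container:v0.0.1
          imagePullPolicy: Always
          # Deliberately absent: this is what the fixture tests.
          # securityContext:
          #   allowPrivilegeEscalation: false
          #   runAsUser: 1000
          #   readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 200m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 10Mi
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      volumes:
        - name: tmp
          emptyDir: {}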
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/40-clusterip-service-ext-ips.yaml:
--------------------------------------------------------------------------------
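# Fixture for the Service externalIPs policies. The `externalIPs` field lets a
# Service claim arbitrary addresses: cluster-node traffic destined for those
# addresses is then delivered to the Service's endpoints, so an unrestricted
# field lets any namespace-scoped principal intercept traffic meant for hosts
# outside the cluster (here UDP/53, i.e. DNS resolution — hence the name).
# The four addresses listed match the allowlist in
# 8-svc-clusterip-ext-ips-allowed.yaml, so this object is presumably accepted
# by that constraint and rejected by the blanket 7-svc-clusterip-ext-ips.yaml
# constraint — confirm against the templates.
apiVersion: v1
kind: Service
metadata:
  name: hijack-dns
  namespace: opa-test
spec:
  selector:
    app: hijack-dns-server
  ports:
    - name: dns
      protocol: UDP
      port: 53
      targetPort: 9053
  externalIPs:
    - 1.1.1.1
    - 2.2.2.2
    - 3.3.3.3
    - 4.4.4.4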
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/41-clusterip-service-ext-ips.yaml:
--------------------------------------------------------------------------------
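# Fixture for the Service externalIPs policies (see 40-clusterip-service-ext-ips
# for why the field is risky). The two addresses here are NOT in the allowlist
# of 8-svc-clusterip-ext-ips-allowed.yaml, so this object is presumably
# rejected by both externalIPs constraints — confirm against the templates.
apiVersion: v1
kind: Service
metadata:
  name: hijack-dns
  namespace: opa-test
spec:
  selector:
    app: hijack-dns-server
  ports:
    - name: dns
      protocol: UDP
      port: 53
      targetPort: 9053
  externalIPs:
    - 8.8.8.8
    - 8.8.4.4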
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/5-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
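# Negative fixture for the security-context policy: `securityContext:` is
# present but every field under it is commented out, so the key parses as an
# empty/null value. This checks that the policy inspects the individual fields
# rather than the mere presence of the block. Presumably rejected with
# INVALID_DEPLOYMENT_SECURITY_CONTEXT — confirm against the policy definition.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
        - name: test
          image: GOOD_REGISTRY/read-only-container:v0.0.1
          imagePullPolicy: Always
          # Block present, fields deliberately absent: this is what the fixture tests.
          securityContext:
            # allowPrivilegeEscalation: false
            # runAsUser: 1000
            # readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 200m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 10Mi
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      volumes:
        - name: tmp
          emptyDir: {}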
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/6-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
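# Negative fixture for the security-context policy: allowPrivilegeEscalation
# is explicitly `true`. With escalation allowed a process can gain more
# privileges than its parent (e.g. via setuid binaries or file capabilities),
# which is exactly what the policy is meant to forbid. Presumably rejected with
# INVALID_DEPLOYMENT_SECURITY_CONTEXT — confirm against the policy definition.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
        - name: test
          image: GOOD_REGISTRY/read-only-container:v0.0.1
          imagePullPolicy: Always
          securityContext:
            # Deliberately `true`: this is what the fixture tests.
            allowPrivilegeEscalation: true
            runAsUser: 1000
            readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 200m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 10Mi
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      volumes:
        - name: tmp
          emptyDir: {}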
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/7-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
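# Negative fixture for the security-context policy: allowPrivilegeEscalation is
# set correctly but runAsUser and readOnlyRootFilesystem are both commented out,
# so the container falls back to the image's user and a writable root
# filesystem. Presumably rejected with INVALID_DEPLOYMENT_SECURITY_CONTEXT —
# confirm against the policy definition.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
        - name: test
          image: GOOD_REGISTRY/read-only-container:v0.0.1
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            # Deliberately omitted: this is what the fixture tests.
            # runAsUser: 1000
            # readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 200m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 10Mi
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      volumes:
        - name: tmp
          emptyDir: {}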
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/8-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
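# Negative fixture for the security-context policy: runAsUser is 0, i.e. the
# container process runs as root inside its user namespace. Every other field
# matches the baseline, so the UID is the only deviation under test. Presumably
# rejected with INVALID_DEPLOYMENT_SECURITY_CONTEXT — confirm against the
# policy definition.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
        - name: test
          image: GOOD_REGISTRY/read-only-container:v0.0.1
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            # Deliberately root: this is what the fixture tests.
            runAsUser: 0
            readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 200m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 10Mi
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      volumes:
        - name: tmp
          emptyDir: {}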
--------------------------------------------------------------------------------
/policies/opa/classic/test-resources/9-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
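# Negative fixture for the security-context policy: readOnlyRootFilesystem is
# commented out (the field defaults to a writable root filesystem). The /tmp
# emptyDir mount is kept so the only deviation is the missing field.
# Presumably rejected with INVALID_DEPLOYMENT_SECURITY_CONTEXT — confirm
# against the policy definition.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
        - name: test
          image: GOOD_REGISTRY/read-only-container:v0.0.1
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            # Deliberately omitted: this is what the fixture tests.
            # readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 200m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 10Mi
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      volumes:
        - name: tmp
          emptyDir: {}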
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/constraints/1-dep-labels-constraint.yaml:
--------------------------------------------------------------------------------
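# Gatekeeper constraint: Deployments in the opa-test namespace must carry the
# labels listed in `labels` at metadata level and those in `specTemplateLabels`
# on the pod template. The parameter names are defined by the K8sRequiredLabels
# ConstraintTemplate (not shown here); `allowedOps` presumably limits which
# admission operations are evaluated.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: deployment-labels
spec:
  match:
    kinds:
      # "*" matches Deployment in any API group; ["apps"] would be tighter and
      # is what the node-selector constraints below use.
      - apiGroups: ["*"]
        kinds: ["Deployment"]
    namespaces:
      - "opa-test"
  parameters:
    allowedOps: ["CREATE", "UPDATE"]
    labels: ["app", "owner"]
    specTemplateLabels: ["app", "env", "owner"]
    errMsg: "INVALID_DEPLOYMENT_LABELS"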
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/constraints/2-dep-security-context-constraint.yaml:
--------------------------------------------------------------------------------
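# Gatekeeper constraint enforcing container securityContext settings on
# Deployments in opa-test. Which fields are checked is defined by the
# K8sDepSecurityContext ConstraintTemplate (not shown); the classic fixtures
# 4- through 10-dep-sec-cont exercise allowPrivilegeEscalation, runAsUser and
# readOnlyRootFilesystem.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDepSecurityContext
metadata:
  name: deployment-security-context
spec:
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment"]
    namespaces:
      - "opa-test"
  parameters:
    allowedOps: ["CREATE", "UPDATE"]
    errMsg: "INVALID_DEPLOYMENT_SECURITY_CONTEXT"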
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/constraints/3-dep-allowed-registry-constraint.yaml:
--------------------------------------------------------------------------------
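# Gatekeeper constraint restricting container images on Deployments in opa-test
# to an allowlist of registries. GOOD_REGISTRY / VERY_GOOD_REGISTRY are
# placeholders — replace them with the real registry hostnames (and ideally the
# full repository prefix) before use, since a bare hostname prefix is the
# coarsest match the template can make.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDepRegistry
metadata:
  name: deployment-allowed-registry
spec:
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment"]
    namespaces:
      - "opa-test"
  parameters:
    allowedOps: ["CREATE", "UPDATE"]
    allowedRegistries: ["GOOD_REGISTRY", "VERY_GOOD_REGISTRY"]
    errMsg: "INVALID_DEPLOYMENT_REGISTRY"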
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/constraints/4-dep-allowed-role-ns-constraint.yaml:
--------------------------------------------------------------------------------
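# Gatekeeper constraint for the IAM-role annotation on Deployments in opa-test
# (the fixtures carry `iam.amazonaws.com/role` on the pod template). The
# allowed role/namespace mapping is defined inside the K8sDepRoleNs
# ConstraintTemplate (not shown) rather than as a parameter here.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDepRoleNs
metadata:
  name: deployment-allowed-role-ns
spec:
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment"]
    namespaces:
      - "opa-test"
  parameters:
    allowedOps: ["CREATE", "UPDATE"]
    errMsg: "INVALID_DEPLOYMENT_ROLE"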
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/constraints/5-dep-resources-constraint.yaml:
--------------------------------------------------------------------------------
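# Gatekeeper constraint requiring container resource settings on Deployments in
# opa-test. The exact fields required are defined by the K8sDepResources
# ConstraintTemplate (not shown); the classic fixtures 19-dep-res / 20-dep-res
# exercise a missing requests.cpu and requests.memory respectively.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDepResources
metadata:
  name: deployment-resources
spec:
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment"]
    namespaces:
      - "opa-test"
  parameters:
    allowedOps: ["CREATE", "UPDATE"]
    errMsg: "INVALID_DEPLOYMENT_RESOURCES"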
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/constraints/6-dep-latest-version-constraint.yaml:
--------------------------------------------------------------------------------
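# Gatekeeper constraint rejecting Deployments in opa-test whose images use the
# `latest` tag or no tag (fixtures 30-dep-latest and 31-dep-no-ver).
#
# Fix: metadata.name was `deployment-resources`, a copy-paste of
# 5-dep-resources-constraint.yaml. Kubernetes tolerates the duplicate because
# the two objects are different kinds, but violation reports and `kubectl get`
# output then show two constraints with the same name, so this one is renamed
# to follow the sibling naming pattern. If any docs reference the old name,
# update them alongside this change.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDepLatestVersion
metadata:
  name: deployment-latest-version
spec:
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment"]
    namespaces:
      - "opa-test"
  parameters:
    allowedOps: ["CREATE", "UPDATE"]
    errMsg: "INVALID_DEPLOYMENT_LATEST_VERSION"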
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/constraints/7-svc-clusterip-ext-ips.yaml:
--------------------------------------------------------------------------------
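# Gatekeeper constraint for Services in opa-test that set `externalIPs`. This
# variant takes no allowlist, so it presumably rejects any use of the field —
# the safest default, since externalIPs lets a Service claim arbitrary
# addresses and have node traffic to them redirected to its endpoints. See
# 8-svc-clusterip-ext-ips-allowed.yaml for the allowlist variant.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sSvcClusterIpExternalIps
metadata:
  name: svc-clusterip-ext-ips
spec:
  match:
    kinds:
      # Service lives in the core group; [""] (as used in the allowlist
      # variant) would be the precise match, "*" also works.
      - apiGroups: ["*"]
        kinds: ["Service"]
    namespaces:
      - "opa-test"
  parameters:
    allowedOps: ["CREATE", "UPDATE"]
    errMsg: "INVALID_SERVICE_EXTERNAL_IPS"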
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/constraints/8-svc-clusterip-ext-ips-allowed.yaml:
--------------------------------------------------------------------------------
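# Gatekeeper constraint for Services in opa-test that set `externalIPs`: only
# the addresses in `allowedIps` may be claimed. Keep this list to addresses the
# cluster genuinely owns — every entry is an address whose in-cluster traffic a
# Service in this namespace may capture. Fixture 40-clusterip-service-ext-ips
# uses exactly these four; 41-clusterip-service-ext-ips uses others.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sSvcClusterIpExternalIpsAllow
metadata:
  name: svc-clusterip-ext-ips-allow
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "opa-test"
  parameters:
    allowedOps: ["CREATE", "UPDATE"]
    allowedIps:
      - 1.1.1.1
      - 2.2.2.2
      - 3.3.3.3
      - 4.4.4.4
    errMsg: "INVALID_SERVICE_EXTERNAL_IPS"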
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/node-selector/mutate/1-affinity-deploy.yaml:
--------------------------------------------------------------------------------
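# Adds a required node affinity to the pod template of every Deployment in the
# tenants-x namespace, so its pods can only schedule onto nodes labelled
# tenant=tenants-x. Pair with 2-affinity-pod.yaml for bare Pods and with the
# validate/ constraints, which reject objects that lack the affinity (mutation
# alone is not enforcement: a client that bypasses the webhook is not mutated).
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: mutator-add-nodeaffinity-deploy
  annotations:
    aws-eks-best-practices/description: >-
      Adds Node affinity - https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
spec:
  applyTo:
    - groups: ["apps"]
      kinds: ["Deployment"]
      versions: ["v1"]
  match:
    namespaces: ["tenants-x"]
  # Note: Assign replaces the whole nodeSelectorTerms list; any terms the
  # Deployment already declared are overwritten, not merged.
  location: "spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms"
  parameters:
    assign:
      value:
        - matchExpressions:
            - key: "tenant"
              operator: In
              values:
                - "tenants-x"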
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/node-selector/mutate/2-affinity-pod.yaml:
--------------------------------------------------------------------------------
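# Adds a required node affinity to every bare Pod created in the tenants-x
# namespace, so it can only schedule onto nodes labelled tenant=tenants-x.
# Counterpart of 1-affinity-deploy.yaml for objects not managed by a Deployment.
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: mutator-add-nodeaffinity-pod
  annotations:
    aws-eks-best-practices/description: >-
      Adds Node affinity - https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    namespaces: ["tenants-x"]
  # Note: Assign replaces the whole nodeSelectorTerms list; any terms the Pod
  # already declared are overwritten, not merged.
  location: "spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms"
  parameters:
    assign:
      value:
        - matchExpressions:
            - key: "tenant"
              operator: In
              values:
                - "tenants-x"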
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/node-selector/mutate/3-toleration-deploy.yaml:
--------------------------------------------------------------------------------
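# Adds a toleration for the tenant=tenants-x:NoSchedule taint to the pod
# template of every Deployment in the tenants-x namespace. Together with
# 1-affinity-deploy.yaml this pins tenant workloads to tenant nodes: the
# affinity keeps them off other nodes, the toleration lets them onto the
# tainted tenant nodes.
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: mutator-add-toleration-deploy
  annotations:
    aws-eks-best-practices/description: >-
      Adds toleration - https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
spec:
  applyTo:
    - groups: ["apps"]
      kinds: ["Deployment"]
      versions: ["v1"]
  match:
    namespaces: ["tenants-x"]
  # Note: Assign replaces the whole tolerations list; tolerations the
  # Deployment already declared are overwritten, not merged.
  location: "spec.template.spec.tolerations"
  parameters:
    assign:
      value:
        - key: "tenant"
          operator: "Equal"
          value: "tenants-x"
          effect: "NoSchedule"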
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/node-selector/mutate/4-toleration-pod.yaml:
--------------------------------------------------------------------------------
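# Adds a toleration for the tenant=tenants-x:NoSchedule taint to every bare Pod
# created in the tenants-x namespace. Counterpart of 3-toleration-deploy.yaml
# for objects not managed by a Deployment.
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: mutator-add-toleration-pod
  annotations:
    aws-eks-best-practices/description: >-
      Adds toleration - https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    namespaces: ["tenants-x"]
  # Note: Assign replaces the whole tolerations list; tolerations the Pod
  # already declared are overwritten, not merged.
  location: "spec.tolerations"
  parameters:
    assign:
      value:
        - key: "tenant"
          operator: "Equal"
          value: "tenants-x"
          effect: "NoSchedule"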
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/node-selector/test/1-test-ns.yaml:
--------------------------------------------------------------------------------
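# Tenant namespace targeted by the node-selector mutators and constraints.
apiVersion: v1
kind: Namespace
metadata:
  name: tenants-x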
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/node-selector/test/2-test-pod.yaml:
--------------------------------------------------------------------------------
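# Bare Pod in tenants-x with no affinity or tolerations of its own. Presumably
# used to verify that 2-affinity-pod / 4-toleration-pod inject them and that
# the pod-level validate constraints then accept the mutated object.
apiVersion: v1
kind: Pod
metadata:
  name: tenant-test-pod
  namespace: tenants-x
spec:
  containers:
    - name: test-pause
      image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
      imagePullPolicy: Always
      securityContext:
        allowPrivilegeEscalation: false
        runAsUser: 1000
        readOnlyRootFilesystem: true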
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/node-selector/test/3-test-deploy.yaml:
--------------------------------------------------------------------------------
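# Deployment in tenants-x with no affinity or tolerations of its own.
# Presumably used to verify that 1-affinity-deploy / 3-toleration-deploy inject
# them and that the Deployment-level validate constraints then accept the
# mutated object.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tenant-test-deploy
  namespace: tenants-x
  labels:
    app: test
spec:
  selector:
    matchLabels:
      app: test
  replicas: 4
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
        - name: test-pause
          image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            readOnlyRootFilesystem: true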
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/node-selector/test/4-test-deploy.yaml:
--------------------------------------------------------------------------------
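# Control case: identical to 3-test-deploy.yaml but in the `default` namespace,
# which none of the node-selector mutators or constraints match. Presumably
# used to verify that the object is admitted unchanged (no injected affinity or
# tolerations) outside the tenant namespace.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wrong-tenant-test-deploy
  namespace: default
  labels:
    app: test
spec:
  selector:
    matchLabels:
      app: test
  replicas: 4
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
        - name: test-pause
          image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            readOnlyRootFilesystem: true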
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/node-selector/validate/constraints/1-dep-toleration-constraint.yaml:
--------------------------------------------------------------------------------
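# Validation half of the tenant node-selector setup: Deployments in tenants-x
# must carry the toleration that 3-toleration-deploy.yaml injects. Validating
# as well as mutating matters because a mutation webhook can be bypassed or
# disabled; the constraint is what actually enforces placement. Note this
# template names its parameter `ops`, unlike `allowedOps` in the classic set.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredTolerationDep
metadata:
  name: deployment-toleration
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
    namespaces:
      - "tenants-x"
  parameters:
    ops: ["CREATE", "UPDATE"]
    # Must stay in sync with the `value` in mutate/3-toleration-deploy.yaml.
    tolerations:
      - effect: NoSchedule
        key: tenant
        operator: Equal
        value: tenants-x
    errMsg: "INVALID_DEPLOYMENT_TOLERATIONS"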
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/node-selector/validate/constraints/2-pod-toleration-constraint.yaml:
--------------------------------------------------------------------------------
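# Validation half of the tenant node-selector setup for bare Pods in tenants-x:
# they must carry the toleration that 4-toleration-pod.yaml injects.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredTolerationPod
metadata:
  name: pod-toleration
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "tenants-x"
  parameters:
    ops: ["CREATE", "UPDATE"]
    # Must stay in sync with the `value` in mutate/4-toleration-pod.yaml.
    tolerations:
      - effect: NoSchedule
        key: tenant
        operator: Equal
        value: tenants-x
    errMsg: "INVALID_POD_TOLERATIONS"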
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/node-selector/validate/constraints/3-dep-nodeaffinity-constraint.yaml:
--------------------------------------------------------------------------------
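# Validation half of the tenant node-selector setup: Deployments in tenants-x
# must declare the required node affinity that 1-affinity-deploy.yaml injects.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredNodeAffinityDep
metadata:
  name: dep-node-affinity
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
    namespaces:
      - "tenants-x"
  parameters:
    ops: ["CREATE", "UPDATE"]
    errMsg: "INVALID_DEPLOYMENT_NODEAFFINITY"
    # Must stay in sync with the `value` in mutate/1-affinity-deploy.yaml.
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: tenant
                operator: In
                values:
                  - tenants-x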
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/node-selector/validate/constraints/4-pod-nodeaffinity-constraint.yaml:
--------------------------------------------------------------------------------
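# Validation half of the tenant node-selector setup for bare Pods in tenants-x:
# they must declare the required node affinity that 2-affinity-pod.yaml injects.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredNodeAffinityPod
metadata:
  name: pod-node-affinity
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "tenants-x"
  parameters:
    ops: ["CREATE", "UPDATE"]
    errMsg: "INVALID_POD_NODEAFFINITY"
    # Must stay in sync with the `value` in mutate/2-affinity-pod.yaml.
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: tenant
                operator: In
                values:
                  - tenants-x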
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/0-ns.yaml:
--------------------------------------------------------------------------------
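# Namespaces for the Gatekeeper policy tests. opa-test is the namespace every
# constraint matches; opa-test1 is not matched by any constraint shown here and
# is presumably used as the "policy does not apply" control.
apiVersion: v1
kind: Namespace
metadata:
  name: opa-test
---
apiVersion: v1
kind: Namespace
metadata:
  name: opa-test1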
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/1-ok.yaml:
--------------------------------------------------------------------------------
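# Baseline (positive) fixture: a Deployment that satisfies every constraint in
# this directory — required labels at both levels, a pinned image tag from an
# allowed registry, non-root user with no privilege escalation and a read-only
# root filesystem (with a writable /tmp emptyDir), and both CPU and memory
# requests/limits. Each negative fixture changes exactly one thing from here.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: opa-test
  labels:
    app: test
    owner: jimmy
spec:
  selector:
    matchLabels:
      app: test
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 5
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: test
        owner: jimmy
        env: dev
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
    spec:
      containers:
        - name: test
          image: GOOD_REGISTRY/read-only-container:v0.0.1
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 200m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 10Mi
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      volumes:
        - name: tmp
          emptyDir: {}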
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/10-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 1000
35 | readOnlyRootFilesystem: false
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/100-dep-all-fail.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | # owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | #owner: jimmy
24 | #env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/dev
27 | spec:
28 | containers:
29 | - name: test
30 | image: read-only-container
31 | imagePullPolicy: Always
32 | #securityContext:
33 | # allowPrivilegeEscalation: false
34 | # runAsUser: 1000
35 | # readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | #resources:
39 | # limits:
40 | # cpu: 200m
41 | # memory: 20Mi
42 | # requests:
43 | # cpu: 100m
44 | # memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/12-dep-wrong-role.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/dev
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 1000
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/13-dep-no-role.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | #annotations:
26 | # iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 1000
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/14-dep-res.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | annotations:
25 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
26 | spec:
27 | containers:
28 | - name: test
29 | image: GOOD_REGISTRY/read-only-container:v0.0.1
30 | imagePullPolicy: Always
31 | securityContext:
32 | allowPrivilegeEscalation: false
33 | runAsUser: 1000
34 | readOnlyRootFilesystem: true
35 | ports:
36 | - containerPort: 8080
37 | #resources:
38 | # limits:
39 | # cpu: 200m
40 | # memory: 20Mi
41 | # requests:
42 | # cpu: 100m
43 | # memory: 10Mi
44 | readinessProbe:
45 | tcpSocket:
46 | port: 8080
47 | initialDelaySeconds: 5
48 | periodSeconds: 10
49 | livenessProbe:
50 | tcpSocket:
51 | port: 8080
52 | initialDelaySeconds: 15
53 | periodSeconds: 20
54 | volumeMounts:
55 | - mountPath: /tmp
56 | name: tmp
57 | volumes:
58 | - name: tmp
59 | emptyDir: {}
60 |
61 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/15-dep-res.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 1000
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | # limits:
40 | # cpu: 200m
41 | # memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/16-dep-res.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 1000
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | # cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/17-dep-res.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 1000
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | # memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/18-dep-res.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 1000
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | # requests:
43 | # cpu: 100m
44 | # memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/19-dep-res.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 1000
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | # cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/20-dep-res.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 1000
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | # memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/30-dep-latest.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:latest
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 1000
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/31-dep-no-ver.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 1000
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/4-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | # securityContext:
33 | # allowPrivilegeEscalation: false
34 | # runAsUser: 1000
35 | # readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/40-clusterip-service-ext-ips.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: hijack-dns  # negative fixture: a Service that claims external IPs it does not own
5 | namespace: opa-test
6 | spec:
7 | selector:
8 | app: hijack-dns-server
9 | ports:
10 | - name: dns
11 | protocol: UDP
12 | port: 53
13 | targetPort: 9053
14 | externalIPs:  # kube-proxy routes in-cluster traffic addressed to these IPs to this Service's endpoints, so an unrestricted externalIPs list lets one tenant intercept traffic meant for addresses outside the cluster; the externalIPs constraint under test is expected to deny this
15 | - 1.1.1.1
16 | - 2.2.2.2
17 | - 3.3.3.3
18 | - 4.4.4.4
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/41-clusterip-service-ext-ips.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: hijack-dns  # variant of 40-clusterip-service-ext-ips.yaml with a different externalIPs set
5 | namespace: opa-test
6 | spec:
7 | selector:
8 | app: hijack-dns-server
9 | ports:
10 | - name: dns
11 | protocol: UDP
12 | port: 53
13 | targetPort: 9053
14 | externalIPs:  # whether this set is allowed or denied depends on the constraint's allow-list, which is not visible here -- confirm against the constraint before relying on the expected result
15 | - 8.8.8.8
16 | - 8.8.4.4
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/5-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | # allowPrivilegeEscalation: false
34 | # runAsUser: 1000
35 | # readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/6-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: true
34 | runAsUser: 1000
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/7-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | # runAsUser: 1000
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/8-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 0
35 | readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/policies/opa/gatekeeper/test-resources/9-dep-sec-cont.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: test
5 | namespace: opa-test
6 | labels:
7 | app: test
8 | owner: jimmy
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: test
13 | replicas: 1
14 | strategy:
15 | type: RollingUpdate
16 | rollingUpdate:
17 | maxSurge: 5
18 | maxUnavailable: 1
19 | template:
20 | metadata:
21 | labels:
22 | app: test
23 | owner: jimmy
24 | env: dev
25 | annotations:
26 | iam.amazonaws.com/role: arn:aws:iam::123456789012:role/test
27 | spec:
28 | containers:
29 | - name: test
30 | image: GOOD_REGISTRY/read-only-container:v0.0.1
31 | imagePullPolicy: Always
32 | securityContext:
33 | allowPrivilegeEscalation: false
34 | runAsUser: 1000
35 | # readOnlyRootFilesystem: true
36 | ports:
37 | - containerPort: 8080
38 | resources:
39 | limits:
40 | cpu: 200m
41 | memory: 20Mi
42 | requests:
43 | cpu: 100m
44 | memory: 10Mi
45 | readinessProbe:
46 | tcpSocket:
47 | port: 8080
48 | initialDelaySeconds: 5
49 | periodSeconds: 10
50 | livenessProbe:
51 | tcpSocket:
52 | port: 8080
53 | initialDelaySeconds: 15
54 | periodSeconds: 20
55 | volumeMounts:
56 | - mountPath: /tmp
57 | name: tmp
58 | volumes:
59 | - name: tmp
60 | emptyDir: {}
61 |
62 |
--------------------------------------------------------------------------------
/projects/enable-irsa/bin/enable-irsa:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/projects/enable-irsa/bin/enable-irsa
--------------------------------------------------------------------------------
/projects/enable-irsa/src/Dockerfile:
--------------------------------------------------------------------------------
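# Python image to use.
# NOTE(review): python:3.7 reached end of life in 2023 and no longer receives
# security fixes; move to a supported tag once main.py is verified on it.
FROM python:3.7

# Set the working directory to /src (all later relative paths resolve here).
WORKDIR /src

# Copy the requirements file first so the dependency layer is cached
# independently of source changes.
COPY requirements.txt .

# Install the pinned dependencies. The previous `--trusted-host pypi.python.org`
# told pip to skip TLS certificate verification for that host, which allows a
# network-level attacker to substitute packages; pip verifies https://pypi.org
# by default, so no trust override is needed.
RUN pip install --no-cache-dir -r requirements.txt

# awscli is not pinned here or in requirements.txt, so the image is not
# reproducible; pin it in requirements.txt alongside boto3/botocore.
RUN pip install --no-cache-dir awscli

# Copy the rest of the working directory contents into the container at /src
COPY . .

# Default region for the AWS SDK; override at run time with -e AWS_DEFAULT_REGION=...
ENV AWS_DEFAULT_REGION=us-west-2

# NOTE(review): no USER instruction, so main.py runs as root inside the
# container; add a non-root USER once the app's write paths are known.

# Run main.py when the container launches
ENTRYPOINT [ "python", "main.py" ]
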
--------------------------------------------------------------------------------
/projects/enable-irsa/src/requirements.txt:
--------------------------------------------------------------------------------
1 | altgraph==0.17
2 | boto3==1.14.53
3 | botocore==1.17.53
4 | cachetools==4.1.1
5 | certifi==2024.7.4
6 | cffi==1.14.2
7 | chardet==3.0.4
8 | click==7.1.2
9 | cryptography==44.0.1
10 | docutils==0.15.2
11 | feedparser==5.2.1
12 | google-auth==1.21.0
13 | idna==3.7
14 | jmespath==0.10.0
15 | kubernetes==11.0.0
16 | macholib==1.14
17 | oauthlib==3.1.0
18 | pick==1.0.0
19 | pyasn1==0.4.8
20 | pyasn1-modules==0.2.8
21 | pycparser==2.20
22 | pyinstaller==5.13.1
23 | pyinstaller-hooks-contrib==2020.7
24 | pyOpenSSL==19.1.0
25 | python-dateutil==2.8.1
26 | PyYAML==5.4
27 | reader==1.5
28 | requests==2.32.4
29 | requests-oauthlib==1.3.0
30 | rsa==4.7
31 | s3transfer==0.3.3
32 | sgmllib3k==1.0.0
33 | six==1.15.0
34 | typing-extensions==3.7.4.3
35 | urllib3==1.26.19
36 | websocket-client==0.57.0
37 |
--------------------------------------------------------------------------------
/projects/imds/imds:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/projects/imds/imds
--------------------------------------------------------------------------------
/projects/imds/imds-update:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws/aws-eks-best-practices/c8ffebe8a4955e9db18518357a37b855b6e7f71d/projects/imds/imds-update
--------------------------------------------------------------------------------
/projects/imds/imds.go:
--------------------------------------------------------------------------------
1 | package main
2 |
import (
	"context"
	"flag"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/ec2"
)
11 |
12 | var region string
13 |
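// getLaunchTemplates prints, for every launch template in the configured
// region, the IMDS settings of its $Default version: the HttpTokens value
// (whether IMDSv2 is required) and the HttpPutResponseHopLimit.
//
// API errors are printed and the affected template is skipped, so a single
// template the caller cannot describe does not abort the whole enumeration.
// The package-level region variable must be set before calling (main does
// this from the -region flag).
func getLaunchTemplates() {
	sess, err := session.NewSession(&aws.Config{Region: aws.String(region)})
	if err != nil {
		fmt.Println("Failed to create AWS session:", err)
		return
	}
	client := ec2.New(sess)
	ctx := context.Background()

	err = client.DescribeLaunchTemplatesPagesWithContext(ctx, &ec2.DescribeLaunchTemplatesInput{},
		func(page *ec2.DescribeLaunchTemplatesOutput, lastPage bool) bool {
			fmt.Println("Received", len(page.LaunchTemplates), "objects in page")
			for _, obj := range page.LaunchTemplates {
				output, err := client.DescribeLaunchTemplateVersionsWithContext(ctx, &ec2.DescribeLaunchTemplateVersionsInput{
					LaunchTemplateId: obj.LaunchTemplateId,
					Versions:         []*string{aws.String("$Default")},
				})
				if err != nil {
					// Without this check a failed call left output nil and the
					// field access below panicked.
					fmt.Println("Failed to describe launch template", aws.StringValue(obj.LaunchTemplateId), ":", err)
					continue
				}
				for _, v := range output.LaunchTemplateVersions {
					printMetadataOptions(v)
				}
			}
			// Keep paginating until the SDK reports the last page.
			return true
		},
	)
	if err != nil {
		fmt.Println("Failed to list launch templates:", err)
	}
}

// printMetadataOptions prints the IMDS settings of one launch template version.
// A version without a MetadataOptions block inherits the EC2 defaults, which is
// reported as "undefined" so it is visibly not hardened.
func printMetadataOptions(v *ec2.LaunchTemplateVersion) {
	fmt.Println("The launch template:\t", aws.StringValue(v.LaunchTemplateId), aws.StringValue(v.LaunchTemplateName))
	if v.LaunchTemplateData == nil || v.LaunchTemplateData.MetadataOptions == nil {
		fmt.Println("Has hop count of:\t undefined")
		return
	}
	mo := v.LaunchTemplateData.MetadataOptions
	// HttpTokens decides whether IMDSv1 is still reachable; the hop limit alone
	// does not say whether IMDSv2 is enforced.
	fmt.Println("IMDSv2 (HttpTokens):\t", aws.StringValue(mo.HttpTokens))
	fmt.Println("Has hop count of:\t", aws.Int64Value(mo.HttpPutResponseHopLimit))
}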
43 |
// main reads the -region flag into the package-level region variable and
// runs the launch template enumeration.
func main() {
	regionFlag := flag.String("region", "us-west-2", "AWS region")
	flag.Parse()
	region = *regionFlag
	getLaunchTemplates()
}
49 |
--------------------------------------------------------------------------------
/projects/imds/readme.md:
--------------------------------------------------------------------------------
1 | # IMDS
2 | As a best practice, you should prevent pods from accessing EC2 instance metadata. This can be done by creating an iptables rule on each of your worker nodes or by
3 | requiring IMDSv2 and setting the hop count to 1. The imds executable is a simple command line utility that enumerates all of the launch templates in a region
4 | and outputs the current hop count for IMDS. The imds-update executable accepts a launch template id as an argument and creates a new version of the launch
5 | template with IMDSv2 required and the hop count set to 1. It then sets that version as the default version for the launch template. The executables were compiled
6 | for Darwin (macOS), but the source code is also available.
7 |
8 | ## Usage
9 | ### imds
10 | ```
11 | imds -region <region>
12 | ```
13 | #### Sample output
14 | ```
15 | The launch template: lt-0284c77c24a6ad7a7 eksctl-agones-nodegroup-ng-0
16 | Has hop count of: 2
17 | The launch template: lt-07aa2a861689548ae ecs-fleetiq-template
18 | Has hop count of: undefined
19 | ```
20 |
21 | ### imds-update
22 | ```
23 | imds-update -region <region> -launch-template <launch-template-id>
24 | ```
25 | #### Sample output
26 | ```
27 | Updated template lt-0a85731194545a910 successfully. IMDSv2 is required and hop count is set to 1.
28 | ```
29 |
--------------------------------------------------------------------------------
/projects/imds/update.go:
--------------------------------------------------------------------------------
1 | package main
2 |
import (
	"flag"
	"fmt"
	"os"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/ec2"
)
10 |
// region is the AWS region in which the launch template is updated.
// It is filled in by main from the -region flag.
var (
	region string
)
12 |
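// updateLaunchTemplates hardens the IMDS settings of launch template lt: it
// creates a new version from $Default that requires IMDSv2 (HttpTokens
// "required") with HttpPutResponseHopLimit 1, then makes that version the
// default. All other launch template data is inherited from the source version.
//
// Every API step is checked; on failure the error is printed and the function
// returns without claiming success. Previously a failed
// CreateLaunchTemplateVersion dereferenced a nil response and a failed
// ModifyLaunchTemplate still printed the success message.
func updateLaunchTemplates(lt string) {
	sess, err := session.NewSession(&aws.Config{Region: aws.String(region)})
	if err != nil {
		fmt.Println("Failed to create AWS session:", err)
		return
	}
	client := ec2.New(sess)
	opts := &ec2.LaunchTemplateInstanceMetadataOptionsRequest{
		HttpPutResponseHopLimit: aws.Int64(1),
		HttpTokens:              aws.String("required"),
	}
	ltvo, err := client.CreateLaunchTemplateVersion(
		&ec2.CreateLaunchTemplateVersionInput{
			LaunchTemplateId:   aws.String(lt),
			SourceVersion:      aws.String("$Default"),
			LaunchTemplateData: &ec2.RequestLaunchTemplateData{MetadataOptions: opts},
			VersionDescription: aws.String("Hop count 1"),
		},
	)
	if err != nil {
		fmt.Println("Failed to create launch template version:", err)
		return
	}
	if ltvo == nil || ltvo.LaunchTemplateVersion == nil || ltvo.LaunchTemplateVersion.VersionNumber == nil {
		fmt.Println("CreateLaunchTemplateVersion returned no version number; default version not changed")
		return
	}
	version := aws.Int64Value(ltvo.LaunchTemplateVersion.VersionNumber)

	// The new version only takes effect for future launches once it is the default.
	_, err = client.ModifyLaunchTemplate(
		&ec2.ModifyLaunchTemplateInput{
			DefaultVersion:   aws.String(fmt.Sprint(version)),
			LaunchTemplateId: aws.String(lt),
		},
	)
	if err != nil {
		fmt.Printf("Created version %d of template %s but failed to set it as the default: %v\n", version, lt, err)
		return
	}
	fmt.Printf("Updated template %s successfully. IMDSv2 is required and hop count is set to 1.\n", lt)
}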
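// main parses -region and -launch-template and applies the IMDS hardening to
// the given launch template.
//
// The launch template id is mandatory: without it the usage text is printed
// and the process exits with status 2 (the code the flag package itself uses
// for bad input), instead of sending an empty id to the API.
func main() {
	var lt string
	flag.StringVar(&region, "region", "us-east-1", "AWS region")
	flag.StringVar(&lt, "launch-template", "", "Launch template Id")
	flag.Parse()
	if lt == "" {
		fmt.Fprintln(os.Stderr, "error: -launch-template is required")
		flag.Usage()
		os.Exit(2)
	}
	updateLaunchTemplates(lt)
}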
52 |
--------------------------------------------------------------------------------
/vale/styles/BpgDocs/ApprovedUrls.yml:
--------------------------------------------------------------------------------
1 | extends: existence
2 | message: "External domain detected: '%s' -- review non-AWS domains carefully"
3 | level: warning
4 | scope: raw
5 | ignorecase: true
6 | tokens:
7 | - '(?:^|\s)(http(s)?://[^\s]+)(?:$|\s)'
8 | exceptions:
9 | - https://aws.github.io/
10 | - https://kubernetes-sigs.github.io/
11 | - https://aws-observability.github.io/
12 | - https://github.com/aws/
13 | - https://docs.aws.amazon.com/
14 | - https://github.com/aws-samples/
15 | - https://github.com/kubernetes/
16 | - https://aws.amazon.com/
17 | - https://repost.aws/
18 | - https://github.com/bottlerocket-os/
19 | - https://kubernetes.io/
20 | - https://karpenter.sh/
21 | - https://karpenter.sh
22 | - https://anywhere.eks.amazonaws.com/
23 | - https://aws-ia.github.io
24 | - https://eksctl.io/
25 | - https://catalog.workshops.aws/
26 | - https://github.com/awslabs/
27 | - https://console.aws.amazon.com/
28 | - https://github.com/aws-controllers-k8s/
29 | - https://raw.githubusercontent.com/aws-observability/
30 | - https://github.com/kubernetes-sigs/
31 | - https://d1.awsstatic.com/
32 | - https://docs.github.com/
33 | - https://code.visualstudio.com/
34 | - https://cli.github.com/
35 | - https://marketplace.visualstudio.com/
36 | - https://docs.asciidoctor.org/
37 | - https://brew.sh/
38 | - https://github.dev/aws/
--------------------------------------------------------------------------------
/vale/styles/BpgDocs/AwsBrand.yml:
--------------------------------------------------------------------------------
1 | extends: existence
2 | message: "Don't write out 'AWS' literally. Use the variable '{aws}' instead."
3 | level: warning
4 | raw:
5 | - \bAWS\p{Z}+[\p{L}\p{N}]+\b
6 |
--------------------------------------------------------------------------------