diff --git a/CHANGELOG.md b/CHANGELOG.md
index a74f08a..dfbe0c4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,10 @@
-## Unreleased
+## v0.9.3 (2023-05-15)
+
+### Fix
+
+- Fix aws-node service account irsa bug
+
+## v0.9.2 (2023-05-03)
 ### Fix
diff --git a/hardeneks/cluster_wide/security/iam.py b/hardeneks/cluster_wide/security/iam.py
index 1a04138..b7b3dcf 100644
--- a/hardeneks/cluster_wide/security/iam.py
+++ b/hardeneks/cluster_wide/security/iam.py
@@ -74,7 +74,15 @@ def check(self, resources: Resources):
 name="aws-node", namespace="kube-system"
 )
 self.result = Result(status=True, resource_type="Daemonset")
- if daemonset.spec.template.spec.service_account_name == "aws-node":
+ v1 = client.CoreV1Api()
+ service_account = v1.read_namespaced_service_account(
+ name=daemonset.spec.template.spec.service_account_name,
+ namespace="kube-system",
+ )
+ if (
+ "eks.amazonaws.com/role-arn"
+ not in service_account.metadata.annotations
+ ):
 self.result = Result(
 status=False, resources=["aws-node"], resource_type="Daemonset"
 )
diff --git a/pyproject.toml b/pyproject.toml
index b219561..ef70155 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "hardeneks"
-version = "0.9.2"
+version = "0.9.3"
 description = ""
 authors = ["Doruk Ozturk "]
 readme = "README.md"
@@ -41,7 +41,7 @@ exclude = '''
 [tool.commitizen]
 name = "cz_conventional_commits"
-version = "0.9.2"
+version = "0.9.3"
 version_files = [
 "pyproject.toml:[tool.commitizen]\nversion",
 "pyproject.toml:[tool.poetry]\nname = \"commitizen\"\nversion",
diff --git a/tests/data/check_aws_node_daemonset_service_account/service_accounts_api_response.json b/tests/data/check_aws_node_daemonset_service_account/service_accounts_api_response.json
new file mode 100644
index 0000000..18f8c32
--- /dev/null
+++ b/tests/data/check_aws_node_daemonset_service_account/service_accounts_api_response.json
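Review bot: The new `not in service_account.metadata.annotations` test in iam.py will raise `TypeError` rather than record a failed check when the ServiceAccount has no annotations at all, because the kubernetes client leaves `metadata.annotations` as `None` in that case; guard it first with `annotations = service_account.metadata.annotations or {}` and then `if "eks.amazonaws.com/role-arn" not in annotations:`. The lookup also hands `daemonset.spec.template.spec.service_account_name` straight to `read_namespaced_service_account`; if the pod template omits it the name is `None`, which the old string comparison tolerated but this call will not, so consider `or "default"` on the name argument. The check only confirms the annotation key is present, not that its value is a role ARN or that the role is scoped to the CNI's needs; a one-line comment such as `# Presence of the IRSA annotation is the signal; the role itself is not inspected here` would make that limit explicit. `check` begins before this hunk.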
@@ -0,0 +1,20 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "metadata": {
+ "annotations": {
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"ServiceAccount\",\"metadata\":{\"annotations\":{},\"labels\":{\"app.kubernetes.io/instance\":\"aws-vpc-cni\",\"app.kubernetes.io/name\":\"aws-node\",\"app.kubernetes.io/version\":\"v1.11.4\",\"k8s-app\":\"aws-node\"},\"name\":\"aws-node\",\"namespace\":\"kube-system\"}}\n"
+ },
+ "creationTimestamp": "2023-04-14T12:17:01Z",
+ "labels": {
+ "app.kubernetes.io/instance": "aws-vpc-cni",
+ "app.kubernetes.io/name": "aws-node",
+ "app.kubernetes.io/version": "v1.11.4",
+ "k8s-app": "aws-node"
+ },
+ "name": "aws-node",
+ "namespace": "kube-system",
+ "resourceVersion": "3691",
+ "uid": "122cc1c7-ba3b-4133-9b7a-b847398cf11b"
+ }
+}
diff --git a/tests/test_security_iam.py b/tests/test_security_iam.py
index 206fe30..e0b62d8 100644
--- a/tests/test_security_iam.py
+++ b/tests/test_security_iam.py
@@ -104,20 +104,32 @@ def test_check_access_to_instance_profile(mocked_client):
 @patch("kubernetes.client.AppsV1Api.read_namespaced_daemon_set")
-def test_check_aws_node_daemonset_service_account(mocked_client):
- test_data = (
+@patch("kubernetes.client.CoreV1Api.read_namespaced_service_account")
+def test_check_aws_node_daemonset_service_account(
+ mocked_core_api, mocked_apps_api
+):
+ daemon_set_data = (
 Path.cwd()
 / "tests"
 / "data"
 / "check_aws_node_daemonset_service_account"
 / "daemon_sets_api_response.json"
 )
- mocked_client.return_value = get_response(
+ service_account_data = (
+ Path.cwd()
+ / "tests"
+ / "data"
+ / "check_aws_node_daemonset_service_account"
+ / "service_accounts_api_response.json"
+ )
+ mocked_apps_api.return_value = get_response(
 kubernetes.client.AppsV1Api,
- test_data,
+ daemon_set_data,
 "V1DaemonSet",
 )
-
+ mocked_core_api.return_value = get_response(
+ kubernetes.client.CoreV1Api, service_account_data, "V1ServiceAccount"
+ )
 namespaced_resources = NamespacedResources(
 "some_region", "some_context", "some_cluster", "some_ns"
 )
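Review bot: The new `service_accounts_api_response.json` fixture carries only the `kubectl.kubernetes.io/last-applied-configuration` annotation, so this test can only exercise the branch where `eks.amazonaws.com/role-arn` is absent and the check fails; the passing branch and the case where the ServiceAccount has no annotations (the client then yields `metadata.annotations` as `None`) are not covered. Add a second fixture whose annotations include `"eks.amazonaws.com/role-arn": "<PLACEHOLDER_ROLE_ARN>"` and parametrize the expected `status`, plus one with `annotations` omitted so a crash on `None` would be caught. The test's assertions lie outside this hunk, so the covered branch is inferred from the fixture contents rather than seen directly.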