Merge pull request #174 from nirmata/add-eks-terraform-config-policies

feat: add `eks` best practices terraform config policies and bump chainsaw version

.github/workflows/chainsaw-e2e.yaml

@@ -39,7 +39,7 @@ jobs:
         run: make wait-for-kyverno
 
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@v0.1.6
+        uses: kyverno/action-install-chainsaw@7ad918efe13995d01bafa59aef8203a5246f5d04 # v0.2.7
 
       - name: Verify Chainsaw Installation
         run: chainsaw version
@@ -77,7 +77,7 @@ jobs:
         run: make wait-for-kyverno
 
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@v0.1.6
+        uses: kyverno/action-install-chainsaw@7ad918efe13995d01bafa59aef8203a5246f5d04 # v0.2.7
 
       - name: Verify Chainsaw Installation
         run: chainsaw version
@@ -110,7 +110,7 @@ jobs:
         run: make wait-for-kyverno
 
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@v0.1.6
+        uses: kyverno/action-install-chainsaw@7ad918efe13995d01bafa59aef8203a5246f5d04 # v0.2.7
 
       - name: Verify Chainsaw Installation
         run: chainsaw version
@@ -143,7 +143,7 @@ jobs:
         run: make wait-for-kyverno
 
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@v0.1.6
+        uses: kyverno/action-install-chainsaw@7ad918efe13995d01bafa59aef8203a5246f5d04 # v0.2.7
 
       - name: Verify Chainsaw Installation
         run: chainsaw version

terraform/config/eks-best-practices/check-control-plane-logging/README.md

@@ -0,0 +1,86 @@
+# Check Control Plane Logging for Amazon EKS
+
+Enabling Amazon EKS control plane logging for all log types is a best practice for enhancing the security, monitoring, troubleshooting, performance optimization, and operational management of your Kubernetes clusters. By capturing comprehensive logs of control plane activities, you can effectively manage and secure your EKS infrastructure while ensuring compliance with regulatory requirements and industry standards.
+
+To enable control plane logging for all types in Amazon EKS, ensure that **enabled_cluster_log_types** includes all these types: "api", "audit", "authenticator", "controllerManager" and "scheduler". You can read more about the log types [here](https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)
+
+## Policy Details:
+
+- **Policy Name:** check-control-plane-logging
+- **Check Description:** Ensure Amazon EKS control plane logging is enabled for all log types
+- **Policy Category:** EKS Best Practices 
+
+### Policy Validation Testing Instructions
+
+To evaluate and test the policy, follow the steps outlined below:
+
+For testing this policy you will need to:
+- Make sure you have `nctl` installed on the machine 
+
+1. **Test the Policy with nctl:**
+    ```
+   nctl scan terraform --resources tf-config.tf --policy policy.yaml
+    ```
+
+    a. **Test Policy Against Valid Terraform Config File:**
+    ```
+    nctl scan terraform --resources test/good.tf --policies check-control-plane-logging.yaml --details 
+    ```
+
+    This produces the output:
+    ```
+    Version: v4.2.2
+    Fetching policies...
+    Loading policies...
+    - found 1 policies
+    Running analysis...
+    • no errors
+    Results...
+    +--------------------+------+------+------+-------+------+
+    |      CATEGORY      | FAIL | WARN | PASS | ERROR | SKIP |
+    +--------------------+------+------+------+-------+------+
+    | EKS Best Practices |  0   |  0   |  1   |   0   |  0   |
+    +--------------------+------+------+------+-------+------+
+    Rule Results                        : (Fail: 0, Warn: 0, Pass: 1, Error: 0, Skip: 0)
+    Failed Rules Severity               : (Critical: 0, High: 0, Medium: 0, Low: 0, Info: 0)
+
+    +-----------------------------+-----------------------------+--------------+---------+--------+
+    |           POLICY            |            RULE             |   RESOURCE   | MESSAGE | RESULT |
+    +-----------------------------+-----------------------------+--------------+---------+--------+
+    | check-control-plane-logging | check-control-plane-logging | test/good.tf |         |  pass  |
+    +-----------------------------+-----------------------------+--------------+---------+--------+
+    Done!
+    ```
+
+    b. **Test Against Invalid Terraform Config File:**
+    ```
+    nctl scan terraform --resources test/bad-01.tf --policies check-control-plane-logging.yaml --details 
+    ```
+
+    This produces the output:
+    ```
+    Version: v4.2.2
+    Fetching policies...
+    Loading policies...
+    - found 1 policies
+    Running analysis...
+    • no errors
+    Results...
+    +--------------------+------+------+------+-------+------+
+    |      CATEGORY      | FAIL | WARN | PASS | ERROR | SKIP |
+    +--------------------+------+------+------+-------+------+
+    | EKS Best Practices |  1   |  0   |  0   |   0   |  0   |
+    +--------------------+------+------+------+-------+------+
+    Rule Results                        : (Fail: 1, Warn: 0, Pass: 0, Error: 0, Skip: 0)
+    Failed Rules Severity               : (Critical: 0, High: 0, Medium: 1, Low: 0, Info: 0)
+
+    +-----------------------------+-----------------------------+----------------+--------------------------------+--------+
+    |           POLICY            |            RULE             |    RESOURCE    |            MESSAGE             | RESULT |
+    +-----------------------------+-----------------------------+----------------+--------------------------------+--------+
+    | check-control-plane-logging | check-control-plane-logging | test/bad-01.tf | EKS control plane logging must |  fail  |
+    |                             |                             |                |  be enabled for all log types  |        |
+    +-----------------------------+-----------------------------+----------------+--------------------------------+--------+
+    Done! 1 policy violation(s) detected.
+    ```
+
+---

terraform/config/eks-best-practices/check-control-plane-logging/check-control-plane-logging.yaml

@@ -0,0 +1,32 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-control-plane-logging
+  annotations:
+    policies.kyverno.io/title: Check Control Plane Logging
+    policies.kyverno.io/category: EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      Enabling Amazon EKS control plane logging for all log types is a best practice 
+      for enhancing the security, monitoring, troubleshooting, performance optimization, and operational management of your Kubernetes clusters. 
+      By capturing comprehensive logs of control plane activities, you can effectively manage and secure your 
+      EKS infrastructure while ensuring compliance with regulatory requirements and industry standards.
+spec:
+  rules:
+    - name: check-control-plane-logging
+      match:
+        all:
+        - ($analyzer.resource.type): terraform-config
+        - (resource.aws_eks_cluster != null): true
+      assert:
+        all:
+        - message: EKS control plane logging must be enabled for all log types
+          check:
+            ~.(resource.aws_eks_cluster.values(@)[]):
+                (enabled_cluster_log_types || `[]`):
+                  (contains(@, 'api')): true
+                  (contains(@, 'audit')): true
+                  (contains(@, 'authenticator')): true
+                  (contains(@, 'controllerManager')): true
+                  (contains(@, 'scheduler')): true
+

terraform/config/eks-best-practices/check-control-plane-logging/test/bad-01.tf

@@ -0,0 +1,27 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.16"
+    }
+  }
+
+  required_version = ">= 1.2.0"
+}
+
+provider "aws" {
+  region = "us-west-2"
+}
+
+resource "aws_eks_cluster" "example" {
+  name     = "example-cluster"
+  role_arn = "arn:aws:iam::123456789012:role/eks-cluster-role"
+
+  vpc_config {
+    subnet_ids = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"]
+  }
+}
+
+output "cluster_id" {
+  value = aws_eks_cluster.example.id
+}

terraform/config/eks-best-practices/check-control-plane-logging/test/bad-02.tf

@@ -0,0 +1,29 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.16"
+    }
+  }
+
+  required_version = ">= 1.2.0"
+}
+
+provider "aws" {
+  region = "us-west-2"
+}
+
+resource "aws_eks_cluster" "example" {
+  name     = "example-cluster"
+  role_arn = "arn:aws:iam::123456789012:role/eks-cluster-role"
+
+  vpc_config {
+    subnet_ids = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"]
+  }
+
+  enabled_cluster_log_types = ["api", "scheduler"]
+}
+
+output "cluster_id" {
+  value = aws_eks_cluster.example.id
+}

terraform/config/eks-best-practices/check-control-plane-logging/test/bad-payload-01.json

@@ -0,0 +1,47 @@
+{
+    "output": {
+        "cluster_id": [
+            {
+                "value": "${aws_eks_cluster.example.id}"
+            }
+        ]
+    },
+    "provider": {
+        "aws": [
+            {
+                "region": "us-west-2"
+            }
+        ]
+    },
+    "resource": {
+        "aws_eks_cluster": {
+            "example": [
+                {
+                    "name": "example-cluster",
+                    "role_arn": "arn:aws:iam::123456789012:role/eks-cluster-role",
+                    "vpc_config": [
+                        {
+                            "subnet_ids": [
+                                "subnet-0123456789abcdef0",
+                                "subnet-0123456789abcdef1"
+                            ]
+                        }
+                    ]
+                }
+            ]
+        }
+    },
+    "terraform": [
+        {
+            "required_providers": [
+                {
+                    "aws": {
+                        "source": "hashicorp/aws",
+                        "version": "~\u003e 4.16"
+                    }
+                }
+            ],
+            "required_version": "\u003e= 1.2.0"
+        }
+    ]
+}

terraform/config/eks-best-practices/check-control-plane-logging/test/bad-payload-02.json

@@ -0,0 +1,51 @@
+{
+    "output": {
+        "cluster_id": [
+            {
+                "value": "${aws_eks_cluster.example.id}"
+            }
+        ]
+    },
+    "provider": {
+        "aws": [
+            {
+                "region": "us-west-2"
+            }
+        ]
+    },
+    "resource": {
+        "aws_eks_cluster": {
+            "example": [
+                {
+                    "enabled_cluster_log_types": [
+                        "api",
+                        "scheduler"
+                    ],
+                    "name": "example-cluster",
+                    "role_arn": "arn:aws:iam::123456789012:role/eks-cluster-role",
+                    "vpc_config": [
+                        {
+                            "subnet_ids": [
+                                "subnet-0123456789abcdef0",
+                                "subnet-0123456789abcdef1"
+                            ]
+                        }
+                    ]
+                }
+            ]
+        }
+    },
+    "terraform": [
+        {
+            "required_providers": [
+                {
+                    "aws": {
+                        "source": "hashicorp/aws",
+                        "version": "~\u003e 4.16"
+                    }
+                }
+            ],
+            "required_version": "\u003e= 1.2.0"
+        }
+    ]
+}

terraform/config/eks-best-practices/check-control-plane-logging/test/binding.yaml

@@ -0,0 +1,3 @@
+analyzer:
+  resource:
+    type: terraform-config