FEATURE: EKS Protection #61
Conversation
ryanjpayne
commented
Aug 13, 2024
ryanjpayne
commented
- Add resources and documentation to support CrowdStrike EKS Protection
| - Arn | ||
|
|
||
| # CodeBuild Project to deploy Falcon Operator and Sensor | ||
| EKSCodeBuild: |
There was a problem hiding this comment.
Recommendation: CodeBuild project should specify an EncryptionKey value
Add exemption with valid reason if the project cannot be encrypted.
There was a problem hiding this comment.
which linter does this flag apply? I do not see it in cfnlint or checkov
There was a problem hiding this comment.
but the default cmk will suffice
There was a problem hiding this comment.
This is coming from cfn_nag. Could you please add an exception to avoid flagging this in future. No value for EncryptionKey defaults to the managed CMK for Amazon Simple Storage Service (Amazon S3)
Need to add taskcat ssm params:
Retrieve Docker API Token from falcon console>cloud accounts registration>kubernetes
|
|
/do-e2e-tests |
|
End to end test has been scheduled |
|
E2E tests in progress |
![aws-ia-automator-prod[bot]](https://avatars.githubusercontent.com/u/149281641?s=60&v=4){kind=small}
@ryanjpayne since there are no default values, required parameters from failure reason below need to be added to all tests in the .taskcat.yml file. Failure reason: |
|
/do-e2e-tests |
|
End to end test has been scheduled |
|
E2E tests in progress |
| - id: CKV_AWS_109 | ||
| comment: IAM PassRole action is constrained by resource ARN. | ||
| - id: CKV_AWS_111 | ||
| comment: IAM PassRole action is constrained by resource ARN. |
There was a problem hiding this comment.
do not see iam:PassRole in this policy. What is the need for this exception?
templates/eks-protection-stack.yml
Outdated
| Name: !Ref CodeBuildProjectName | ||
| ServiceRole: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CodeBuildRoleName} | ||
| Source: | ||
| Location: !Sub '${StagingS3Bucket}/${SourceS3BucketNamePrefix}/codebuild/codebuild.zip' |
There was a problem hiding this comment.
@ryanjpayne This needs to be fixed to match with the new file location?
|
/do-e2e-tests |
|
End to end test has been scheduled |
|
E2E tests in progress |
|
/do-e2e-tests |
|
End to end test has been scheduled |
|
E2E tests in progress |
|
/do-e2e-tests |
|
End to end test has been scheduled |
|
E2E tests in progress |
|
/do-e2e-tests |
|
End to end test has been scheduled |
|
E2E tests in progress |
|
/do-e2e-tests |
ryanjpayne
force-pushed
the
FEAT-0824-eksprotection
branch
from
d951cce
to
ed64e7a
Compare
|
Static analysis has failed. Please review and take action as appropriate. |
|
Static analysis has failed. Please review and take action as appropriate. |
|
/do-e2e-tests |
|
End to end test has been scheduled |
|
E2E tests in progress |
|
/do-e2e-tests |
|
End to end test has been scheduled |
|
E2E tests in progress |
|
/do-e2e-tests |
|
End to end test has been scheduled |
|
E2E tests in progress |
