Skip to content

eks

Sample rules

A few rules that use objects from this package:

public_access_eks_api
from typing import List, Dict

from cloudrail.knowledge.rules.aws.aws_base_rule import AwsBaseRule
from cloudrail.knowledge.context.aws.aws_environment_context import AwsEnvironmentContext
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class PublicAccessEksApiRule(AwsBaseRule):

    def get_id(self) -> str:
        return 'public_access_eks_api'

    def execute(self, env_context: AwsEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        issues: List[Issue] = []
        for eks_cluster in env_context.eks_clusters:
            violating_security_group = eks_cluster.security_group_allowing_public_access
            if violating_security_group:
                issues.append(Issue(
                    f'~Internet~. '
                    f'{eks_cluster.get_type()} `{eks_cluster.get_friendly_name()}` '
                    f'is on {eks_cluster.network_resource.vpc.get_type()}'
                    f' `{eks_cluster.network_resource.vpc.get_friendly_name()}`. '
                    f'Master is protected by security groups '
                    f'`{", ".join([x.get_friendly_name() for x in eks_cluster.network_resource.security_groups])}`. '
                    f'{eks_cluster.get_type()} uses subnets'
                    f' `{", ".join([x.get_friendly_name() for x in eks_cluster.network_resource.subnets])}`. '
                    f"Subnets rely on Network ACL's "
                    f'`{", ".join([x.network_acl.get_friendly_name() for x in eks_cluster.network_resource.subnets])}`. '
                    f'They also rely on Route tables '
                    f'`{", ".join([x.route_table.get_friendly_name() for x in eks_cluster.network_resource.subnets])}`. '
                    f'{eks_cluster.get_type()} is set to be publicly accessible',
                    eks_cluster,
                    violating_security_group))

        return issues

    def should_run_rule(self, environment_context: AwsEnvironmentContext) -> bool:
        return bool(environment_context.eks_clusters)

EksCluster (NetworkEntity, INetworkConfiguration)

Attributes:

Name Type Description
name

The name of the EKS Cluster.

arn str

The ARN of the EKS Cluster.

role_arn str

The ARN of the role used with the cluster.

endpoint str

The endpoint of the cluster.

security_group_ids

The IDs of the security groups used by nodes in the cluster.

cluster_security_group_id Optional[str]

The id of the security group used with the endpoint.

subnet_ids

The subnets the nodes are attached to.

endpoint_public_access bool

True if the endpoint allows public access.

endpoint_private_access bool

True if the endpoint allows private access.

public_access_cidrs List[str]

The CIDR blocks public access is allowed from.

port int

The port the endpoint is listening on.

security_group_allowing_public_access Optional[SecurityGroup]

A security group that allows access from the internet. This value will be None when this resource is not accessible from the internet.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process