Noise report using cloud providers
Hi! I'm using an EKS cluster version 1.24 with Krane. The Krane v0.1.1 release was installed using the helm installation.
Using the krane report --incluster
In the report generated by krane, default RBAC resources from EKS are mapped as danger; this causes noise in the report.
I would like to see your opinion about this topic. I suppose that it will be the same for GKE, AKS or OpenShift. Thank you.
Result:
{
"summary": {
"danger": 9,
"warning": 9,
"info": 1,
"success": 35
},
"results": [
{
"id": "risky-any-resource-list",
"status": "danger",
"group_title": "Risky Roles/ClusterRoles allowing list action on all resources",
"info": "Roles/ClusterRoles allowing list action on all resources. This might be dangerous. Review listed Roles!",
"items": [
"ClusterRole aws-node in * namespace(s)",
"ClusterRole eks:addon-manager in * namespace(s)",
"ClusterRole ks-sa-roles in * namespace(s)",
]
},
This is certainly something that could be improved. As it stands, the tool doesn't distinguish between vendor-specific roles and custom roles. In the meantime you could perhaps look at whitelists. Bear in mind that currently helm doesn't support an option for passing custom configuration files at install time. There is a PR open around that though (#253), so the ability to pass these things in should land soon.
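Until vendor roles can be whitelisted at install time, the report JSON can be triaged after the fact. The following is an added example, not part of the thread and not Krane code: it splits each finding's items into vendor-owned and custom roles, using the report shape from the excerpt above. The name patterns and the function name are assumptions taken only from the role names in this issue.

```python
import fnmatch
import json
import re

# Constructed sample shaped like the report excerpt in the issue.
SAMPLE_REPORT = {
    "results": [{
        "id": "risky-any-resource-list",
        "status": "danger",
        "items": [
            "ClusterRole aws-node in * namespace(s)",
            "ClusterRole eks:addon-manager in * namespace(s)",
            "ClusterRole ks-sa-roles in * namespace(s)",
        ],
    }]
}

# Assumed vendor name patterns, derived only from the names in the issue.
VENDOR_PATTERNS = ["aws-node", "eks:*"]

# Item strings look like "<Kind> <name> in <namespace> namespace(s)".
ITEM_RE = re.compile(r"^(\S+) (\S+) in (.+) namespace\(s\)$")


def split_vendor_items(report, patterns=VENDOR_PATTERNS):
    """Split each non-success result's items into vendor-owned and custom."""
    triaged = []
    for result in report.get("results", []):
        if result.get("status") == "success":
            continue
        vendor, custom = [], []
        for item in result.get("items", []):
            m = ITEM_RE.match(item)
            # Items that do not parse stay in "custom" so nothing is hidden.
            is_vendor = bool(m) and any(
                fnmatch.fnmatchcase(m.group(2), p) for p in patterns)
            (vendor if is_vendor else custom).append(item)
        triaged.append({
            "id": result.get("id"),
            "status": result.get("status"),
            "vendor": vendor,
            "custom": custom,
        })
    return triaged


if __name__ == "__main__":
    print(json.dumps(split_vendor_items(SAMPLE_REPORT), indent=2))
```

Vendor items are kept in their own list rather than dropped, because a name match alone does not prove a role is the unmodified vendor default.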