Philip Laine
This change will force all nodes to enable encryption at rest. Two current issues with enabling this. One is that it will require node recreation, the other is that it...
The Docker image used to apply the Terraform modules lives in another repository. https://github.com/XenitAB/github-actions Issues occur when we update dependency versions like tfsec and tflint here but not in the...
https://kubernetes.github.io/ingress-nginx/deploy/hardening-guide/
This change fixes the following TFSec warnings. https://aquasecurity.github.io/tfsec/v1.8.0/checks/aws/autoscaling/enforce-http-token-imds/ https://aquasecurity.github.io/tfsec/v1.8.0/checks/aws/cloudwatch/log-group-customer-key/ The first one has to be verified to actually work with IRSA.
It seems like it is possible to add additional OIDC providers to an EKS cluster, according to this comment. https://github.com/aws/amazon-eks-pod-identity-webhook/issues/23#issuecomment-1046088690 Here is some documentation and the Terraform resource to configure...
We should consider setting the Gatekeeper failure policy to fail instead of ignore. This has some consequences that we need to understand and document. https://open-policy-agent.github.io/gatekeeper/website/docs/failing-closed
This change will add a network policy to all platform namespaces and then additional policies to allow traffic that is required. There are currently two limitations with this solution which...
New support has been added in Terraform to disable local accounts. We should use this in all deployments to limit how access can be gained to the cluster. https://github.com/hashicorp/terraform-provider-azurerm/issues/13248
We should consider implementing the recommended fixes for this. https://groups.google.com/g/kubernetes-announce/c/aXolwNe_KT4/m/HKK3174yAQAJ