fix: Avoid listing PodSecurityPolicys on versions greater than 1.25…

… since those have been removed

eksup/Cargo.toml

@@ -37,8 +37,8 @@ clap-verbosity-flag = "2.0"
 handlebars = { version = "4.3", features = ["rust-embed"] }
 itertools = "0.11"
 # https://kube.rs/kubernetes-version/
-k8s-openapi = { version = "0.18.0", default-features = false, features = ["v1_22"] }
-kube = { version = "0.83.0", default-features = false, features = [ "client", "derive", "rustls-tls" ] }
+k8s-openapi = { version = "0.18.0", default-features = false, features = ["v1_23"] }
+kube = { version = "0.84.0", default-features = false, features = [ "client", "derive", "rustls-tls" ] }
 rust-embed = { version = "6.4", features = ["compression"] }
 schemars = "0.8"
 seq-macro = "0.3"

eksup/src/k8s/findings.rs

@@ -45,7 +45,7 @@ pub async fn get_kubernetes_findings(
  .iter()
  .filter_map(|s| s.docker_socket(target_version))
  .collect();
- let pod_security_policy = resources::get_podsecuritypolicies(client, target_version).await?;
+ let pod_security_policy = resources::get_podsecuritypolicies(client, target_version, cluster_version).await?;
  let kube_proxy_version_skew = checks::kube_proxy_version_skew(&nodes, &resources).await?;
 
  Ok(KubernetesFindings {

eksup/src/k8s/resources.rs

@@ -1,6 +1,6 @@
 use std::collections::BTreeMap;
 
-use anyhow::Result;
+use anyhow::{Context, Result};
 use k8s_openapi::api::{
  apps, batch,
  core::{self, v1::PodTemplateSpec},
@@ -10,6 +10,7 @@ use kube::{api::Api, Client, CustomResource};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use tabled::Tabled;
+use tracing::warn;
 
 use crate::{finding, k8s::checks, version};
 
@@ -71,7 +72,7 @@ pub struct Node {
 
 pub async fn get_nodes(client: &Client) -> Result<Vec<Node>> {
  let api: Api<core::v1::Node> = Api::all(client.to_owned());
- let node_list = api.list(&Default::default()).await?;
+ let node_list = api.list(&Default::default()).await.context("Failed to list Nodes")?;
 
  Ok(
  node_list
@@ -99,14 +100,23 @@ pub async fn get_nodes(client: &Client) -> Result<Vec<Node>> {
 /// available IPs in the subnet(s) when custom networking is enabled
 pub async fn get_eniconfigs(client: &Client) -> Result<Vec<ENIConfig>> {
  let api = Api::<ENIConfig>::all(client.to_owned());
- let eniconfigs: Vec<ENIConfig> = api.list(&Default::default()).await?.items;
+ let eniconfigs = match api.list(&Default::default()).await {
+ Ok(eniconfigs) => eniconfigs.items,
+ Err(_) => {
+ warn!("Failed to list ENIConfigs");
+ vec![]
+ },
+ };
 
  Ok(eniconfigs)
 }
 
 async fn get_deployments(client: &Client) -> Result<Vec<StdResource>> {
  let api: Api<apps::v1::Deployment> = Api::all(client.to_owned());
- let deployment_list = api.list(&Default::default()).await?;
+ let deployment_list = api
+ .list(&Default::default())
+ .await
+ .context("Failed to list Deployments")?;
 
  let deployments = deployment_list
  .items
@@ -143,7 +153,10 @@ async fn get_deployments(client: &Client) -> Result<Vec<StdResource>> {
 
 async fn get_replicasets(client: &Client) -> Result<Vec<StdResource>> {
  let api: Api<apps::v1::ReplicaSet> = Api::all(client.to_owned());
- let replicaset_list = api.list(&Default::default()).await?;
+ let replicaset_list = api
+ .list(&Default::default())
+ .await
+ .context("Failed to list ReplicaSets")?;
 
  let replicasets = replicaset_list
  .items
@@ -183,7 +196,10 @@ async fn get_replicasets(client: &Client) -> Result<Vec<StdResource>> {
 
 async fn get_statefulsets(client: &Client) -> Result<Vec<StdResource>> {
  let api: Api<apps::v1::StatefulSet> = Api::all(client.to_owned());
- let statefulset_list = api.list(&Default::default()).await?;
+ let statefulset_list = api
+ .list(&Default::default())
+ .await
+ .context("Failed to list StatefulSets")?;
 
  let statefulsets = statefulset_list
  .items
@@ -220,7 +236,10 @@ async fn get_statefulsets(client: &Client) -> Result<Vec<StdResource>> {
 
 async fn get_daemonsets(client: &Client) -> Result<Vec<StdResource>> {
  let api: Api<apps::v1::DaemonSet> = Api::all(client.to_owned());
- let daemonset_list = api.list(&Default::default()).await?;
+ let daemonset_list = api
+ .list(&Default::default())
+ .await
+ .context("Failed to list DaemonSets")?;
 
  let daemonsets = daemonset_list
  .items
@@ -257,7 +276,7 @@ async fn get_daemonsets(client: &Client) -> Result<Vec<StdResource>> {
 
 async fn get_jobs(client: &Client) -> Result<Vec<StdResource>> {
  let api: Api<batch::v1::Job> = Api::all(client.to_owned());
- let job_list = api.list(&Default::default()).await?;
+ let job_list = api.list(&Default::default()).await.context("Failed to list Jobs")?;
 
  let jobs = job_list
  .items
@@ -297,7 +316,7 @@ async fn get_jobs(client: &Client) -> Result<Vec<StdResource>> {
 
 async fn get_cronjobs(client: &Client) -> Result<Vec<StdResource>> {
  let api: Api<batch::v1::CronJob> = Api::all(client.to_owned());
- let cronjob_list = api.list(&Default::default()).await?;
+ let cronjob_list = api.list(&Default::default()).await.context("Failed to list CronJobs")?;
 
  let cronjobs = cronjob_list
  .items
@@ -344,9 +363,19 @@ async fn get_cronjobs(client: &Client) -> Result<Vec<StdResource>> {
 pub(crate) async fn get_podsecuritypolicies(
  client: &Client,
  target_version: &str,
+ current_version: &str,
 ) -> Result<Vec<checks::PodSecurityPolicy>> {
+ let current_version = version::parse_minor(current_version)?;
+ if current_version <= 25 {
+ // Pod Security Policy support is removed starting in 1.25
+ return Ok(vec![]);
+ }
+
  let api: Api<policy::v1beta1::PodSecurityPolicy> = Api::all(client.to_owned());
- let psp_list = api.list(&Default::default()).await?;
+ let psp_list = api
+ .list(&Default::default())
+ .await
+ .context("Failed to list PodSecurityPolicies")?;
 
  let target_version = version::parse_minor(target_version)?;
  let remediation = if target_version >= 25 {
@@ -456,7 +485,7 @@ impl checks::K8sFindings for StdResource {
  fn min_ready_seconds(&self) -> Option<checks::MinReadySeconds> {
  let resource = self.get_resource();
 
- if vec![Kind::CronJob, Kind::DaemonSet, Kind::Job].contains(&resource.kind) {
+ if [Kind::CronJob, Kind::DaemonSet, Kind::Job].contains(&resource.kind) {
  return None;
  }
 

examples/eks-managed/main.tf

@@ -19,7 +19,7 @@ data "aws_availability_zones" "available" {}
 
 locals {
  name = "test-${basename(path.cwd)}"
- minor_version = 23
+ minor_version = 25
  region = "us-east-1"
 
  vpc_cidr = "10.0.0.0/16"
@@ -37,7 +37,7 @@ locals {
 
 module "eks" {
  source = "terraform-aws-modules/eks/aws"
- version = "~> 19.12"
+ version = "~> 19.15"
 
  cluster_name = local.name
  cluster_version = "1.${local.minor_version}"
@@ -81,7 +81,7 @@ module "eks" {
 
 module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
- version = "~> 4.0"
+ version = "~> 5.0"
 
  name = local.name
  cidr = local.vpc_cidr

examples/eks-managed/versions.tf

@@ -4,11 +4,11 @@ terraform {
  required_providers {
  aws = {
  source = "hashicorp/aws"
- version = ">= 4.47"
+ version = ">= 5.0"
  }
  kubernetes = {
  source = "hashicorp/kubernetes"
- version = ">= 2.10"
+ version = ">= 2.20"
  }
  }
 }

examples/fargate-profile/main.tf

@@ -19,7 +19,7 @@ data "aws_availability_zones" "available" {}
 
 locals {
  name = "test-${basename(path.cwd)}"
- minor_version = 23
+ minor_version = 25
  region = "us-east-1"
 
  vpc_cidr = "10.0.0.0/16"
@@ -37,7 +37,7 @@ locals {
 
 module "eks" {
  source = "terraform-aws-modules/eks/aws"
- version = "~> 19.12"
+ version = "~> 19.15"
 
  cluster_name = local.name
  cluster_version = "1.${local.minor_version}"
@@ -75,7 +75,7 @@ module "eks" {
 
 module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
- version = "~> 3.0"
+ version = "~> 5.0"
 
  name = local.name
  cidr = local.vpc_cidr

examples/fargate-profile/versions.tf

@@ -4,11 +4,11 @@ terraform {
  required_providers {
  aws = {
  source = "hashicorp/aws"
- version = ">= 4.47"
+ version = ">= 5.0"
  }
  kubernetes = {
  source = "hashicorp/kubernetes"
- version = ">= 2.10"
+ version = ">= 2.20"
  }
  }
 }

examples/mixed/main.tf

@@ -33,7 +33,7 @@ data "aws_availability_zones" "available" {}
 
 locals {
  name = "test-${basename(path.cwd)}"
- minor_version = 23
+ minor_version = 25
  region = "us-east-1"
 
  vpc_cidr_nodes = "10.0.0.0/16"
@@ -52,27 +52,28 @@ locals {
 
 module "eks" {
  source = "terraform-aws-modules/eks/aws"
- version = "~> 19.12"
+ version = "~> 19.15"
 
  cluster_name = local.name
  cluster_version = "1.${local.minor_version}"
  cluster_endpoint_public_access = true
 
  cluster_addons = {
  coredns = {
- # aws eks describe-addon-versions --kubernetes-version 1.21 --addon-name coredns
+ # aws eks describe-addon-versions --kubernetes-version 1.25 --addon-name coredns --query 'addons[*].addonVersions[*].addonVersion'
  addon_version = "v1.8.4-eksbuild.2"
  configuration_values = jsonencode({
  computeType = "Fargate"
  })
  }
  kube-proxy = {
- # aws eks describe-addon-versions --kubernetes-version 1.21 --addon-name kube-proxy
- addon_version = "v1.21.14-eksbuild.3"
+ # aws eks describe-addon-versions --kubernetes-version 1.25 --addon-name kube-proxy --query 'addons[*].addonVersions[*].addonVersion'
+ addon_version = "v1.23.15-eksbuild.1"
  }
  vpc-cni = {
- # aws eks describe-addon-versions --kubernetes-version 1.21 --addon-name vpc-cni
- addon_version = "v1.11.3-eksbuild.3"
+ # aws eks describe-addon-versions --kubernetes-version 1.25 --addon-name vpc-cni --query 'addons[*].addonVersions[*].addonVersion'
+ addon_version = "v1.11.5-eksbuild.1"
+ before_compute = true
  configuration_values = jsonencode({
  env = {
  # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking
@@ -99,10 +100,10 @@ module "eks" {
  eks_managed_node_groups = {
  # This uses a custom launch template (custom as in module/user supplied)
  standard = {
- pre_bootstrap_user_data = <<-EOT
- #!/bin/bash
- echo "Hello from user data!"
- EOT
+ # pre_bootstrap_user_data = <<-EOT
+ #  #!/bin/bash
+ #  echo "Hello from user data!"
+ # EOT
 
  # To show pending changes
  update_launch_template_default_version = false
@@ -131,10 +132,10 @@ module "eks" {
  }
 
  different = {
- pre_bootstrap_user_data = <<-EOT
- #!/bin/bash
- echo "Hello from user data!"
- EOT
+ # pre_bootstrap_user_data = <<-EOT
+ #  #!/bin/bash
+ #  echo "Hello from user data!"
+ # EOT
 
  # To show pending changes
  instance_refresh = {}
@@ -182,7 +183,7 @@ resource "kubectl_manifest" "eni_config" {
 
 module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
- version = "~> 4.0"
+ version = "~> 5.0"
 
  name = local.name
  cidr = local.vpc_cidr_nodes

examples/mixed/versions.tf

@@ -4,11 +4,11 @@ terraform {
  required_providers {
  aws = {
  source = "hashicorp/aws"
- version = ">= 4.47"
+ version = ">= 5.0"
  }
  kubernetes = {
  source = "hashicorp/kubernetes"
- version = ">= 2.10"
+ version = ">= 2.20"
  }
  kubectl = {
  source = "gavinbunney/kubectl"

examples/self-managed/main.tf

@@ -19,7 +19,7 @@ data "aws_availability_zones" "available" {}
 
 locals {
  name = "test-${basename(path.cwd)}"
- minor_version = 23
+ minor_version = 25
  region = "us-east-1"
 
  vpc_cidr = "10.0.0.0/16"
@@ -37,7 +37,7 @@ locals {
 
 module "eks" {
  source = "terraform-aws-modules/eks/aws"
- version = "~> 19.5"
+ version = "~> 19.15"
 
  cluster_name = local.name
  cluster_version = "1.${local.minor_version}"
@@ -81,7 +81,7 @@ module "eks" {
 
 module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
- version = "~> 3.0"
+ version = "~> 5.0"
 
  name = local.name
  cidr = local.vpc_cidr

examples/self-managed/versions.tf

@@ -4,11 +4,11 @@ terraform {
  required_providers {
  aws = {
  source = "hashicorp/aws"
- version = ">= 4.47"
+ version = ">= 5.0"
  }
  kubernetes = {
  source = "hashicorp/kubernetes"
- version = ">= 2.10"
+ version = ">= 2.20"
  }
  }
 }