Skip to content

Security Improvement's associated with Jira Task CSI-1647 #20

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jun 19, 2025
Merged

Security Improvement's associated with Jira Task CSI-1647 #20

merged 4 commits into from
Jun 19, 2025

Conversation

neoakris
Copy link
Collaborator

Summary of Changes:

  1. Replaced execSync with shelljs
    • supposed to be trivially more secure
    • noteworthy improvement is before only stdout of commands was accessible. Now stderr & exit codes are also accessible/usable, which can make any if statement logic more reliable.
  2. Security Improvement:
    • Removed: AWS Account root (as in any authenticated user/role within account) assumable eks cluster admin method (insecure default built into cdk's eks masterrole logic) has been removed.
      Here's what the output used to look like: 
      Outputs:
dev1-eks.dev1eksConfigCommand9B300592 = aws eks update-kubeconfig --name dev1-eks --region ca-central-1 --role-arn arn:aws:iam::905418347382:role/dev1-eks-assumableEKSAdminAccessRoleC284FA0F-F22KjKQrjLpO
    • Replaced with: Only allowing cluster admin access to IAM ARN List of Whitelisted Cluster Admins (and convenience logic to add the user/role running cdk deploy dev1-eks to said list to maintain similar UX to what originally existed.)
      Here's what the output now looks like: (quickstart doc was updated to reflect) 
      Outputs:
dev1-eks.iamWhitelistedKubeConfigCmd = aws eks update-kubeconfig --region ca-central-1 --name dev1-eks
  3. Edge Case Bug Fix:
    • Duplicate Entries of config.addClusterAdminARN(arn:aws:iam::111122223333:user/example);
      would cause crash. Logic to prevent duplicates has been added.
    • Duplicate Entires of config.addClusterViewerAccount(process.env.CDK_DEFAULT_ACCOUNT!);
      would not cause any crash, nor issues, but it would result in duplicate entries in aws-auth configmap. Added logic to prevent duplicates here as well even though didn't hurt.
    • Verified tag duplicates were non-issue.

neoakris added 4 commits June 18, 2025 14:44
@neoakris
replaced execSync with shelljs, which is slightly safer and makes it …
9f79d4c 
…possible to check exit codes & stderr
@neoakris
Security Improvement: stoped use of cdk_eks's aws_account_root, as in…
5c41c17 
… any user/role within account being able to role assume to eks admin. Replaced with IAM whitelisting, while maintaining similar UX. Output has changed a bit though.
@neoakris
added logic to avoid duplicate cluster admin entries which caused cra…
a7a127b 
…sh, also avoided duplicate read only account list which wasn't actually an issue, and verified duplicate tags are a non-issue.
@neoakris
updated output expectations in quickstart, based on security udpate
9244758
@neoakris neoakris self-assigned this Jun 19, 2025
@neoakris neoakris merged commit e33008b into integration Jun 19, 2025
@neoakris neoakris deleted the CSI-1647 branch June 19, 2025 01:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@neoakris neoakris

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@neoakris