Add flag for excluding ECR accounts
This introduces the flag `--registry-ecr-exclude-id`, and renames
`--registry-ecr-account-id` to `--registry-ecr-include-id` for
consistency.

Oddly, `--registry-ecr-exclude-id` is most useful when you don't
supply it, or its "include" sibling, since then fluxd will scan
everything except the registry used for EKS system images (which will
always fail, so far as I can determine).
squaremo committed Jan 7, 2019
1 parent 8ea4044 commit 1b5a3f2
Showing 3 changed files with 16 additions and 7 deletions.
6 changes: 4 additions & 2 deletions cmd/fluxd/main.go
Expand Up @@ -107,8 +107,9 @@ func main() {
registryInsecure = fs.StringSlice("registry-insecure-host", []string{}, "use HTTP for this image registry domain (e.g., registry.cluster.local), instead of HTTPS")

// AWS authentication
registryAWSRegions = fs.StringSlice("registry-ecr-region", nil, "Restrict ECR scanning to these AWS regions; if empty, only the cluster's region will be scanned")
registryAWSAccountIDs = fs.StringSlice("registry-ecr-account-id", nil, "Restrict ECR scanning to these AWS account IDs; if empty, there will be no restriction")
registryAWSRegions = fs.StringSlice("registry-ecr-region", nil, "Restrict ECR scanning to these AWS regions; if empty, only the cluster's region will be scanned")
registryAWSAccountIDs = fs.StringSlice("registry-ecr-include-id", nil, "Restrict ECR scanning to these AWS account IDs; if empty, all account IDs that aren't excluded may be scanned")
registryAWSBlockAccountIDs = fs.StringSlice("registry-ecr-exclude-id", []string{registry.EKS_SYSTEM_ACCOUNT}, "Do not scan ECR for images in these AWS account IDs; the default is to exclude the EKS system account")

// k8s-secret backed ssh keyring configuration
k8sSecretName = fs.String("k8s-secret-name", "flux-git-deploy", "Name of the k8s secret used to store the private SSH key")
Expand Down Expand Up @@ -277,6 +278,7 @@ func main() {
awsConf := registry.AWSRegistryConfig{
Regions: *registryAWSRegions,
AccountIDs: *registryAWSAccountIDs,
BlockIDs: *registryAWSBlockAccountIDs,
}
credsWithAWSAuth, err := registry.ImageCredsWithAWSAuth(imageCreds, log.With(logger, "component", "aws"), awsConf)
if err != nil {
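Review bot: The default `[]string{registry.EKS_SYSTEM_ACCOUNT}` on the new `registry-ecr-exclude-id` flag in the first hunk is dropped as soon as an operator passes the flag with any value, if `fs` is a pflag-style FlagSet whose StringSlice replaces the default on first use rather than appending to it; the help text does not say so, and an operator who excludes one extra account would unknowingly re-enable scanning of the EKS system registry. Consider stating this in the help string, e.g. `"Do not scan ECR for images in these AWS account IDs; the default is to exclude the EKS system account (supplying the flag replaces this default, so list the EKS account explicitly to keep it excluded)"`. The second hunk passes the value straight through into `AWSRegistryConfig.BlockIDs`, so the flag definition is the right place for that documentation. `main` begins and ends outside both hunks.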
14 changes: 10 additions & 4 deletions registry/aws.go
Expand Up @@ -25,11 +25,14 @@ const (
defaultTokenValid = 12 * time.Hour
// how long to skip refreshing a region after we've failed
embargoDuration = 10 * time.Minute

EKS_SYSTEM_ACCOUNT = "602401143452"
)

type AWSRegistryConfig struct {
Regions []string
AccountIDs []string
BlockIDs []string
}

func contains(strs []string, str string) bool {
Expand Down Expand Up @@ -74,7 +77,8 @@ func ImageCredsWithAWSAuth(lookup func() ImageCreds, logger log.Logger, config A

logger.Log("info", "restricting ECR registry scans",
"regions", strings.Join(config.Regions, ", "),
"account-ids", strings.Join(config.AccountIDs, ", "))
"include-ids", strings.Join(config.AccountIDs, ", "),
"exclude-ids", strings.Join(config.BlockIDs, ", "))

// this has the expiry time from the last request made per region. We request new tokens whenever
// - we don't have credentials for the particular registry URL
Expand All @@ -90,12 +94,14 @@ func ImageCredsWithAWSAuth(lookup func() ImageCreds, logger log.Logger, config A
// should this registry be scanned?
var shouldScan func(string, string) bool
if len(config.AccountIDs) == 0 {
shouldScan = func(region, _ string) bool {
return contains(config.Regions, region)
shouldScan = func(region, accountID string) bool {
return contains(config.Regions, region) && !contains(config.BlockIDs, accountID)
}
} else {
shouldScan = func(region, accountID string) bool {
return contains(config.Regions, region) && contains(config.AccountIDs, accountID)
return contains(config.Regions, region) &&
contains(config.AccountIDs, accountID) &&
!contains(config.BlockIDs, accountID)
}
}

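Review bot: In the `shouldScan` closures of the last hunk, an account ID that appears in both `config.AccountIDs` and `config.BlockIDs` is never scanned, and neither the code nor the log line added in the second hunk records that exclusion wins; because `BlockIDs` defaults to the EKS system account, an operator who explicitly includes that account gets a silent no-op. A comment above the `if len(config.AccountIDs) == 0` branch would make the contract explicit, `// exclusion takes precedence: an ID present in both include and exclude lists is never scanned`, and a `logger.Log("warning", ...)` naming any ID found in both lists when the config is read would surface the misconfiguration. The two closures now differ only in the include check and could collapse into one, `allowed := len(config.AccountIDs) == 0 || contains(config.AccountIDs, accountID)` combined with the existing region and block checks, which removes the duplicated `contains(config.Regions, region)`. In the first hunk, `EKS_SYSTEM_ACCOUNT` is exported without a doc comment and uses underscore naming that Go style avoids; `EKSSystemAccount` with a comment saying what the ID denotes (and noting, if it applies, that AWS may use other accounts for EKS images in some regions or partitions, so this default may not cover every cluster) would match the rest of the file. `ImageCredsWithAWSAuth` starts before the second hunk and continues past the third.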
3 changes: 2 additions & 1 deletion site/daemon.md
Expand Up @@ -75,7 +75,8 @@ fluxd requires setup and offers customization though a multitude of flags.
|--registry-insecure-host| [] | registry hosts to use HTTP for (instead of HTTPS) |
|--docker-config | `""` | path to a Docker config file with default image registry credentials |
|--registry-ecr-region | `[]` | Allow these AWS regions when scanning images from ECR (multiple values alllowed); defaults to the detected cluster region |
|--registry-ecr-account-id | `[]` | Allow these AWS account ID(s) when scanning images in ECR (multiple values allowed); empty means no restriction |
|--registry-ecr-include-id | `[]` | Include these AWS account ID(s) when scanning images in ECR (multiple values allowed); empty means allow all, unless excluded |
|--registry-ecr-exclude-id | `[<EKS SYSTEM ACCOUNT>]` | Exclude these AWS account ID(s) when scanning ECR (multiple values allowed); defaults to the EKS system account, so system images will not be scanned |
|**k8s-secret backed ssh keyring configuration** | | |
|--k8s-secret-name | `flux-git-deploy` | name of the k8s secret used to store the private SSH key|
|--k8s-secret-volume-mount-path | `/etc/fluxd/ssh` | mount location of the k8s secret storing the private SSH key|