
Commit 4287697

committed
Initial support for EKS Pod Identity
1 parent 654e898 commit 4287697


4 files changed

+247
-448
lines changed


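--- a/cmd/managed-kubernetes-auditing-toolkit/eks/role_relationships.go
+++ b/cmd/managed-kubernetes-auditing-toolkit/eks/role_relationships.go
@@ -22,6 +22,7 @@ import (
 var outputFormat string
 var outputFile string
 var eksClusterName string
+var showFullRoleArns bool
 
 // Output formats
 const (
@@ -63,7 +64,7 @@ func buildEksRoleRelationshipsCommand() *cobra.Command {
 	eksRoleRelationshipsCommand.Flags().StringVarP(&outputFormat, "output-format", "f", DefaultOutputFormat, "Output format. Supported formats: "+strings.Join(availableOutputFormats, ", "))
 	eksRoleRelationshipsCommand.Flags().StringVarP(&outputFile, "output-file", "o", "", "Output file. If not specified, output will be printed to stdout.")
 	eksRoleRelationshipsCommand.Flags().StringVarP(&eksClusterName, "eks-cluster-name", "", "", "When the EKS cluster name cannot be automatically detected from your KubeConfig, specify this argument to pass the EKS cluster name of your current kubectl context")
-
+	eksRoleRelationshipsCommand.Flags().BoolVarP(&showFullRoleArns, "show-full-role-arns", "", false, "Show full ARNs of roles instead of just the role name")
 	return eksRoleRelationshipsCommand
 }
 
@@ -118,15 +119,15 @@ func getTextOutput(resolver *role_relationships.EKSCluster) (string, error) {
 		{Number: 2, AutoMerge: true, VAlign: text.VAlignMiddle},
 		{Number: 3, AutoMerge: true, VAlign: text.VAlignMiddle},
 	})
-	t.AppendHeader(table.Row{"Namespace", "Service Account", "Pod", "Assumable Role ARN"})
+	t.AppendHeader(table.Row{"Namespace", "Service Account", "Pod", "Assumable Role ARN", "Mechanism"})
 	var found = false
 	for namespace, pods := range resolver.PodsByNamespace {
 		for _, pod := range pods {
 			if pod.ServiceAccount == nil || len(pod.ServiceAccount.AssumableRoles) == 0 {
 				continue
 			}
 			for _, role := range pod.ServiceAccount.AssumableRoles {
-				t.AppendRow([]interface{}{namespace, pod.ServiceAccount.Name, pod.Name, role.Arn})
+				t.AppendRow([]interface{}{namespace, pod.ServiceAccount.Name, pod.Name, getRoleDisplayName(role.IAMRole), role.Reason})
 				found = true
 			}
 		}
@@ -146,6 +147,7 @@ type Vertex struct {
 func (v *Vertex) GetID() int {
 	return v.ID
 }
+
 func getDotOutput(resolver *role_relationships.EKSCluster) (string, error) {
 	graphAst, _ := gographviz.ParseString(`digraph G { }`)
 	graphViz := gographviz.NewGraph()
@@ -179,8 +181,7 @@ func getDotOutput(resolver *role_relationships.EKSCluster) (string, error) {
 				"fontsize": "12",
 			})
 			for _, role := range pod.ServiceAccount.AssumableRoles {
-				parsedArn, _ := arn.Parse(role.Arn)
-				roleLabel := fmt.Sprintf(`"IAM role %s"`, strings.Split(parsedArn.Resource, "/")[1])
+				roleLabel := fmt.Sprintf(`"IAM role %s"`, getRoleName(role.IAMRole))
 				graphViz.AddNode("G", roleLabel, map[string]string{
 					"fontname": "Helvetica",
 					"shape": "box",
@@ -204,19 +205,20 @@ func getDotOutput(resolver *role_relationships.EKSCluster) (string, error) {
 
 func getCsvOutput(resolver *role_relationships.EKSCluster) (string, error) {
 	sb := new(strings.Builder)
-	sb.WriteString("namespace,pod,service_account,role_arn")
+	sb.WriteString("namespace,pod,service_account,role_arn,reason")
 	for namespace, pods := range resolver.PodsByNamespace {
 		for _, pod := range pods {
 			if pod.ServiceAccount == nil || len(pod.ServiceAccount.AssumableRoles) == 0 {
 				continue
 			}
 			for _, role := range pod.ServiceAccount.AssumableRoles {
 				sb.WriteString(fmt.Sprintf(
-					"%s,%s,%s,%s",
+					"%s,%s,%s,%s,%s",
 					namespace,
 					pod.Name,
 					pod.ServiceAccount.Name,
-					role.Arn,
+					getRoleDisplayName(role.IAMRole),
+					role.Reason,
 				))
 				sb.WriteRune('\n')
 			}
@@ -225,3 +227,15 @@ func getCsvOutput(resolver *role_relationships.EKSCluster) (string, error) {
 
 	return sb.String(), nil
 }
+
+func getRoleDisplayName(role *role_relationships.IAMRole) string {
+	if showFullRoleArns {
+		return role.Arn
+	}
+	return getRoleName(role)
+}
+
+func getRoleName(role *role_relationships.IAMRole) string {
+	parsedArn, _ := arn.Parse(role.Arn)
+	return strings.Split(parsedArn.Resource, "/")[1]
+}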
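Review bot: getRoleName in the last hunk discards the arn.Parse error and indexes `strings.Split(parsedArn.Resource, "/")[1]` unconditionally, so a malformed or slash-less ARN read from a service-account annotation or a Pod Identity association makes the tool panic instead of reporting the role; the pattern was only moved here from getDotOutput, but it now sits on the text and CSV paths as well. It also returns the second path segment, which for a role ARN with a path (`role/some/path/name`) is `some` rather than the role name, and taking the last segment would match what IAM calls the role name. I would also check whether role.IAMRole can be nil on the new Pod Identity path before getRoleDisplayName dereferences it, since I cannot see the resolver side here. Separately, the CSV header written in getCsvOutput is not newline-terminated, so the first data row lands on the header line, and role.Reason is written unquoted; `encoding/csv` would handle both.
```go
func getRoleName(role *role_relationships.IAMRole) string {
	parsedArn, err := arn.Parse(role.Arn)
	if err != nil {
		// Unparseable ARN: show the raw value rather than panicking on the split below.
		return role.Arn
	}
	segments := strings.Split(parsedArn.Resource, "/")
	// IAM role resources look like "role/<path...>/<name>"; the name is the last segment.
	return segments[len(segments)-1]
}
```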

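--- a/go.mod
+++ b/go.mod
@@ -4,12 +4,13 @@ go 1.19
 
 require (
 	github.com/awalterschulze/gographviz v2.0.3+incompatible
-	github.com/aws/aws-sdk-go-v2 v1.17.6
-	github.com/aws/aws-sdk-go-v2/config v1.18.16
-	github.com/aws/aws-sdk-go-v2/service/eks v1.27.6
-	github.com/aws/aws-sdk-go-v2/service/iam v1.19.5
+	github.com/aws/aws-sdk-go-v2 v1.23.1
+	github.com/aws/aws-sdk-go-v2/config v1.25.6
+	github.com/aws/aws-sdk-go-v2/service/eks v1.34.1
+	github.com/aws/aws-sdk-go-v2/service/iam v1.27.4
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be
 	github.com/fatih/color v1.15.0
+	github.com/hashicorp/go-version v1.6.0
 	github.com/jedib0t/go-pretty/v6 v6.4.6
 	github.com/spf13/cobra v1.6.1
 	github.com/stretchr/testify v1.8.0
@@ -21,68 +22,51 @@ require (
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.16 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.24 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.31 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.12.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.18.6 // indirect
-	github.com/aws/smithy-go v1.13.5 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.16.5 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.17.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.20.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.25.5 // indirect
+	github.com/aws/smithy-go v1.17.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/go-licenses v1.6.0 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
-	github.com/google/licenseclassifier v0.0.0-20210722185704-3043a050f148 // indirect
 	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
-	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/otiai10/copy v1.6.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
-	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/src-d/gcfg v1.4.0 // indirect
-	github.com/xanzy/ssh-agent v0.2.1 // indirect
-	go.opencensus.io v0.23.0 // indirect
-	golang.org/x/crypto v0.1.0 // indirect
-	golang.org/x/mod v0.7.0 // indirect
 	golang.org/x/net v0.7.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 // indirect
 	golang.org/x/sys v0.6.0 // indirect
 	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
-	golang.org/x/tools v0.5.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/src-d/go-billy.v4 v4.3.2 // indirect
-	gopkg.in/src-d/go-git.v4 v4.13.1 // indirect
-	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.80.1 // indirect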
