updated 4.1.5

controls/eks-cis-4.1.1.rb

@@ -50,11 +50,14 @@
 
   cluster_admin_principals = command("kubectl get clusterrolebindings cluster-admin --no-headers -o=custom-columns=':.subjects[*].name'").stdout.gsub("\r", '').split("\n")
 
-  if cluster_admin_principals?
-    cluster_admin_principals.each do |principal|
-      describe 'Cluster role bindings should restrict access to cluster-admin role' do
-        subject { principal }
-        it { should be_in allowed_cluster_admin_principals }
+  if cluster_admin_principals != []
+    noncompliant_principals = cluster_admin_principals.filter_map { |principal|
+      principal if allowed_cluster_admin_principals.include?(principal)
+    }
+    describe "The cluster-admin role" do 
+      it "should only be available to allowlisted principals" do
+        fail_msg = "Principals who are not on the allowlist but have admin privs: #{noncompliant_principals}"
+        expect(noncompliant_principals).to be_empty, fail_msg
       end
     end
   else

controls/eks-cis-4.1.5.rb

@@ -51,7 +51,28 @@
   tag cis_controls: ['5.2', 'Rev_7']
   tag cis_rid: '4.1.5'
 
-  describe 'Manual control' do
-    skip 'Manual review of service accounts should be conducted to ensure they do not have excessive role bindings'
+  bindings = json(command:"kubectl get rolebinding,clusterrolebinding --all-namespaces -o json").params['items']
+
+  bindings.each do |binding|
+
+    subjects = binding['subjects']
+    next if subjects.nil?
+    sa = subjects.find { |x| x['kind'] == 'ServiceAccount'}
+    next if sa.nil?
+
+    describe "Service account for clusterrolebinding: #{binding['roleRef']['name']}" do
+      subject { sa['name'] }
+      it { should_not eq 'default' }
+    end
+  end
+
+  service_accounts = json(command:"kubectl get serviceaccount -A -o json").params['items']
+
+  service_accounts.each do |sa|
+    next unless sa['metadata']['name'].eql?('default')
+    describe "Default service account in namespace:#{sa['metadata']['namespace']}" do
+      subject { sa }
+      its(['automountServiceAccountToken']) { should cmp 'false'}
+    end
   end
 end

controls/eks-cis-4.3.2.rb

@@ -42,20 +42,23 @@
 
   namespaces = command('kubectl get namespace -o=custom-columns=:.metadata.name --no-headers').stdout.split
 
-  if namespaces?
-    namespaces.each do |namespace|
-      namespace_network_policy = command(
+  if namespaces != []
+    # filter for the namespaces that do not have a defined network policy (i.e. checking for the policy returns empty string)
+    noncompliant_namespaces = namespaces.filter_map { |namespace| 
+      namespace if command(
         "kubectl get networkpolicy -n #{namespace} -o=custom-columns=:.metadata.name --no-headers"
-      ).stdout
-      describe "Namespace \"#{namespace}\" should have a defined network policy, network policy query result" do
-        subject { namespace_network_policy }
-        it { should_not be_empty }
+      ).stdout == ""
+    }
+    describe "Each namespace" do
+      it "should have a defined network policy" do 
+        fail_msg = "Namespaces with missing network policies: #{noncompliant_namespaces}"
+        expect(noncompliant_namespaces).to be_empty, fail_msg
       end
     end
   else
-    describe 'Query for namespaces failed' do
+    describe 'No namespaces defined' do
       subject { namespaces }
-      it { should exist }
+      it { should_not eq [] }
     end
   end
 end

inspec.yml

@@ -12,15 +12,13 @@ inputs:
     description: "The name of the EKS cluster under test"
     type: String
     required: true
-    value: ""
-    # ex. "my-test-cluster"
+    # value: "my-test-cluster-name"
 
   - name: cluster-region
     description: "The region hosting the EKS cluster under test"
     type: String
     required: true
-    value: ""
-    # ex. "us-east-1"
+    # value: "us-east-1"
 
   # 4.1.1
   - name: allowed_cluster_admin_principals
@@ -33,5 +31,4 @@ inputs:
   - name: allowlist_cidr_blocks
     description: "IPs from within these CIDR blocks should be the only ones allowed to access the cluster via k8s API from outside the VPC"
     type: Array
-    value:
-    # ex. ["0.0.0.0/0"]
+    # value: ["0.0.0.0/0"]