Add ip[6]tables support for Pod Identity feature

cis-bottlerocket-benchmark-eks/bottlerocket-cis-bootstrap-image/bootstrap-script.sh

@@ -8,9 +8,13 @@ iptables -P INPUT DROP
 iptables -P OUTPUT DROP
 iptables -P FORWARD DROP
 
-# Allow inbound traffic for kubelet (so kubectl logs/exec works)
+# 3.4.1.1.1 Allow inbound traffic for kubelet (so kubectl logs/exec works)
 iptables -I INPUT -p tcp -m tcp --dport 10250 -j ACCEPT
 
+# 3.4.1.1.2 Allow inbound traffic to communicate with Pod Identity
+iptables -I INPUT -d 169.254.170.23/32 -p tcp -m tcp --dport 80 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+iptables -I INPUT -d 169.254.170.23/32 -p tcp -m tcp --dport 2703 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+
 # 3.4.1.2 Ensure IPv4 loopback traffic is configured (Automated)
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
@@ -32,9 +36,13 @@ ip6tables -P INPUT DROP
 ip6tables -P OUTPUT DROP
 ip6tables -P FORWARD DROP
 
-# Allow inbound traffic for kubelet on ipv6 if needed (so kubectl logs/exec works)
+# 3.4.2.1.1 Allow inbound traffic for kubelet on ipv6 if needed (so kubectl logs/exec works)
 ip6tables -A INPUT -p tcp --destination-port 10250 -j ACCEPT
 
+# 3.4.2.1.2 Allow inbound traffic to communicate with Pod Identity
+ip6tables -I INPUT -d fd00:ec2::23/128 -p tcp -m tcp --dport 80 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+ip6tables -I INPUT -d fd00:ec2::23/128 -p tcp -m tcp --dport 2703 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+
 # 3.4.2.2 Ensure IPv6 loopback traffic is configured (Automated)
 ip6tables -A INPUT -i lo -j ACCEPT
 ip6tables -A OUTPUT -o lo -j ACCEPT

cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh

@@ -8,7 +8,7 @@ echo "This tool validates the Amazon EKS optimized AMI against CIS Bottlerocket
 
 
 Num_Of_Checks_Passed=0
-Total_Num_Of_Checks=26
+Total_Num_Of_Checks=30
 
 function checkSysctlConfig()
 {
@@ -285,6 +285,33 @@ else
     echo "Error Message: inputChain=$inputChain ForwardChain=$ForwardChain OutputChain=$OutputChain"
 fi
 
+RECOMMENDATION="3.4.1.1.1 Allow inbound traffic for kubelet"
+InputKubeletAccept=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep "dpt:10250")
+if [[ ! -z "$InputKubeletAccept" ]];
+then
+    echo "[PASS] $RECOMMENDATION"
+    Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+    echo "[FAIL] $RECOMMENDATION"
+    echo "Error Message: Rule for allowing inbound traffic for kubelet not found"
+fi
+#echo $InputKubeletAccept
+
+
+RECOMMENDATION="3.4.1.1.2 Allow inbound traffic to communicate with Pod Identity"
+InputPodIdentityAccept1=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep "169.254.170.23" | grep "dpt:80")
+InputPodIdentityAccept2=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep "169.254.170.23" | grep "dpt:2703")
+if [[ ! -z "$InputPodIdentityAccept1" ]] && [[ ! -z "$InputPodIdentityAccept2" ]];
+then
+    echo "[PASS] $RECOMMENDATION"
+    Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+    echo "[FAIL] $RECOMMENDATION"
+    echo "Error Message: Rule for allowing inbound traffic for Pod Identity not found"
+fi
+#echo $InputPodIdentityAccept
+
+
 RECOMMENDATION="3.4.1.2 Ensure IPv4 loopback traffic is configured (Automated)"
 InputAccept=$(iptables -L INPUT -v -n | grep "ACCEPT     all" | awk '{print $8}')
 if [[ -z "$InputAccept" ]];
@@ -396,6 +423,33 @@ else
 fi
 
 
+RECOMMENDATION="3.4.2.1.1 Allow inbound traffic for kubelet"
+InputKubeletAccept=$(ip6tables -L INPUT -v -n | grep "ACCEPT" | grep "dpt:10250")
+if [[ ! -z "$InputKubeletAccept" ]];
+then
+    echo "[PASS] $RECOMMENDATION"
+    Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+    echo "[FAIL] $RECOMMENDATION"
+    echo "Error Message: Rule for allowing inbound traffic for kubelet not found"
+fi
+#echo $InputKubeletAccept
+
+
+RECOMMENDATION="3.4.2.1.2 Allow inbound traffic to communicate with Pod Identity"
+InputPodIdentityAccept1=$(ip6tables -L INPUT -v -n | grep "ACCEPT" | grep "fd00:ec2::23" | grep "dpt:80")
+InputPodIdentityAccept2=$(ip6tables -L INPUT -v -n | grep "ACCEPT" | grep "fd00:ec2::23" | grep "dpt:2703")
+if [[ ! -z "$InputPodIdentityAccept1" ]] && [[ ! -z "$InputPodIdentityAccept2" ]];
+then
+    echo "[PASS] $RECOMMENDATION"
+    Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+    echo "[FAIL] $RECOMMENDATION"
+    echo "Error Message: Rule for allowing inbound traffic for Pod Identity not found"
+fi
+#echo $InputPodIdentityAccept
+
+
 RECOMMENDATION="3.4.2.2 Ensure IPv6 loopback traffic is configured (Automated)"
 InputAccept=$(ip6tables -L INPUT -v -n | grep "ACCEPT     all" | awk '{print $7}')
 if [[ -z "$InputAccept" ]];
@@ -506,4 +560,4 @@ else
     echo "Error Message: journal permissions=$journal_perms"
 fi
 
-echo "$Num_Of_Checks_Passed/$Total_Num_Of_Checks checks passed"
+echo "$Num_Of_Checks_Passed/$Total_Num_Of_Checks checks passed"