Require aws-node DaemonSet use IRSA
According to EKS best practices, the `aws-node` DaemonSet is configured to use a role assigned to the EC2 instances to assign IPs to Pods. This role includes several AWS managed policies that effectively allow all Pods running on a Node to attach/detach ENIs, assign/unassign IP addresses, or pull images from ECR. Since this presents a risk to your cluster, it is recommended that you update the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount.
Policy Definition
/aws/require-aws-node-irsa/require-aws-node-irsa.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-aws-node-irsa
  annotations:
    policies.kyverno.io/title: Require aws-node DaemonSet use IRSA
    policies.kyverno.io/category: AWS, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: DaemonSet
    kyverno.io/kyverno-version: 1.8.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      According to EKS best practices, the `aws-node` DaemonSet is configured to use
      a role assigned to the EC2 instances to assign IPs to Pods. This role includes
      several AWS managed policies that effectively allow all Pods running on a Node
      to attach/detach ENIs, assign/unassign IP addresses, or pull images from ECR.
      Since this presents a risk to your cluster, it is recommended that you update
      the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet
      running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: validate-node-daemonset-irsa
    match:
      any:
      - resources:
          kinds:
          - DaemonSet
          names:
          - aws-node
          namespaces:
          - kube-system
    validate:
      message: "Update the aws-node daemonset to use IRSA."
      pattern:
        spec:
          template:
            spec:
              serviceAccountName: "!aws-node"
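The rule above reduces to one comparison on the DaemonSet's pod template, which makes it easy to reproduce offline, for example when auditing manifests exported from a cluster before Kyverno is installed. The following Python is an added example, not Kyverno's own code or part of this policy: it mirrors the rule's match block and its `"!aws-node"` pattern, and then goes one step beyond the policy (an assumption on my part, not something the policy checks) by requiring that the ServiceAccount the DaemonSet now references carries the `eks.amazonaws.com/role-arn` annotation that binds it to an IAM role under IRSA, since merely renaming the account does not grant a role. The manifests, the rule name `check-irsa-annotation` and the role ARN are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List

# Annotation through which IRSA binds a ServiceAccount to an IAM role.
IRSA_ROLE_ANNOTATION = "eks.amazonaws.com/role-arn"
# Message taken from the policy's validate block.
POLICY_MESSAGE = "Update the aws-node daemonset to use IRSA."


@dataclass(frozen=True)
class Finding:
    rule: str
    message: str


def check_aws_node_daemonset(daemonset: dict, service_accounts: Dict[str, dict]) -> List[Finding]:
    """Evaluate one DaemonSet manifest (parsed into a dict) against the policy.

    First check mirrors the Kyverno rule: for kube-system/aws-node the field
    spec.template.spec.serviceAccountName must be present and must not be "aws-node".
    Second check is an assumption beyond the policy: the referenced ServiceAccount,
    looked up by "namespace/name", must carry the IRSA role annotation.
    """
    findings: List[Finding] = []
    meta = daemonset.get("metadata", {})
    if meta.get("name") != "aws-node" or meta.get("namespace") != "kube-system":
        return findings  # outside the rule's match block: nothing to evaluate

    pod_spec = daemonset.get("spec", {}).get("template", {}).get("spec", {})
    sa_name = pod_spec.get("serviceAccountName")
    # Pattern "!aws-node": the field must exist and differ from "aws-node".
    # A missing field is treated as a violation here (conservative choice in this example).
    if sa_name is None or sa_name == "aws-node":
        findings.append(Finding("validate-node-daemonset-irsa", POLICY_MESSAGE))
        return findings

    sa = service_accounts.get(f"kube-system/{sa_name}", {})
    annotations = sa.get("metadata", {}).get("annotations") or {}
    if not annotations.get(IRSA_ROLE_ANNOTATION):
        findings.append(Finding(
            "check-irsa-annotation",  # hypothetical extra rule, not in the policy
            f"ServiceAccount kube-system/{sa_name} lacks the {IRSA_ROLE_ANNOTATION} annotation.",
        ))
    return findings


def make_daemonset(service_account: str, name: str = "aws-node", namespace: str = "kube-system") -> dict:
    """Constructed sample: a minimal aws-node DaemonSet manifest, not a real cluster export."""
    return {
        "apiVersion": "apps/v1",
        "kind": "DaemonSet",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"template": {"spec": {"serviceAccountName": service_account,
                                       "containers": [{"name": "aws-node", "image": "PLACEHOLDER"}]}}},
    }


# Constructed sample ServiceAccounts keyed by "namespace/name"; the ARN is a placeholder.
SERVICE_ACCOUNTS: Dict[str, dict] = {
    "kube-system/aws-node-irsa": {
        "apiVersion": "v1", "kind": "ServiceAccount",
        "metadata": {"name": "aws-node-irsa", "namespace": "kube-system",
                     "annotations": {IRSA_ROLE_ANNOTATION: "arn:aws:iam::123456789012:role/PLACEHOLDER-cni-role"}},
    },
    "kube-system/aws-node-plain": {
        "apiVersion": "v1", "kind": "ServiceAccount",
        "metadata": {"name": "aws-node-plain", "namespace": "kube-system"},
    },
}


if __name__ == "__main__":
    for sa in ("aws-node", "aws-node-irsa", "aws-node-plain"):
        result = check_aws_node_daemonset(make_daemonset(sa), SERVICE_ACCOUNTS)
        status = "PASS" if not result else "; ".join(f"{f.rule}: {f.message}" for f in result)
        print(f"serviceAccountName={sa}: {status}")
```

Running the block reports the DaemonSet that still uses `aws-node` as a violation of `validate-node-daemonset-irsa`, passes the one whose account carries the role annotation, and flags the renamed-but-unannotated account under the extra check; a DaemonSet outside `kube-system/aws-node` produces no findings, matching the policy's match block.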