Selecting the correct Node(s) provisioned by Karpenter is a way to specify the appropriate resource landing zone for a workload. This policy injects a nodeSelector map into the Pod based on the Namespace type where it is deployed.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: add-karpenter-nodeselectorannotations:policies.kyverno.io/title: Add Karpenter nodeSelectorpolicies.kyverno.io/category: Karpenter, EKS Best Practicespolicies.kyverno.io/severity: mediumpolicies.kyverno.io/subject: Podkyverno.io/kyverno-version: 1.7.1policies.kyverno.io/minversion: 1.6.0kyverno.io/kubernetes-version: "1.23"policies.kyverno.io/description: Selecting the correct Node(s) provisioned by Karpenter is a way to specify the appropriate resource landing zone for a workload. This policy injects a nodeSelector map into the Pod based on the Namespace type where it is deployed.spec:rules:- name: add-mediummatch:any:- resources:kinds:- PodnamespaceSelector:matchLabels:type: mediummutate:patchStrategicMerge:spec:nodeSelector:kubernetes.io/arch: amd64karpenter.sh/capacity-type: spot- name: add-largematch:any:- resources:kinds:- PodnamespaceSelector:matchLabels:type: largemutate:patchStrategicMerge:spec:nodeSelector:kubernetes.io/arch: amd64karpenter.sh/capacity-type: on-demand
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
According to EKS best practices, the `aws-node` DaemonSet is configured to use a role assigned to the EC2 instances to assign IPs to Pods. This role includes several AWS managed policies that effectively allow all Pods running on a Node to attach/detach ENIs, assign/unassign IP addresses, or pull images from ECR. Since this presents a risk to your cluster, it is recommended that you update the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount.
By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created.