
Lightspin EKS Creation Engine

The Amazon Elastic Kubernetes Service (EKS) Creation Engine (ECE) is a Python command-line program created by the Lightspin Office of the CISO to facilitate the creation and enablement of secure EKS Clusters, optionally further assured with continual Kubernetes Security Posture Management (KSPM), Runtime Protection, and Application Performance Monitoring (APM) capabilities.

What is this 👀 👀 ??

As stated above, ECE is a Python utility that creates a fully functioning EKS Cluster, complete with Nodegroups built from EC2 Launch Templates, since it was designed for creating EKS Nodegroups from custom AMIs with custom bootstrapping.

At a high-level ECE...

  • Supports the full lifecycle of EKS management: Creation, Deletion, Rollbacks, and Updates
  • Bootstraps Nodegroups based on IMDSv2 and Custom AMIs (currently supports Amazon Linux 2 & Ubuntu 20.04 LTS, Arm64 & Amd64)
  • Authorizes additional IAM Principals into your Cluster
  • Installs and configures Microsoft Defender for Endpoint (MDE), Sysdig's Falco & FalcoSidekick, and/or Datadog if desired
  • Performs Kubernetes Security Posture Management (KSPM) tasks using Aqua Security's Trivy (vulnerability management) and Kube-bench (EKS CIS Benchmarking), writing the results to a SARIF JSON Report

After creating a Cluster with ECE, you are free to use your own tools such as eksctl or Terraform to further extend!

It is very easy to get started: just provide a VPC ID and two matching private Subnet IDs.

python3 main.py \
    --subnets subnet-123 subnet-456 \
    --vpcid vpc-123

Why use this over IAC 🤨 🤨 ??

tl;dr = ECE will create a secure cluster the first time, every time, and support the security of your clusters throughout their lifetime better than AWS' own defaults.

For those using the Console, APIs, CLI, or SDKs to create a Cluster, AWS provides neither the best experience nor secure defaults - but ECE does.

Feature Default-by-AWS Default-by-ECE
Public API Endpoint
API Server Logging
Audit Logging
Authenticator Logging
Controller Manager Logging
Scheduler Logging
Secrets Envelope Encryption
Node Volume Encryption
Minimum Necessary Security Group Permissions
Minimum Necessary IAM Role Permissions
KMS Key Generation
IMDSv2 on Nodes
EDR on Nodes
Dynamic Custom AMI bootstrapping
Falco Configuration by Default
FalcoSidekick Configuration by Default
CIS Benchmarking
Container Vulnerability Scanning

Note: Yes, we realize we are being cheeky with a lot of comparisons and features that AWS shouldn't be expected to provide, it's still concerning that AWS does not conform to their own best practices for defaults.
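To see how far an AWS-default cluster sits from the control-plane settings in the table above, here is an added posture check (not part of the ECE project's code) that inspects the dict returned by the EKS DescribeCluster API (boto3's `eks.describe_cluster(name=...)["cluster"]`) and reports which settings are missing. The sample response embedded below is constructed to resemble an AWS-default cluster; the cluster name and KMS key ARN are placeholders.

```python
"""Check an EKS DescribeCluster response against the secure defaults above.

Added example, not ECE's own code. Covers the control-plane rows of the
comparison table: public API endpoint, the five control plane log types,
and secrets envelope encryption with a KMS key.
"""
from typing import Dict, List

REQUIRED_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}


def check_cluster_posture(cluster: Dict) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # Public API endpoint: AWS enables it by default, ECE does not.
    vpc_cfg = cluster.get("resourcesVpcConfig", {})
    if vpc_cfg.get("endpointPublicAccess", True):
        findings.append("API endpoint is publicly reachable; prefer private endpoint access")
    if not vpc_cfg.get("endpointPrivateAccess", False):
        findings.append("private API endpoint access is disabled")

    # Control plane logging: each log type must appear in an enabled entry.
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    for log_type in sorted(REQUIRED_LOG_TYPES - enabled):
        findings.append(f"control plane log type '{log_type}' is not enabled")

    # Secrets envelope encryption: needs a KMS key ARN bound to "secrets".
    envelope = any(
        "secrets" in cfg.get("resources", []) and cfg.get("provider", {}).get("keyArn")
        for cfg in cluster.get("encryptionConfig", [])
    )
    if not envelope:
        findings.append("secrets envelope encryption with a KMS key is not configured")

    return findings


# Constructed sample in the shape of DescribeCluster output for an AWS-default cluster.
SAMPLE_DEFAULT_CLUSTER = {
    "name": "example-cluster",  # placeholder
    "resourcesVpcConfig": {"endpointPublicAccess": True, "endpointPrivateAccess": False},
    "logging": {"clusterLogging": [{"types": sorted(REQUIRED_LOG_TYPES), "enabled": False}]},
    "encryptionConfig": [],
}

if __name__ == "__main__":
    for finding in check_cluster_posture(SAMPLE_DEFAULT_CLUSTER) or ["no findings"]:
        print(finding)
```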

While Infrastructure-as-Code (IAC) tools such as AWS CloudFormation and HashiCorp's Terraform are the preferred vehicles for defining infrastructure, they can be complicated to write and maintain when getting started with AWS EKS. They also lack native capabilities to reach into clusters and perform post-provisioning configuration without the use of custom resources (CFN) or locals and external providers (TF). This utility provides similar behavior patterns (create, update, rollback) and can be used to quickly tune parameters and change conditions which are static within IAC. Further, ECE is also a security tool used for vulnerability management, runtime protection configuration, and posture management in addition to being an IAC tool - something CloudFormation and Terraform would need additional infrastructure templates and outside tools to achieve.

How do I use this 🤔 🤔 ??

Read the Docs here

FAQ 😌 😌 ??

Read the FAQ here

How can I contribute ↗️ ↗️ ??

We are happy to take contributions from anywhere that will help expand this project. Some things that immediately come to mind...

  • Saving configurations to YAML/JSON and reading from them.
  • Support installing more software onto EKS Nodes (e.g., CloudWatch Agent, Kinesis Data Agent, Wazuh, etc.)
  • Functionality for adding Nodegroups to existing Clusters.
  • Spot provider & Fargate Profile support for Nodegroups, and an option to not use Nodegroups
  • Create more Plugins for various utilities (e.g., Calico, OPA, NGINX Ingress Controller, etc.)

Contact Us 📞 📞

For more information, contact us at [email protected].

License ✳️ ✳️

This repository is available under the Apache License 2.0.