AWS CDK and EKS Preventive Controls

EKS Preventive Control

The pipeline in this solution starts with a commit to the CodeCommit repo containing the Kubernetes manifest files to be deployed onto the EKS cluster. CodeBuild then runs Conftest, prepackaged with the control policies, to validate the Kubernetes manifest files.

If any control policy is breached by the Kubernetes manifest files, CodeBuild stops the process and prevents the manifests from being deployed into the run-time environment. If all control policies are satisfied, the pipeline passes the validation step and moves on to deployment. The deployment step provisions an EKS cluster with an AWS managed worker node group and then deploys the Kubernetes manifests onto the cluster.
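A control policy of the kind Conftest evaluates in the CodeBuild validation step, written here as an added example rather than taken from the blog's policy pack: the four controls, the `manifests/` and `policy/` paths and the workload kinds it inspects are assumptions, while `package main`, the `deny` rule name and `conftest test --policy` are Conftest's own conventions.

```rego
package main

import rego.v1

# Assumed CodeBuild invocation (paths are assumptions):
#   conftest test manifests/ --policy policy/
# Conftest evaluates each YAML document as `input`; any `deny` result fails the build.

# Workload kinds whose pod template is inspected (assumption).
workload_kinds := {"Deployment", "StatefulSet", "DaemonSet"}

# "<kind>/<name>" label used in every denial message.
workload := sprintf("%s/%s", [input.kind, input.metadata.name])

# Every container in the workload's pod template.
containers contains c if {
	input.kind in workload_kinds
	some c in input.spec.template.spec.containers
}

# Control 1: no privileged containers.
deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("%s: container %q must not run privileged", [workload, c.name])
}

# Control 2: every container must declare CPU and memory limits.
deny contains msg if {
	some c in containers
	some resource in {"cpu", "memory"}
	not c.resources.limits[resource]
	msg := sprintf("%s: container %q must set resources.limits.%s", [workload, c.name, resource])
}

# Control 3: run as non-root, set at container level or inherited from the pod level.
deny contains msg if {
	some c in containers
	not c.securityContext.runAsNonRoot == true
	not input.spec.template.spec.securityContext.runAsNonRoot == true
	msg := sprintf("%s: container %q must set securityContext.runAsNonRoot: true", [workload, c.name])
}

# Control 4: no mutable :latest image tag.
deny contains msg if {
	some c in containers
	endswith(c.image, ":latest")
	msg := sprintf("%s: image %q must be pinned to a specific tag or digest", [workload, c.image])
}
```

A manifest that trips any rule produces a non-zero exit from `conftest test`, which is what stops the CodeBuild step before deployment.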

Tools

  • Amazon Elastic Kubernetes Services (EKS)
    A fully managed service that helps customers run Kubernetes clusters at scale by minimizing the effort required to operate the Kubernetes control plane.

  • AWS Cloud Development Kit (CDK)
    Infrastructure-as-code tool, used here to define the EKS cluster, the Kubernetes workloads and the CI/CD pipeline.

  • Conftest
    An open-source tool from the CNCF Open Policy Agent ecosystem, used here to automate preventative controls before the deployment step.

Steps

  1. Create a new empty AWS CodeCommit repo that will be used by the CI/CD pipeline as the code source.

  2. Download the blog source code from the AWS public repo and check it into the empty CodeCommit repo created in step 1.

  3. On the development terminal, run the CDK deploy command to provision the CI/CD pipeline.

  4. Validate that the Kubernetes validation step in the CI/CD pipeline stops the pipeline because the Kubernetes manifests violate the preventative control policies.

  5. Fix the Kubernetes manifests and push the changes to the CodeCommit repo.

  6. Validate that the CI/CD pipeline is triggered again and this time passes the Kubernetes validation step.

  7. Approve the manual approval step in the CI/CD pipeline.

  8. Validate that the pipeline successfully provisions an EKS cluster with the Kubernetes manifests via CDK deploy.
