added policy to check public cluster access for eks

avd_docs/aws/eks/AVD-AWS-0195/docs.md

@@ -0,0 +1,13 @@
+
+EKS Clusters should have the public access disabled
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
+
+

avd_docs/kubernetes/general/AVD-KSV-01010/docs.md

@@ -2,7 +2,7 @@
 Storing sensitive content such as usernames and email addresses in configMaps is unsafe
 
 ### Impact
-Unsafe storage of sensitive content in configMaps could lead to the information being compromised.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/kubernetes/general/AVD-KSV-0107/docs.md

@@ -1,10 +1,13 @@
 
-apiVersion and kind has been deprecated
+apiVersion '' and kind '' has been deprecated on: '' and planned for removal on:''
 
 ### Impact
 <!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
+### Links
+- 
+
 

avd_docs/kubernetes/general/AVD-KSV-0108/docs.md

@@ -2,8 +2,8 @@
 Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554
 
 ### Impact
-Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
-https://www.cvedetails.com/cve/CVE-2020-8554/
+<!-- Add Impact here -->
+
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 

avd_docs/kubernetes/general/AVD-KSV-0109/docs.md

@@ -2,7 +2,7 @@
 Storing secrets in configMaps is unsafe
 
 ### Impact
-Unsafe storage of secret content in configMaps could lead to the information being compromised.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

internal/rules/policies/cloud/policies/aws/eks/no_public_cluster_access.rego

@@ -0,0 +1,25 @@
+# METADATA
+# title: "EKS Public Aceess"
+# description: "EKS Clusters should have the public access disabled"
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
+# custom:
+#   avd_id: AVD-AWS-0195
+#   provider: aws
+#   service: eks
+#   severity: CRITICAL
+#   short_code: no-public-cluster-access
+#   recommended_action: "EKS clusters are available publicly by default, this should be explicitly disabled in the vpc_config of the EKS cluster resource."
+#   input:
+#     selector:
+#     - type: cloud
+package builtin.aws.eks.aws0195
+
+deny[res] {
+	cluster := input.aws.eks.clusters[_]
+	cluster.publicaccessenabled.value
+	res := result.new("Public cluster access is enabled.", cluster.publicaccessenabled)
+}

internal/rules/policies/cloud/policies/aws/eks/no_public_cluster_access_test.rego

@@ -0,0 +1,11 @@
+package builtin.aws.eks.aws0195
+
+test_detects_when_disabled {
+	r := deny with input as {"aws": {"eks": {"clusters": [{"publicaccessenabled": {"value": false}}]}}}
+	count(r) == 0
+}
+
+test_when_enabled {
+	r := deny with input as {"aws": {"eks": {"clusters": [{"publicaccessenabled": {"value": true}}]}}}
+	count(r) == 1
+}