lacework-global-365
5.6.1 Consider Fargate for running untrusted workloads (Manual)
Profile Applicability
• Level 1
Description
It is Best Practice to restrict or fence untrusted workloads when running in a multi-tenant environment.
Rationale
CIS does not provide the rationale behind for this recommendation.
Audit
CIS does not provide audit instructions for this recommendation.
Remediation
Create a Fargate profile for your cluster Before you can schedule pods running on Fargate in your cluster, you must define a Fargate profile that specifies which pods Fargate should use when they are launched. For more information, see AWS Fargate profile.
Note
If you created your cluster with eksctl using the --fargate
option, then a Fargate profile has already been created for your cluster with selectors for all pods in the kube-system and default namespaces. Use the following procedure to create Fargate profiles for any other namespaces you would like to use with Fargate:
via eksctl CLI Create your Fargate profile with the following eksctl command, replacing the variable text with your own values. You must specify a namespace, but the labels option is not required:
eksctl create fargateprofile --cluster cluster_name --name fargate_profile_name --namespace kubernetes_namespace --labels key=value
via AWS Management Console
To create a Fargate profile for a cluster with the AWS Management Console
- Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
- Choose the cluster to create a Fargate profile for.
- Under Fargate profiles, choose Add Fargate profile.
- On the Configure Fargate profile page, enter the following information and choose Next.
- For Name, enter a unique name for your Fargate profile.
- For Pod execution role, choose the pod execution role to use with your Fargate profile. Only IAM roles with the eks-fargate-pods.amazonaws.com service principal are shown. If you do not see any roles listed here, you must create one. For more information, see Pod execution role.
- For Subnets, choose the subnets to use for your pods. By default, all subnets in your cluster's VPC are selected. Only private subnets are supported for pods running on Fargate; you must deselect any public subnets.
- For Tags, you can optionally tag your Fargate profile. These tags do not propagate to other resources associated with the profile, such as its pods.
- On the Configure pods selection page, enter the following information and choose Next.
- For Namespace, enter a namespace to match for pods, such as kube-system or default.
- (Optional) Add Kubernetes labels to the selector that pods in the specified namespace must have to match the selector. For example, you could add the label
infrastructure: fargate
to the selector so that only pods in the specified namespace that also have theinfrastructure: fargate
Kubernetes label match the selector.
- On the Review and create page, review the information for your Fargate profile and choose Create.
References
https://docs.aws.amazon.com/eks/latest/userguide/fargate.html https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html