Skip to main content

lacework-global-365

5.6.1 Consider Fargate for running untrusted workloads (Manual)

Profile Applicability

• Level 1

Description

It is Best Practice to restrict or fence untrusted workloads when running in a multi-tenant environment.

Rationale

CIS does not provide the rationale behind for this recommendation.

Audit

CIS does not provide audit instructions for this recommendation.

Remediation

Create a Fargate profile for your cluster Before you can schedule pods running on Fargate in your cluster, you must define a Fargate profile that specifies which pods Fargate should use when they are launched. For more information, see AWS Fargate profile.

Note If you created your cluster with eksctl using the --fargate option, then a Fargate profile has already been created for your cluster with selectors for all pods in the kube-system and default namespaces. Use the following procedure to create Fargate profiles for any other namespaces you would like to use with Fargate:

via eksctl CLI Create your Fargate profile with the following eksctl command, replacing the variable text with your own values. You must specify a namespace, but the labels option is not required:

eksctl create fargateprofile --cluster cluster_name --name fargate_profile_name --namespace kubernetes_namespace --labels key=value

via AWS Management Console

To create a Fargate profile for a cluster with the AWS Management Console

  1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
  2. Choose the cluster to create a Fargate profile for.
  3. Under Fargate profiles, choose Add Fargate profile.
  4. On the Configure Fargate profile page, enter the following information and choose Next.
  • For Name, enter a unique name for your Fargate profile.
  • For Pod execution role, choose the pod execution role to use with your Fargate profile. Only IAM roles with the eks-fargate-pods.amazonaws.com service principal are shown. If you do not see any roles listed here, you must create one. For more information, see Pod execution role.
  • For Subnets, choose the subnets to use for your pods. By default, all subnets in your cluster's VPC are selected. Only private subnets are supported for pods running on Fargate; you must deselect any public subnets.
  • For Tags, you can optionally tag your Fargate profile. These tags do not propagate to other resources associated with the profile, such as its pods.
  1. On the Configure pods selection page, enter the following information and choose Next.
  • For Namespace, enter a namespace to match for pods, such as kube-system or default.
  • (Optional) Add Kubernetes labels to the selector that pods in the specified namespace must have to match the selector. For example, you could add the label infrastructure: fargate to the selector so that only pods in the specified namespace that also have the infrastructure: fargate Kubernetes label match the selector.
  1. On the Review and create page, review the information for your Fargate profile and choose Create.

References

https://docs.aws.amazon.com/eks/latest/userguide/fargate.html https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html