report.html
<!DOCTYPE html>
<head>
<meta charset="UTF-8">
<style>
.r1 {color: #00ff00; text-decoration-color: #00ff00}
.r2 {font-weight: bold}
.r3 {color: #008080; text-decoration-color: #008080; font-weight: bold}
.r4 {color: #00ff00; text-decoration-color: #00ff00; font-weight: bold}
.r5 {color: #800000; text-decoration-color: #800000}
.r6 {color: #008000; text-decoration-color: #008000}
body {
color: #000000;
background-color: #ffffff;
}
</style>
</head>
<html>
<body>
<code>
<pre style="font-family:Menlo,'DejaVu Sans Mono',consolas,'Courier New',monospace"><span class="r1">* * * * * * * * * * * * * * </span><span class="r2">HARDENEKS</span><span class="r1"> * * * * * * * * * * * * * * </span>
You are operating at us-east-<span class="r3">2</span>
You context is arn:aws:eks:us-east-<span class="r4">2:4244</span>3238<span class="r4">8155:c</span>luster/dev-demo
Your cluster name is dev-demo
You are using config.yaml as your config file
╭───────────────────────────────── <span class="r3">cluster_autoscaling rules</span> ─────────────────────────────────╮
│ ┏━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┓ │
│ ┃<span class="r2"> Section </span>┃<span class="r2"> Namespace </span>┃<span class="r2"> Rule </span>┃<span class="r2"> Resource </span>┃<span class="r2"> Resource Type </span>┃<span class="r2"> Resolution </span>┃ │
│ ┡━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━┩ │
│ │<span class="r5"> cluster_autos… </span>│<span class="r5"> Cluster Wide </span>│<span class="r5"> Cluster </span>│<span class="r5"> </span>│<span class="r5"> Deployment </span>│<span class="r5"> </span><a class="r5" href="https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/">Link</a><span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> Autoscaler or </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> Karpenter is </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> not deployed. </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r6"> cluster_autos… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Cross version </span>│<span class="r6"> </span>│<span class="r6"> Deployment </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/#operating-the-cluster-autoscaler">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> compatibility </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> between CA and </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> k8s is not </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> recommended. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> cluster_autos… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Auto discovery </span>│<span class="r6"> </span>│<span class="r6"> Deployment </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/#operating-the-cluster-autoscaler">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> is not enabled </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> for Cluster </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> Autoscaler. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> cluster_autos… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Cluster-autos… </span>│<span class="r6"> </span>│<span class="r6"> Deployment </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/#employ-least-privileged-access-to-the-iam-role">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> deployment </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> does not use a </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> dedicated IAM </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> Role (IRSA). </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> cluster_autos… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Cluster </span>│<span class="r6"> </span>│<span class="r6"> IAM Role </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/#employ-least-privileged-access-to-the-iam-role">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> autoscaler </span>│<span class="r6"> </span>│<span class="r6"> Action </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> role has </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> unnecessary </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> actions </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> assigned. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> cluster_autos… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Nodes are </span>│<span class="r6"> </span>│<span class="r6"> Node </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/#configuring-your-node-groups">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> recommended to </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> be part of a </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> managed noge </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> group. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ └────────────────┴──────────────┴────────────────┴──────────┴────────────────┴────────────┘ │
╰─────────────────────────────────────────────────────────────────────────────────────────────╯
╭───────────────────────────────────── <span class="r3">scalability rules</span> ─────────────────────────────────────╮
│ ┏━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┓ │
│ ┃<span class="r2"> Section </span>┃<span class="r2"> Namespace </span>┃<span class="r2"> Rule </span>┃<span class="r2"> Resource </span>┃<span class="r2"> Resource Type </span>┃<span class="r2"> Resolution </span>┃ │
│ ┡━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━┩ │
│ │<span class="r6"> control_plane </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> EKS Version </span>│<span class="r6"> </span>│<span class="r6"> Cluster </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#use-eks-124-or-above">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> Should be </span>│<span class="r6"> </span>│<span class="r6"> Version </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> greater or </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> equal to 1.24. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r5"> control_plane </span>│<span class="r5"> Cluster Wide </span>│<span class="r5"> `disable-compr… </span>│<span class="r5"> </span>│<span class="r5"> Compression </span>│<span class="r5"> </span><a class="r5" href="https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#disable-kubectl-compression">Link</a><span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> in kubeconfig </span>│<span class="r5"> </span>│<span class="r5"> Setting </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> should equal </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> True </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ └───────────────┴──────────────┴─────────────────┴──────────┴────────────────┴────────────┘ │
╰─────────────────────────────────────────────────────────────────────────────────────────────╯
╭────────────────────────────────────── <span class="r3">security rules</span> ───────────────────────────────────────╮
│ ┏━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┓ │
│ ┃<span class="r2"> Section </span>┃<span class="r2"> Namespace </span>┃<span class="r2"> Rule </span>┃<span class="r2"> Resource </span>┃<span class="r2"> Resource Type </span>┃<span class="r2"> Resolution </span>┃ │
│ ┡━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━━┩ │
│ │<span class="r6"> iam </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Don't bind </span>│<span class="r6"> </span>│<span class="r6"> ClusterRoleB… </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/iam/#review-and-revoke-unnecessary-anonymous-access">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> clusterroles </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> to </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> anonymous/un… </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> groups. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r5"> iam </span>│<span class="r5"> Cluster Wide </span>│<span class="r5"> EKS Cluster </span>│<span class="r5"> </span>│<span class="r5"> Cluster </span>│<span class="r5"> </span><a class="r5" href="https://aws.github.io/aws-eks-best-practices/security/docs/iam/#make-the-eks-cluster-endpoint-private">Link</a><span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> Endpoint is </span>│<span class="r5"> </span>│<span class="r5"> Endpoint </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> not Private. </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> iam </span>│<span class="r5"> Cluster Wide </span>│<span class="r5"> Update the </span>│<span class="r5"> aws-node </span>│<span class="r5"> Daemonset </span>│<span class="r5"> </span><a class="r5" href="https://aws.github.io/aws-eks-best-practices/security/docs/iam/#update-the-aws-node-daemonset-to-use-irsa">Link</a><span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> aws-node </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> daemonset to </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> use IRSA. </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> iam </span>│<span class="r5"> Cluster Wide </span>│<span class="r5"> Restrict </span>│<span class="r5"> i-03f8e01f9… </span>│<span class="r5"> Node </span>│<span class="r5"> </span><a class="r5" href="https://aws.github.io/aws-eks-best-practices/security/docs/iam/#when-your-application-needs-access-to-imds-use-imdsv2-and-increase-the-hop-limit-on-ec2-instances-to-2">Link</a><span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> access to the </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> instance </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> profile </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> assigned to </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> nodes. </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r6"> iam </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> ClusterRoles </span>│<span class="r6"> </span>│<span class="r6"> Cluster Role </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/iam/#employ-least-privileged-access-when-creating-rolebindings-and-clusterrolebindings">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> should not </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> have '*' in </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> Verbs or </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> Resources. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r5"> multi_tenan… </span>│<span class="r5"> Cluster Wide </span>│<span class="r5"> Namespaces </span>│<span class="r5"> default </span>│<span class="r5"> Namepsace </span>│<span class="r5"> </span><a class="r5" href="https://aws.github.io/aws-eks-best-practices/security/docs/multitenancy/#namespaces">Link</a><span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> should have </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> quotas </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> assigned. </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r6"> detective_c… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Enable </span>│<span class="r6"> </span>│<span class="r6"> Log </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/detective/#enable-audit-logs">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> control plane </span>│<span class="r6"> </span>│<span class="r6"> Configuration </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> logs for </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> auditing. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r5"> network_sec… </span>│<span class="r5"> Cluster Wide </span>│<span class="r5"> Install aws </span>│<span class="r5"> aws-private… </span>│<span class="r5"> Service </span>│<span class="r5"> </span><a class="r5" href="https://aws.github.io/aws-eks-best-practices/security/docs/network/#acm-private-ca-with-cert-manager">Link</a><span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> privateca </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> issuer for </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> your </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> certificates. </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> network_sec… </span>│<span class="r5"> Cluster Wide </span>│<span class="r5"> Namespaces </span>│<span class="r5"> default </span>│<span class="r5"> Service </span>│<span class="r5"> </span><a class="r5" href="https://aws.github.io/aws-eks-best-practices/security/docs/network/#create-a-default-deny-policy">Link</a><span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> that does not </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> have default </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> network deny </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> policies. </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r6"> encryption_… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> EBS Storage </span>│<span class="r6"> </span>│<span class="r6"> StorageClass </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/data/#encryption-at-rest">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> Classes </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> should have </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> encryption </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> parameter. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> encryption_… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> EFS </span>│<span class="r6"> </span>│<span class="r6"> PersistentVo… </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/data/#encryption-at-rest">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> Persistent </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> volumes </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> should have </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> tls mount </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> option. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> encryption_… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> EFS </span>│<span class="r6"> </span>│<span class="r6"> PersistentVo… </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/data/#use-efs-access-points-to-simplify-access-to-shared-datasets">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> Persistent </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> volumes </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> should </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> leverage </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> access </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> points. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> infrastruct… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Place worker </span>│<span class="r6"> </span>│<span class="r6"> Node </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/hosts/#deploy-workers-onto-private-subnets">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> nodes on </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> private </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> subnets. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r5"> infrastruct… </span>│<span class="r5"> Cluster Wide </span>│<span class="r5"> Enable Amazon </span>│<span class="r5"> </span>│<span class="r5"> Inspector </span>│<span class="r5"> </span><a class="r5" href="https://aws.github.io/aws-eks-best-practices/security/docs/hosts/#deploy-workers-onto-private-subnets">Link</a><span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> Inspector for </span>│<span class="r5"> </span>│<span class="r5"> Configuration </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> ec2 and ecr. </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> pod_security </span>│<span class="r5"> Cluster Wide </span>│<span class="r5"> Namespaces </span>│<span class="r5"> default </span>│<span class="r5"> Namespace </span>│<span class="r5"> </span><a class="r5" href="https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-standards-pss-and-pod-security-admission-psa">Link</a><span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> should have </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> psa modes. </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r6"> image_secur… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Make image </span>│<span class="r6"> </span>│<span class="r6"> ECR </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/image/#use-immutable-tags-with-ecr">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> tags </span>│<span class="r6"> </span>│<span class="r6"> Repository </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> immutable. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> iam </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Don't bind </span>│<span class="r6"> </span>│<span class="r6"> RoleBinding </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/iam/#review-and-revoke-unnecessary-anonymous-access">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> roles to </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> anonymous or </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> unauthentica… </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> groups. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> iam </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Roles should </span>│<span class="r6"> </span>│<span class="r6"> Role </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/iam/#employ-least-privileged-access-when-creating-rolebindings-and-clusterrolebindings">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> not have '*' </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> in Verbs or </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> Resources. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> iam </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Auto-mounting </span>│<span class="r6"> </span>│<span class="r6"> Pod </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/iam/#disable-auto-mounting-of-service-account-tokens">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> of Service </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> Account </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> tokens is not </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> allowed. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r5"> iam </span>│<span class="r5"> default </span>│<span class="r5"> Running as </span>│<span class="r5"> web-0 </span>│<span class="r5"> Pod </span>│<span class="r5"> </span><a class="r5" href="https://aws.github.io/aws-eks-best-practices/security/docs/iam/#run-the-application-as-a-non-root-user">Link</a><span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> root is not </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> allowed. </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r6"> iam </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Don't share </span>│<span class="r6"> </span>│<span class="r6"> Deployment </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/iam/#use-dedicated-service-accounts-for-each-application">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> service </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> accounts </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> between </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> Deployments. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> iam </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Don't share </span>│<span class="r6"> </span>│<span class="r6"> StatefulSet </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/iam/#use-dedicated-service-accounts-for-each-application">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> service </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> accounts </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> between </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> StatefulSets. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> iam </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Don't share </span>│<span class="r6"> </span>│<span class="r6"> DaemonSet </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/iam/#use-dedicated-service-accounts-for-each-application">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> service </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> accounts </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> between </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> DaemonSets. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> pod_security </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Container </span>│<span class="r6"> </span>│<span class="r6"> Pod </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/pods/#never-run-docker-in-docker-or-mount-the-socket-in-the-container">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> socket mounts </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> are not </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> allowed. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> pod_security </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Restrict the </span>│<span class="r6"> </span>│<span class="r6"> Pod </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/pods/#restrict-the-use-of-hostpath-or-if-hostpath-is-necessary-restrict-which-prefixes-can-be-used-and-configure-the-volume-as-read-only">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> use of </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> hostpath. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r5"> pod_security </span>│<span class="r5"> default </span>│<span class="r5"> Set requests </span>│<span class="r5"> web-0 </span>│<span class="r5"> Pod </span>│<span class="r5"> </span><a class="r5" href="https://aws.github.io/aws-eks-best-practices/security/docs/pods/#set-requests-and-limits-for-each-container-to-avoid-resource-contention-and-dos-attacks">Link</a><span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> and limits </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> for each </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> container. </span>│<span class="r5"> </span>│<span class="r5"> </span>│<span class="r5"> </span>│ │
│ │<span class="r6"> pod_security </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Set </span>│<span class="r6"> </span>│<span class="r6"> Pod </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/pods/#do-not-allow-privileged-escalation">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> allowPrivile… </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> in the pod </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> spec to </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> false. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> pod_security </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Configure </span>│<span class="r6"> </span>│<span class="r6"> Pod </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/pods/#configure-your-images-with-read-only-root-file-system">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> your images </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> with a </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> read-only </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> root file </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> system. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> network_sec… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Make sure you </span>│<span class="r6"> </span>│<span class="r6"> Service </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/network/#use-encryption-with-aws-load-balancers">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> specify an </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> ssl cert. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> encryption_… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Disallow </span>│<span class="r6"> </span>│<span class="r6"> Pod </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/data/#use-volume-mounts-instead-of-environment-variables">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> secrets from </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> env vars. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> runtime_sec… </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Capabilities </span>│<span class="r6"> </span>│<span class="r6"> Pod </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/security/docs/runtime/#consider-adddropping-linux-capabilities-before-writing-seccomp-policies">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> beyond the </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> allowed list </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> are </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> disallowed. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ └──────────────┴──────────────┴───────────────┴──────────────┴───────────────┴────────────┘ │
╰─────────────────────────────────────────────────────────────────────────────────────────────╯
╭───────────────────────────────────── <span class="r3">reliability rules</span> ─────────────────────────────────────╮
│ ┏━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┓ │
│ ┃<span class="r2"> Section </span>┃<span class="r2"> Namespace </span>┃<span class="r2"> Rule </span>┃<span class="r2"> Resource </span>┃<span class="r2"> Resource Type </span>┃<span class="r2"> Resolution </span>┃ │
│ ┡━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━━┩ │
│ │<span class="r6"> applications </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Metrics server is </span>│<span class="r6"> </span>│<span class="r6"> Service </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/reliability/docs/application/#run-kubernetes-metrics-server">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> not deployed. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> applications </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Deploy horizontal </span>│<span class="r6"> </span>│<span class="r6"> Deployment </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/reliability/docs/application/#horizontal-pod-autoscaler-hpa">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> pod autoscaler </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> for deployments. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> applications </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Spread replicas </span>│<span class="r6"> </span>│<span class="r6"> Deployment </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/reliability/docs/application/#schedule-replicas-across-nodes">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> across AZs and </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> Nodes. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> applications </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Avoid running </span>│<span class="r6"> </span>│<span class="r6"> Deployment </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/reliability/docs/application/#run-multiple-replicas">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> single replica </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> deployments. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> applications </span>│<span class="r6"> Cluster Wide </span>│<span class="r6"> Avoid running </span>│<span class="r6"> </span>│<span class="r6"> Pod </span>│<span class="r6"> </span><a class="r6" href="https://aws.github.io/aws-eks-best-practices/reliability/docs/application/#avoid-running-singleton-pods">Link</a><span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> pods without </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ │<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> deployments. </span>│<span class="r6"> </span>│<span class="r6"> </span>│<span class="r6"> </span>│ │
│ └──────────────┴──────────────┴───────────────────┴──────────┴───────────────┴────────────┘ │
╰─────────────────────────────────────────────────────────────────────────────────────────────╯
</pre>
</code>
</body>
</html>