
fix(security): harden EKS, ArgoCD, VPC, and Kyverno configs#3

Closed
somethingwithproof wants to merge 2 commits into main from security/fix-terraform-security-issues

Conversation

somethingwithproof (Owner) commented Feb 8, 2026

Summary

  • H14: Disable EKS API public endpoint (endpoint_public_access = false)
  • H15: Remove ArgoCD --insecure flag and switch service from LoadBalancer to ClusterIP
  • H16: Replace wildcard namespace (*) in ArgoCD project with explicit namespace list
  • M24: Add VPC flow logs with CloudWatch Logs destination and IAM role
  • M25: Mark cluster_endpoint output as sensitive = true
  • L17: Remove argocd and monitoring from Kyverno privileged container policy exclusions

Test plan

  • terraform validate passes for all modules
  • terraform plan shows expected changes
  • Verify EKS cluster is accessible only via private endpoint (VPN/bastion required)
  • Verify ArgoCD is accessible via port-forward or ingress, not direct LoadBalancer
  • Verify ArgoCD can only deploy to listed namespaces
  • Verify VPC flow logs appear in CloudWatch under /aws/vpc/flow-logs/
  • Verify Kyverno blocks privileged containers in argocd/monitoring namespaces
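The PR's diff is not shown on this page, so the following is an added Terraform example (not the PR author's code) sketching what the three Terraform-side items in the summary look like together: the private-only EKS control-plane endpoint (H14), VPC flow logs delivered to CloudWatch Logs through a dedicated IAM role (M24), and the `cluster_endpoint` output marked `sensitive` (M25). All resource and variable names, the log-group name suffix, and the retention period are assumptions; only the `/aws/vpc/flow-logs/` path comes from the test plan above.

```hcl
# Added example, not the PR's own code. Names, variables, the log-group
# suffix and the retention period are assumptions; VPC, subnet and role
# ids are supplied by the caller.

variable "cluster_name"     { type = string }
variable "vpc_id"           { type = string }
variable "subnet_ids"       { type = list(string) }
variable "cluster_role_arn" { type = string }

# H14: control plane reachable only from inside the VPC. Operators use a
# VPN or bastion, as the PR test plan describes; no public API endpoint.
resource "aws_eks_cluster" "this" {
  name     = var.cluster_name
  role_arn = var.cluster_role_arn

  vpc_config {
    subnet_ids              = var.subnet_ids
    endpoint_private_access = true
    endpoint_public_access  = false
  }
}

# M24: CloudWatch Logs destination for VPC flow logs.
resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
  name              = "/aws/vpc/flow-logs/${var.cluster_name}" # path from the test plan, suffix assumed
  retention_in_days = 90                                        # assumed retention
}

# Trust policy: only the VPC Flow Logs service may assume this role.
data "aws_iam_policy_document" "flow_logs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "vpc_flow_logs" {
  name               = "${var.cluster_name}-vpc-flow-logs"
  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume.json
}

# Permissions the flow-log service needs. Stream creation and event writes
# are scoped to this one log group; the Describe* calls are left on "*"
# as in the AWS-documented flow-log role policy.
data "aws_iam_policy_document" "flow_logs_write" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.vpc_flow_logs.arn}:*"]
  }
  statement {
    actions   = ["logs:DescribeLogGroups", "logs:DescribeLogStreams"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "vpc_flow_logs" {
  name   = "write-flow-logs"
  role   = aws_iam_role.vpc_flow_logs.id
  policy = data.aws_iam_policy_document.flow_logs_write.json
}

resource "aws_flow_log" "vpc" {
  vpc_id               = var.vpc_id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.vpc_flow_logs.arn
  iam_role_arn         = aws_iam_role.vpc_flow_logs.arn
}

# M25: keep the API endpoint URL out of plain-text plan/apply output and CI logs.
output "cluster_endpoint" {
  value     = aws_eks_cluster.this.endpoint
  sensitive = true
}
```

With the variables set, `terraform validate` and `terraform plan` (the first two items of the test plan) exercise this layout; the plan should show `endpoint_public_access = false`, a new `aws_flow_log` pointing at the log group, and the output value redacted as sensitive.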

somethingwithproof and others added 2 commits February 7, 2026 20:48
- H14: Disable EKS API public endpoint access
- H15: Remove ArgoCD --insecure flag and switch to ClusterIP service
- H16: Replace wildcard namespace in ArgoCD project with explicit list
- M24: Add VPC flow logs with CloudWatch destination
- M25: Mark cluster_endpoint output as sensitive
- L17: Remove argocd/monitoring from Kyverno privileged container exclusions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
somethingwithproof (Owner, Author) commented:
Replacing with clean security branch
