in packages/constructs/L2/eks-constructs/lib/mdaa-kubectl-provider.ts [88:182]
/**
 * Builds the Lambda-backed custom-resource provider that issues kubectl commands
 * against `props.cluster`.
 *
 * The provider is a Python 3.13 `Function` (15 minute timeout) fronted by a
 * `Provider`; both are placed inside the cluster VPC only when the cluster exposes
 * `kubectlPrivateSubnets`. After construction `handlerRole` is the handler's
 * execution role, `serviceToken` the provider's service token, and `roleArn` the ARN
 * of the cluster's `kubectlRole` (the role the handler is expected to assume;
 * the handler code itself lives in `kubectl-handler` and is not visible here).
 *
 * @param scope - parent construct.
 * @param id - construct id.
 * @param props - carries the target cluster in `props.cluster`.
 * @throws Error when the cluster has no `kubectlRole`, or when private subnets are
 *   configured without a `kubectlSecurityGroup`.
 */
public constructor(scope: Construct, id: string, props: KubectlProviderProps) {
  super(scope, id);
  const { cluster } = props;

  if (!cluster.kubectlRole) {
    throw new Error('"kubectlRole" is not defined, cannot issue kubectl commands against this cluster');
  }
  // NOTE(review): the message says "kubectlSubnets" while the property checked is
  // kubectlPrivateSubnets; the text is kept verbatim here.
  if (cluster.kubectlPrivateSubnets && !cluster.kubectlSecurityGroup) {
    throw new Error('"kubectlSecurityGroup" is required if "kubectlSubnets" is specified');
  }

  // VPC placement shared by the handler and the provider. Every field is
  // undefined unless the cluster has private subnets, in which case the guard
  // above guarantees a security group as well. Called once per consumer so each
  // gets its own object/array, as in the original inline literals.
  const vpcPlacement = () => ({
    vpc: cluster.kubectlPrivateSubnets ? cluster.vpc : undefined,
    vpcSubnets: cluster.kubectlPrivateSubnets ? { subnets: cluster.kubectlPrivateSubnets } : undefined,
    securityGroups:
      cluster.kubectlPrivateSubnets && cluster.kubectlSecurityGroup ? [cluster.kubectlSecurityGroup] : undefined,
  });

  // 1024 MiB unless the cluster specifies a kubectl memory size.
  const memorySize = cluster.kubectlMemory?.toMebibytes() ?? 1024;

  // prettier-ignore
  const handler = new Function(this, 'Handler', { //NOSONAR false positive
    code: Code.fromAsset(path.join(__dirname, 'kubectl-handler')), //NOSONAR false positive
    runtime: Runtime.PYTHON_3_13,
    handler: 'index.handler',
    timeout: Duration.minutes(15),
    description: 'onEvent handler for EKS kubectl resource provider',
    memorySize,
    // LOG_LEVEL comes after the spread, so it overrides any LOG_LEVEL supplied
    // through cluster.kubectlEnvironment.
    environment: {
      ...cluster.kubectlEnvironment,
      LOG_LEVEL: 'INFO',
    },
    // When undefined, Function creates its own execution role.
    role: cluster.kubectlLambdaRole,
    ...vpcPlacement(),
  });

  // Tooling layers: the cluster may bring its own awscli/kubectl layers,
  // otherwise the defaults are created under this construct.
  handler.addLayers(cluster.awscliLayer ?? new AwsCliLayer(this, 'AwsCliLayer'));
  handler.addLayers(cluster.kubectlLayer ?? new KubectlV27Layer(this, 'KubectlLayer'));

  // Function always has a role (supplied or generated), so the assertion holds.
  this.handlerRole = handler.role!;

  const provider = new Provider(this, 'Provider', {
    onEventHandler: handler,
    ...vpcPlacement(),
  });
  this.serviceToken = provider.serviceToken;
  this.roleArn = cluster.kubectlRole.roleArn;

  // cdk-nag suppressions for the deployment-time-only Lambda and its roles.
  // The trailing `true` presumably applies them to every child of this construct
  // (confirm against MdaaNagSuppressions), so any resource added here later
  // inherits the IAM4/IAM5/L1 suppressions too.
  const concurrencyReason =
    'Function is used as Cfn Custom Resource only during deployment time. Concurrency managed via Cfn.';
  const dlqReason =
    'Function is used as Cfn Custom Resource only during deployment time. Error handling managed via Cfn.';
  const inlinePolicyReason = 'Policy statements are specific to custom resource.';

  MdaaNagSuppressions.addCodeResourceSuppressions(
    this,
    [
      {
        id: 'AwsSolutions-IAM4',
        reason: 'AWSLambdaBasicExecutionRole, AWSLambdaVPCAccessExecutionRole are least privilege.',
      },
      { id: 'AwsSolutions-IAM5', reason: 'Resource names not known at deployment time.' },
      { id: 'AwsSolutions-L1', reason: 'Function generated by EKS L2 construct.' },
      { id: 'NIST.800.53.R5-LambdaConcurrency', reason: concurrencyReason },
      { id: 'NIST.800.53.R5-LambdaDLQ', reason: dlqReason },
      { id: 'NIST.800.53.R5-IAMNoInlinePolicy', reason: inlinePolicyReason },
      { id: 'HIPAA.Security-LambdaConcurrency', reason: concurrencyReason },
      { id: 'PCI.DSS.321-LambdaConcurrency', reason: concurrencyReason },
      { id: 'HIPAA.Security-LambdaDLQ', reason: dlqReason },
      { id: 'PCI.DSS.321-LambdaDLQ', reason: dlqReason },
      { id: 'HIPAA.Security-IAMNoInlinePolicy', reason: inlinePolicyReason },
      { id: 'PCI.DSS.321-IAMNoInlinePolicy', reason: inlinePolicyReason },
    ],
    true,
  );
}