Removing 'meep' Dataflow that was used for testing
hyakuhei committed Jul 22, 2021
1 parent 5b9454a commit 3e73c0a
Showing 6 changed files with 25 additions and 40 deletions.
44 changes: 22 additions & 22 deletions example_aws_eks_add_on_permissions.py
Expand Up @@ -11,21 +11,26 @@
"Create an IAM OIDC provider for cluster":[
DataFlow(
Actor("User"),
Process("IAM API").inBoundary(Boundary("IAM CP").inBoundary("AWS SVCs")),
TLS(SIGV4("Create OIDC provider")),
response=TLS("OIDC URL")
Process("EKS").inBoundary("AWS SVCs"),
TLS(SIGV4("Create OIDC endpoint")),
response="OIDC provider URL"
),
DataFlow(
Actor("User"),
Process("IAM").inBoundary("AWS SVCs"),
TLS(SIGV4("Add OIDC provider,\n OIDC provider URL"))
)
],
"Create an IAM policy & role to allow CPI addon to manage VPC":[
DataFlow(
Actor("User"),
Process("IAM API"),
Process("IAM"),
TLS(SIGV4("Create Policy")),
response = TLS("Policy ARN")
),
DataFlow(
Actor("User"),
Process("IAM API"),
Process("IAM"),
TLS(SIGV4("Create Role,\nTrusted Entity: Web Identity,\nIdentity Provider: OIDC URL,\nAttach Policy: Policy ARN")),
response=TLS("Role ARN")
)
Expand All @@ -40,40 +45,35 @@
"Deploy Addon":[
DataFlow(
Actor("User"),
Process("EKS API").inBoundary(Boundary("EKS CP").inBoundary(Boundary("AWS SVCs"))),
Process("EKS"),
TLS(SIGV4("Create add-on CNI,\nCluster: $clusterID"))
),
DataFlow(
Process("EKS API"),
Process("EKS"),
Process("Kube API"),
TLS("Create deployment CNI addon\nRole: Role ARN")
TLS("Deployment Spec: CNI addon\nRole: Role ARN")
),
DataFlow(
Process("Kube API"),
Process("aws-iam-authenticator").inBoundary("Kubernetes Control Plane"),
TLS("Get sts token")
),
DataFlow(
Process("aws-iam-authenticator"),
Process("IAM API"),
TLS("STS Assume Role,\n with web identity"),
response=TLS("JWT STS Token")
Process("eks-pod-identity-webhook").inBoundary(Boundary("Kubernetes Control Plane")),
TLS("Pod Spec"),
response=TLS("Mutated Pod Spec,\nAdd projected token to spec")
),
DataFlow(
Process("aws-iam-authenticator"),
Process("Kube API"),
TLS("JWT STS Token")
Process("Kubelet").inBoundary(Boundary("Kubernetes Data Plane").inBoundary(Boundary("Customer Account"))),
TLS("Launch Pod,\nPod Spec")
),
DataFlow(
Process("Kube API"),
Process("CNI Pod").inBoundary(Boundary("Kubernetes Data Plane").inBoundary("Customer Account")),
Process("Kubelet"),
Process("CNI Pod").inBoundary(Boundary("Kubernetes Data Plane")),
TLS("Launch Pod,\nsvcacct $acct,\nRole ARN,\nJWT STS Token")
)
),
],
"CNI configures VPC":[
DataFlow(
Process("CNI Pod"),
Process("VPC API").inBoundary(Boundary("VPC CP").inBoundary(Boundary("AWS SVCs"))),
Process("VPC").inBoundary(Boundary("AWS SVCs")),
TLS("Update VPC configuration,\nSTS token,\nOperates as Role ARN")
),
]
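Review bot: The new "Deploy Addon" flows no longer show how the CNI pod obtains the "JWT STS Token" that the added Kubelet -> CNI Pod flow and the later "CNI configures VPC" flow carry: the eks-pod-identity-webhook flow injects a projected service-account token into the pod spec, but the exchange of that token for role credentials (the pod or its SDK calling STS AssumeRoleWithWebIdentity, which is where the OIDC token and the role trust policy are actually validated) is not modelled anywhere on the new side, and if the aws-iam-authenticator -> IAM flow being removed here was the model's only representation of that exchange, the commit drops the boundary crossing instead of relocating it. A flow such as `DataFlow(Process("CNI Pod"), Process("STS").inBoundary(Boundary("AWS SVCs")), TLS("AssumeRoleWithWebIdentity,\nprojected SA token"), response=TLS("Temporary credentials for Role ARN"))` before the "CNI configures VPC" entry would restore it (process name constructed; adjust to the model's naming). Separately, in the first hunk `response="OIDC provider URL"` is a bare string where every other response is wrapped in `TLS(...)`; if the tool derives channel properties from that wrapper the response will be treated as unprotected, so `response=TLS("OIDC provider URL")` keeps it consistent. The dict literal enclosing both hunks begins and ends outside the visible lines.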
1 change: 0 additions & 1 deletion examples/aws-eks-add-on-permissions/AggregatedDfd-dfd
Expand Up @@ -29,7 +29,6 @@ digraph all {
User -> "Kube API" [dir=forward]
EKS -> "Kube API" [dir=forward]
"Kube API" -> "eks-pod-identity-webhook" [dir=both]
"eks-pod-identity-webhook" -> "eks-pod-identity-webhook" [dir=forward]
"Kube API" -> Kubelet [dir=forward]
Kubelet -> "CNI Pod" [dir=forward]
"CNI Pod" -> VPC [dir=forward]
Binary file modified examples/aws-eks-add-on-permissions/AggregatedDfd-dfd.png
5 changes: 2 additions & 3 deletions examples/aws-eks-add-on-permissions/Deploy Addon-dfd
Expand Up @@ -29,10 +29,9 @@ Role: Role ARN"]
"Kube API" -> "eks-pod-identity-webhook" [label="(3) Pod Spec"]
"eks-pod-identity-webhook" -> "Kube API" [label="(4) Mutated Pod Spec,
Add projected token to spec"]
"eks-pod-identity-webhook" -> "eks-pod-identity-webhook" [label="(5) Meep"]
"Kube API" -> Kubelet [label="(6) Launch Pod,
"Kube API" -> Kubelet [label="(5) Launch Pod,
Pod Spec"]
Kubelet -> "CNI Pod" [label="(7) Launch Pod,
Kubelet -> "CNI Pod" [label="(6) Launch Pod,
svcacct $acct,
Role ARN,
JWT STS Token"]
Binary file modified examples/aws-eks-add-on-permissions/Deploy Addon-dfd.png
15 changes: 1 addition & 14 deletions examples/aws-eks-add-on-permissions/ThreatModel.html
Expand Up @@ -285,19 +285,6 @@ <h2> Deploy Addon </h2>

<td>5</td>

<td>eks-pod-identity-webhook</td>

<td>eks-pod-identity-webhook</td>

<td>Internal( Meep )</td>

</tr>


<tr>

<td>6</td>

<td>Kube API</td>

<td>Kubelet</td>
Expand All @@ -310,7 +297,7 @@ <h2> Deploy Addon </h2>

<tr>

<td>7</td>
<td>6</td>

<td>Kubelet</td>

